How can I revoke users ability to change password in Active Directory? 2

[AndyH1]

Im not very familiar with using Active Directory, having in the past just done reads etc.

Ive been asked to write either a win service or a script (preferably in c# .net) which will set the property revoke the users privilege to reset their user password if pwdLastSet - 0 (ie password expired) as they want them to set it indirectly through another app once expired.

Whilst the 'User cannot change their password' attribute is visible in the LDAP as a bit in the userAccountControl attribute this bit is read only. As I understand the privilege has to be set through modification of the users Access Control List (ACL).

Can this be done through a windows service? and could someone advise me on how to do this.

I hope someone can help and thankyou
Andy

 

[jmeckley]

I would start by figuring out how to do this using LDAP commands (not the GUI). Once you know the commands you can use a powershell script or .Net app to execute the commands.

if you need this for an IT admin role that a powershell script would be the way to go. If you want a pretty UI for your standard end user then a simple windows form (or WPF) would work.

forum774 would be a good place to ask about the LDAP commands/structure. After that you need to decide on powershell or .Net.

for ps help use forum1619
for .Net you'll want to take a look at the System.DirectoryServices assembly and namespace.

Jason Meckley
Programmer

faq855-7190
faq732-7259

 

[AndyH1]

Thanks Jason for your help. I think the main problem is needing to set it via the Access Control List (ACL), so I cant use standard LDAP to set the value. I'm not really familiar with PowerScript as my main role is web development, with only a bit of applications stuff

Appreciate your help
Thanks
Andy

 

[jmeckley]

I haven't worked with ACL directly before. All told I would figure out how to do this without .Net. If you need a pretty UI use .Net to execute whatever scripts may be necessary.

PowerShell is a command line, scripting language by MS. It replaces Batch (.bat) files and has full access to the .Net framework. Think .Net meets unix/shell scripting!

Jason Meckley
Programmer

faq855-7190
faq732-7259

 

[AndyH1]

Thanks Jason for pointing me in the right direction. Sounds like Powershell is the best way to go, as they dont need an interface.

Think I'll mirror the question about the ACL on the Powershell forum and start getting myself up to speed on Powershell

Again thankyou

Andy

 

[ClanVooDooBoy]

Hi all,

Yes you can use powershell. But using scripts frequently is not good. Either you go for the GPO's or may try out some third party tools. Try out the Lepide Active Directory Self Service. it has the same features. See the link below and have a quick look at the features, try out the trial version.

Hope it helps.
Thank you
Anil

 

[AndyH1]

ClanVooDooBoy,

Thanmks for the advice. The script as I understand is only a temporary until they can work something out more thoroughly. basically though the aim is to revoke users permissions to change their password via Active Directory directly once it has expired and only allow through the other app, I'm not sure Lepide Active Directory Self Service would really be useful as it seems to be for the opposite use. Thankyou for your help though - its appreciated.

 

[ClanVooDooBoy]

AndyH1,

If I am not wrong, you want to use 2 different tool for this purpose. now the question is why exactly you want to do that, what are you looking for to be done. I want you to mention it again as once the password is expired, user need to reset it and it can't be changed and If you want the admin, not to allow the users to reset the password on their own once it has been expired, then the users can be restricted.



Anilkumar
Lepide Softwares

http://www.lepide.com