Preventing a User from Changing Her Password

Problem

You want to disable a user's ability to change her password.

Solution

Using a graphical user interface
  1. Open the ADUC snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user you want to modify and click Find Now.

  5. In the Search Results window, double-click on the user.

  6. Click the Account tab.

  7. Under Account options, check the box beside "User cannot change password."

  8. Click OK.

Using a command-line interface
	> dsmod user <UserDN> -canchpwd no

Using VBScript
	' This code disables a user's ability to change password
	' ------ SCRIPT CONFIGURATION ------
	strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
	' ------ END CONFIGURATION ---------

	' ADS_ACETYPE_ACCESS_DENIED_OBJECT: an object-specific deny ACE
	Const ACETYPE_ACCESS_DENIED_OBJECT = 6
	' ADS_FLAG_OBJECT_TYPE_PRESENT: the ACE's ObjectType GUID is populated
	Const ACEFLAG_OBJECT_TYPE_PRESENT = 1
	' ADS_RIGHT_DS_CONTROL_ACCESS: a control-access (extended) right
	Const RIGHT_DS_CONTROL_ACCESS = 256
	' rightsGuid of the "User-Change-Password" extended right
	Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

	' Bind to the user object and read its security descriptor and DACL
	set objUser = GetObject("LDAP://" & strUserDN)
	set objSD = objUser.Get("nTSecurityDescriptor")
	set objDACL = objSD.DiscretionaryAcl

	' Add a deny ACE for Everyone
	set objACE = CreateObject("AccessControlEntry")
	objACE.Trustee = "Everyone"
	objACE.AceFlags = 0
	objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
	objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
	objACE.ObjectType = CHANGE_PASSWORD_GUID
	objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
	objDACL.AddAce objACE

	' Add a deny ACE for Self
	' (This is only necessary to prevent a user from
	' changing their own password.)
	set objACE = CreateObject("AccessControlEntry")
	objACE.Trustee = "Self"
	objACE.AceFlags = 0
	objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
	objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
	objACE.ObjectType = CHANGE_PASSWORD_GUID
	objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
	objDACL.AddAce objACE

	' Write the modified DACL back to the user object
	objSD.DiscretionaryAcl = objDACL
	objUser.Put "nTSecurityDescriptor", objSD
	objUser.SetInfo
	WScript.Echo "Enabled no password changing for " & strUserDN

Discussion

Even though in the GUI solution you simply check or uncheck the "User cannot change password" box, the change actually made in Active Directory is a little more complicated, as the VBScript solution shows. Not allowing a user to change her password consists of setting two deny Change Password ACEs on the target user object: one deny ACE for the Everyone account and the other for Self.

The VBScript solution should work as is, but it is not very robust: it does not check whether the ACEs already exist, and it does not make sure they end up in the proper order within the DACL. If you need to make the code more robust, we suggest checking out MS KB 269159 for more information on setting ACEs properly.
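The following PowerShell script is an added example, not part of the original recipe, that addresses the two weaknesses just described: it inspects the user's DACL first and adds each deny Change Password ACE only if an equivalent one is not already present, and it lets the .NET ActiveDirectorySecurity class place deny ACEs ahead of allow ACEs when the DACL is written back. The distinguished name is the recipe's placeholder; the function name Test-DenyChangePasswordAce is a name chosen here. The account running the script must be able to write the object's DACL.

```powershell
# Added example (not from the recipe): idempotent version of the VBScript solution
# using System.DirectoryServices from PowerShell.

$userDN = 'CN=rallen,OU=Sales,DC=rallencorp,DC=com'   # placeholder, replace with the target user DN
# rightsGuid of the "User-Change-Password" extended right (same GUID as the VBScript solution)
$changePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$userDN")
# Read and write only the DACL portion of nTSecurityDescriptor; reading the SACL needs extra privilege
$entry.Options.SecurityMasks = [System.DirectoryServices.SecurityMasks]::Dacl
$acl = $entry.ObjectSecurity

# The two trustees the recipe denies: Everyone (S-1-1-0) and NT AUTHORITY\SELF (S-1-5-10)
$trustees = @(
    (New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)),
    (New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::SelfSid, $null))
)

# Returns $true if the DACL already carries an explicit deny of the
# Change Password extended right for the given SID (hypothetical helper name).
function Test-DenyChangePasswordAce {
    param(
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl,
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    # Explicit ACEs only: an inherited deny could be removed by a change higher up the tree
    $rules = $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
            $ace.IdentityReference -eq $Sid -and
            $ace.ObjectType -eq $changePasswordGuid -and
            ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            return $true
        }
    }
    return $false
}

$changed = $false
foreach ($sid in $trustees) {
    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
    if (Test-DenyChangePasswordAce -Acl $acl -Sid $sid) {
        Write-Host "Deny Change Password ACE already present for $name"
        continue
    }
    # Object-specific deny ACE on the Change Password extended right; AddAccessRule keeps
    # the DACL in canonical order (explicit denies before explicit allows).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $changePasswordGuid)
    $acl.AddAccessRule($rule)
    Write-Host "Added deny Change Password ACE for $name"
    $changed = $true
}

if ($changed) {
    # Writes the modified DACL back to nTSecurityDescriptor on the user object
    $entry.CommitChanges()
    Write-Host "Enabled no password changing for $userDN"
} else {
    Write-Host "No changes needed for $userDN"
}
```

Running the script a second time reports both ACEs as already present and commits nothing, which is the behaviour the VBScript version lacks. The same Test-DenyChangePasswordAce check can be run on its own to audit whether a given user already has the setting applied.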

See Also

MS KB 269159 (How to Use Visual Basic and ADsSecurity.dll to Properly Order ACEs in an ACL)
