Preventing a User from Changing Her Password in Domain

Posted: January 14, 2010 in Active Directory, Networking, Server, System Information


Problem

You want to disable a user’s ability to change her password.

Solution

Using a graphical user interface

  1. Open the ADUC snap-in.
  2. In the left pane, right-click on the domain and select Find.
  3. Select the appropriate domain beside In.
  4. Beside Name, type the name of the user you want to modify and click Find Now.
  5. In the Search Results window, double-click on the user.
  6. Click the Account tab.
  7. Under Account options, check the box beside “User cannot change password.”
  8. Click OK.

Using a command-line interface

> dsmod user <UserDN> -canchpwd no

Using VBScript

' This code disables a user's ability to change password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' ADSI constants: object-specific deny ACE, object-type GUID present,
' and the "control access" (extended right) access mask
Const ACETYPE_ACCESS_DENIED_OBJECT = 6
Const ACEFLAG_OBJECT_TYPE_PRESENT = 1
Const RIGHT_DS_CONTROL_ACCESS = 256
' GUID of the User-Change-Password extended right
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

' Bind to the user and fetch its security descriptor and DACL
set objUser = GetObject("LDAP://" & strUserDN)
set objSD = objUser.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Add a deny ACE for Everyone
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "Everyone"
objACE.AceFlags = 0
objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE

' Add a deny ACE for Self
' (This is only necessary to prevent a user from
' changing their own password.)
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "Self"
objACE.AceFlags = 0
objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE

' Write the modified DACL back to the user object
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

WScript.Echo "Enabled no password changing for " & strUserDN

Discussion

Even though in the GUI solution you simply check or uncheck the “User cannot change password” setting, actually making the change in Active Directory is a little more complicated, as the VBScript solution shows. Not allowing a user to change her password consists of setting two deny Change Password ACEs on the target user object: one deny ACE is for the Everyone account and the other is for Self.

The VBScript solution should work as is, but it is not very robust in terms of checking to see if the ACEs already exist and making sure they are in the proper order. If you need to make the code more robust, we suggest checking out MS KB 269159 for more information on setting ACEs properly.
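As an added example (not code from the post), the following PowerShell function audits a user object for the two deny Change Password ACEs described above, which addresses the robustness point about checking whether the ACEs already exist; it assumes the RSAT ActiveDirectory module and the AD: drive it provides, and the user DN is a constructed sample.

```powershell
# Added example: report whether the Everyone and Self deny ACEs for the
# User-Change-Password extended right are present on a user object.
# Assumes the ActiveDirectory module (provides the AD: PSDrive).
Import-Module ActiveDirectory

function Test-UserCannotChangePassword {
    param([Parameter(Mandatory)][string]$UserDN)

    # Same extended-right GUID the VBScript uses
    $changePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    # Well-known SIDs: Everyone (S-1-1-0) and Self (S-1-5-10)
    $everyoneSid = 'S-1-1-0'
    $selfSid     = 'S-1-5-10'

    $acl = Get-Acl -Path ("AD:\" + $UserDN)

    # Keep only deny ACEs scoped to the Change Password extended right
    $denies = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $changePasswordGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    }

    # Translate trustees to SIDs so localised group names do not matter
    $sids = foreach ($ace in $denies) {
        $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }

    [pscustomobject]@{
        UserDN       = $UserDN
        EveryoneDeny = [bool]($sids -contains $everyoneSid)
        SelfDeny     = [bool]($sids -contains $selfSid)
    }
}

# Constructed sample DN; replace with a real user DN in your domain
$result = Test-UserCannotChangePassword -UserDN 'CN=rallen,OU=Sales,DC=rallencorp,DC=com'
if ($result.EveryoneDeny -and $result.SelfDeny) {
    "Both deny ACEs present: user cannot change password"
} elseif ($result.EveryoneDeny -or $result.SelfDeny) {
    "Only one deny ACE present: setting is half-applied, inspect the DACL"
} else {
    "No deny ACEs present: user can change password"
}
```

Running this before the VBScript lets you skip users that already carry both ACEs instead of appending duplicates to the DACL.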
