Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

How to set the "User Cannot Change Password" option by using a program


View products that this article applies to.

Summary

This article describes how to set the User Cannot Change Password option by using a program.

↑ Back to the top


More information

In Windows 2000, an administrator can set the User Cannot Change Password option. This option can set the access control list (ACL) on the objects of the users so that the users cannot change their passwords when this option is selected. In some situations, you may want to use this option in a batch process by using a program.

Create a file with a .vbs extension, and then copy the following text (code) into that file. Then, change the distinguished name (DN) of the user to the path that you want.

WARNING: The sample code that is included in this Knowledge Base article does not reorder the Access Control Entries (ACEs). The programmer must set the correct order of ACEs in a security descriptor. Correct order, known as "cannonicalization of the ACL," requires (among other things) that all "deny" ACEs are listed before all "allow" ACEs in the ACL. For more information about the correct ordering of the ACEs, click the following article number to view the article in the Microsoft Knowledge Base:
269159 How to use Visual Basic and ADsSecurity.dll to properly order ACEs in an ACL
For more information about how to use Microsoft Active Directory Services Interface to properly order ACLs, click the following article number to view the article in the Microsoft Knowledge Base:
279682 How to use ADsSecurity.dll to add an access control entry to an NTFS folder
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
                                            
Dim oACESelfSelf, oACEEveryone
Dim oSecDescriptor
Dim oDACL
Dim oUSer
                                                                
Set oACESelf = CreateObject("AccessControlEntry")
Set oACEEveryone = CreateObject("AccessControlEntry")
                                                                                
'-- Create the Access Control Entry for Self---
oACESelf.Trustee = "NT AUTHORITY\SELF"
oACESelf.AceFlags = 0
oACESelf.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
oACESelf.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
oACESelf.ObjectType = CHANGE_PASSWORD_GUID
oACESelf.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
                                                                 
' --- Create the Access Control Entry for Everyone---
oACEEveryone.Trustee = "EVERYONE"
oACEEveryone.AceFlags = 0
oACEEveryone.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
oACEEveryone.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
oACEEveryone.ObjectType = CHANGE_PASSWORD_GUID
oACEEveryone.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

'---Get the user Object
Set oUSer = GetObject("LDAP://cn=todd,ou=na,dc=microsoft,dc=com")

'--- Get this objects Security Descriptor
Set oSecDescriptor = oUSer.Get("ntSecurityDescriptor")
                                                                 
'--- Get the Discretionary ACL ---
Set oDACL = oSecDescriptor.DiscretionaryAcl
                                                                 
'-- Add our new ACEs and replace DACL---
oDACL.AddAce oACESelf
oDACL.AddAce oACEEveryone
                                                                 
' -- Put the Security Descriptor back on the object --
oUSer.Put "ntSecurityDescriptor", oSecDescriptor
oUSer.SetInfo
                                                                                 
' -- Clean up --
Set oUser = Nothing
Set oACESelf = Nothing
Set oACEEveryone = Nothing
Set oDACL = Nothing
Set oSecDescriptor = Nothing
					
Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

↑ Back to the top


Keywords: KB301287, kbhowto, kbenv

↑ Back to the top

Article Info
Article ID : 301287
Revision : 8
Created on : 10/11/2007
Published on : 10/11/2007
Exists online : False
Views : 473