user password properties


Jerry Parlee

A couple of related puzzles:



The first script almost works.

I'm trying to create a number of users (in a separate script for this
purpose) and enable their account and set their passwords not to expire.



The create-account script (not shown) works fine. This part, whether
integral to the create-account script or stand-alone, manages to do the
second if statement, but not the first. If I swap the if statements it still
does the second, but not the first.



What would cause it to do that? Is it the case that you can only do one
operation at a time? Only the last one takes?



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Const ADS_UF_ACCOUNTDISABLE = 2
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objUser = GetObject("LDAP://cn=Atest,ou=PsyUsers,dc=xxx,dc=uuuu,dc=edu")

intUAC = objUser.Get("userAccountControl")

If intUAC AND ADS_UF_ACCOUNTDISABLE Then
    objUser.Put "userAccountControl", intUAC XOR ADS_UF_ACCOUNTDISABLE
    objUser.SetInfo
End If

If not intUAC AND ADS_UF_DONT_EXPIRE_PASSWD Then
    objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
End If



+++++++++++++++++++++++++++++++++++++++++++++++



And I can't make this work at all. The book says that the can't-change-password property is in "userAccountControl", but then says something about it being an "nTSecurityDescriptor". I am not at all clear on the syntax; I've swapped both values in every permutation, but haven't got it to do anything. I've also played with "if" and "if not", which doesn't seem to help.



+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

' ADS_UF_PASSWD_CANT_CHANGE is &h40 (the original had &h00400, a different,
' unused bit).
Const ADS_UF_PASSWD_CANT_CHANGE = &h40

Set objUser = GetObject("LDAP://cn=Atest,ou=PsyUsers,dc=xxx,dc=uuuu,dc=edu")

intUAC = objUser.Get("userAccountControl")

' The original tested an undefined variable (intNSD); intUAC is the value
' that was actually read. Note that this attempt still does not take effect
' with the LDAP provider: AD keeps "cannot change password" in the object's
' security descriptor, not in this bit, and nTSecurityDescriptor is not an
' integer attribute.
If not intUAC AND ADS_UF_PASSWD_CANT_CHANGE Then
    objUser.Put "nTSecurityDescriptor", intUAC XOR ADS_UF_PASSWD_CANT_CHANGE
    objUser.SetInfo
End If



+++++++++++++++++++++++++++++++++++++++++++++++



Thanks,

Jerry

Joe Richards [MVP]

OK, for your first problem, where the second if works but not the first... They are probably both working, but any time the second works it overwrites what you did in the first, because you:

1. Get the current userAccountControl value into a temp copy.
2. Do a compare on the temp copy and then, if it matches what you want, you change the userAccountControl in AD instead of your temp copy.
3. Do a compare on the temp copy and then, if it matches what you want, you change the userAccountControl in AD instead of your temp copy.

You either need to add step 2B: if you changed AD, reload the temp copy. Or you need to change the temp copy and add step 4: write the temp copy to AD.

The "password can't change" setting can't be done with the LDAP provider by setting userAccountControl. That is because the functionality was moved to the security descriptor of the user object for that in AD. You can either work on changing the security descriptor, or you can jump to the WinNT provider for that piece of the code and modify the object there. Note that that will require more permissions than it would with the LDAP provider and is less efficient, though. However, the compensating factor is that you can screw things up pretty badly if you screw up the security descriptor when you muck with it.
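The fix described above, written out as an added example (this is not code from either poster): both userAccountControl changes are computed on one local copy and written back once (Joe's "step 4"), the result is re-read from the directory rather than trusted, and the "cannot change password" setting is done through the WinNT provider, which still exposes it as a userFlags bit. The user DN is the one from the question; the NetBIOS domain name "XXX" in the WinNT path is an assumption.

```vbscript
' Added example, not from the original posts. Assumes the DN from the
' question and a made-up NetBIOS domain name "XXX" for the WinNT path.
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = &h2
Const ADS_UF_PASSWD_CANT_CHANGE = &h40      ' &h40, not &h400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Const USER_LDAP  = "LDAP://cn=Atest,ou=PsyUsers,dc=xxx,dc=uuuu,dc=edu"
Const USER_WINNT = "WinNT://XXX/Atest,user"   ' assumed domain name

Dim objUser, objNtUser, intUAC, intNewUAC, intFlags

Set objUser = GetObject(USER_LDAP)

' Step 1: read userAccountControl once into a local copy.
intUAC = objUser.Get("userAccountControl")

' Steps 2 and 3: make every change on the local copy, not in AD.
' "And Not" clears a bit and "Or" sets it; "Xor" would only toggle it,
' which flips the wrong way if the bit was not in the state you assumed.
intNewUAC = intUAC
intNewUAC = intNewUAC And (Not ADS_UF_ACCOUNTDISABLE)
intNewUAC = intNewUAC Or ADS_UF_DONT_EXPIRE_PASSWD

' Step 4: write the combined value back once, and only if it changed,
' so a second write can never overwrite the first with a stale copy.
If intNewUAC <> intUAC Then
    objUser.Put "userAccountControl", intNewUAC
    objUser.SetInfo
End If

' Check: refresh the property cache and test the bits that came back
' from the directory, not the value held in the script.
objUser.GetInfo
intUAC = objUser.Get("userAccountControl")
If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    WScript.Echo "FAIL: account is still disabled"
ElseIf (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
    WScript.Echo "FAIL: password still expires"
Else
    WScript.Echo "userAccountControl OK: &h" & Hex(intUAC)
End If

' "User cannot change password": the LDAP provider does not honour this bit
' in userAccountControl because AD stores the setting in the object's
' security descriptor. The WinNT provider still presents it as a userFlags
' bit and does the security-descriptor work for you.
Set objNtUser = GetObject(USER_WINNT)
intFlags = objNtUser.Get("userFlags")
If (intFlags And ADS_UF_PASSWD_CANT_CHANGE) = 0 Then
    objNtUser.Put "userFlags", intFlags Or ADS_UF_PASSWD_CANT_CHANGE
    objNtUser.SetInfo
End If

' Same check for the WinNT side.
objNtUser.GetInfo
If (objNtUser.Get("userFlags") And ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
    WScript.Echo "userFlags OK: user cannot change password"
Else
    WScript.Echo "FAIL: PASSWD_CANT_CHANGE is not set"
End If
```

Run it under cscript so the Echo lines go to the console. The WinNT half is the part that needs the extra permissions Joe mentions: behind the scenes it rewrites the DACL on the user object, so the account running the script needs the right to modify that object's security descriptor, not just to write userAccountControl. If you go the security-descriptor route yourself instead, what the WinNT provider writes for you is a deny ACE for the User-Change-Password control access right, and an ACL that is put back in the wrong order or with the wrong trustee is how you "screw things up pretty badly" as the reply warns.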

Jerry Parlee

OIC.

Of course.
Thanks.

I'll muddle with the user-change-password thing. I wonder if it would be easier, and just as effective, to hide that property in a GPO.
Jerry

