userAccountControl Changes

Guest

Hello Everyone,

I need to change all users in AD with following options

A - User Cannot Change Password
B - Password never Expires

When I export the values of a test user using LDIFDE it exports a value of
66048, but actually it should be 66112. Same is the case when I import this
value through LDIFDE.

On some research I saw a MS Document that says - You can read this flag but
you cannot set it directly.

I was depending heavily on my little experience with LDIFDE to get this done
and now I am stuck. Changing it manually would be very time consuming.

I am sure many of you might have gone through this issue before and might
have come up with some great ideas. Any help/suggestions/pointers, please.

Thanks
IK
 
Do it through script.
Setting a Password So It Never Expires
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/ScriptCenter/user/scrug52.asp

Changing Flags in the userAccountControl Attributes
http://www.microsoft.com/technet/tr...echnet/scriptcenter/scrguide/sas_usr_vrbt.asp
--
Regards,

Michael Holzemer
No email replies please - reply in newsgroup

Learn script faster by searching here
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/default.asp
 
Hi,

The userAccountControl attribute has a bit for ADS_UF_PASSWD_CANT_CHANGE,
but this does not have the intended effect. Instead, you must add two Access
Control Entries (ACE's) to the Discretionary Access Control List (DACL) of
the security descriptor for the user. I have a sample VBScript program that
does this for a specified user. The program is linked on this page:

http://www.rlmueller.net/Cannot Change PW.htm

The user Distinguished Name is passed to the program as a parameter. And, I
see that the TechNet Script Center has a similar program:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/scriptcenter/user/ScrUG29.asp

To do this for all users in the domain you have two options. One would be to
use ADO to retrieve the Distinguished Name (DN) of all users. Then, loop
through the recordset returned by ADO, bind to each user (using the
Distinguished Name), modify userAccountControl for "Password never expires",
and run the code to add the two ACE's to the DACL so the user does not have
permission to change their password.

However, I would recommend doing this in two steps, since it might not be
wise for admin/training/guest/built-in accounts, etc. I would run a program
to output the Distinguished Name of all users to either a text file or a
spreadsheet. Then, review the text file or spreadsheet so it only has the
DN's for users that should be modified. Then, run a second script to read
the user DN's, bind to each user object, modify userAccountControl, and add
the two ACE's. This also allows you to test the program on a small test
group before running it on everyone else.

A sample VBScript program to dump the DN of all users to a text file:

http://www.rlmueller.net/Create User List 2.htm

A sample VBScript program to dump all user DN's to an Excel spreadsheet:

http://www.rlmueller.net/Create User List 3.htm

A sample program that sets the password for users specified in a text file.
This reads the DN from the text file and binds to each user. Instead of
setting the password, you would alter userAccountControl and add the two
ACE's:

http://www.rlmueller.net/Set Passwords 2.htm

And, an example program that reads DN's from an Excel spreadsheet, binds to
each user, and operates on the object:

http://www.rlmueller.net/UpdateUserProfile.htm

The example modifies the profilePath attribute for each user in the
spreadsheet. The user DN is in the first column and the new profilePath is
in the second column. In your case, you only need to read the first column
(the DN). You can modify this program to alter userAccountControl and add
the two ACE's for each user instead.
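An added example (not from this thread or from the linked rlmueller.net scripts) that shows why the exported value is 66048 rather than 66112, and what the two ACEs look like in SDDL. It decodes userAccountControl bit flags, strips the flag that an LDAP write cannot set, and builds the two "Change Password" deny ACEs so an auditor can check a user's security descriptor offline. The SDDL string fed to the audit helper is constructed sample data.

```python
# Added example: decode userAccountControl and build the two DACL ACEs that
# actually implement "User cannot change password". Flag values, the
# extended-right GUID and the SDDL tokens are the documented Windows ones.

UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",   # restriction lives in the DACL, not here
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x800000: "PASSWORD_EXPIRED",
}

# Flags an LDAP write (e.g. an LDIFDE import) does not take effect for:
# PASSWD_CANT_CHANGE is enforced by deny ACEs on the user object, so
# importing 0x40 leaves the stored value at 66048 instead of 66112.
READ_ONLY_FLAGS = {0x0040}

def decode_uac(value):
    """Return the sorted flag names set in a userAccountControl value."""
    return sorted(name for bit, name in UAC_FLAGS.items() if value & bit)

def writable_uac(desired):
    """Return the part of 'desired' that a write to userAccountControl keeps."""
    for bit in READ_ONLY_FLAGS:
        desired &= ~bit
    return desired

# Well-known rightsGuid of the "Change Password" extended right.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"

def cannot_change_password_aces():
    """The two object-specific deny ACEs (SDDL) that block self-service
    password changes: deny Change Password to Everyone (WD) and SELF (PS)."""
    return [f"(OD;;CR;{CHANGE_PASSWORD_GUID};;{sid})" for sid in ("WD", "PS")]

def effective_cannot_change(sddl):
    """Audit helper: True only when both deny ACEs appear in the user's SDDL."""
    return all(ace in sddl for ace in cannot_change_password_aces())

# Constructed sample security descriptor for a user with both deny ACEs.
SAMPLE_SDDL = ("O:DAG:DAD:(A;;RPWP;;;DA)"
               "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
               "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)")

if __name__ == "__main__":
    print(decode_uac(66048), decode_uac(66112), writable_uac(66112))
    print(effective_cannot_change(SAMPLE_SDDL))
```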