PoshCode PowerShell Code Repository

Set-UserCannotChangePass

Set the "User Cannot Change Password" property on an Active Directory user object. The flag is not written through the userAccountControl attribute; it is implemented as Deny ACEs on the User-Change-Password extended right of the user object.

```powershell
#########1#########2#########3#########4#########5#########6#########7#########8#########9#########1
#########0#########0#########0#########0#########0#########0#########0#########0#########0#########0
#
# Author: Erik McCarty
#
# Description: Set the "user Cannot Change Password" property on an Active
# Directory user object
#
# Remarks: There is poor documentation on the internet that would lead you
# to believe the $user.userAccountControl property value bit 0x000040 can
# be set to turn on the "user Cannot Change Password" account property.
# However you cannot assign this permission by directly modifying the
# userAccountControl attribute.
#
# History:
# 20080107 EWM Initial Creation
#
# reference:
#       http://msdn2.microsoft.com/en-us/library/aa746398.aspx
#       http://mow001.blogspot.com/2006/08/powershell-and-active-directory-part-8.html
#       http://ewmccarty.spaces.live.com/blog/cns!CE2AE9EFF99E6598!132.entry
# Example:
#
#  Set-UserCannotChangePassword "BMcClellan"
#
#########1#########2#########3#########4#########5#########6#########7#########8#########9#########1
#########0#########0#########0#########0#########0#########0#########0#########0#########0#########0
#
function Set-UserCannotChangePassword( [string] $sAMAccountName ){
   # set variables
   $everyOne = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'   # Everyone
   $self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'      # NT AUTHORITY\SELF
   # controlAccessRight GUID of the "User-Change-Password" extended right
   $changePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
   $SelfDeny = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                              $self,'ExtendedRight','Deny',$changePasswordRight)
   $SelfAllow = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                              $self,'ExtendedRight','Allow',$changePasswordRight)
   $EveryoneDeny = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                           $Everyone,'ExtendedRight','Deny',$changePasswordRight)
   $EveryOneAllow = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                           $Everyone,'ExtendedRight','Allow',$changePasswordRight)
   # $SelfAllow and $EveryOneAllow are built but not applied below; only the
   # two Deny rules are needed to turn the flag on.

   # find the user object in the default domain
   $searcher = New-Object DirectoryServices.DirectorySearcher
   $searcher.filter = "(&(samaccountname=$sAMAccountName))"
   $results = $searcher.findone()
   if ($results -eq $null) { throw "User '$sAMAccountName' not found in the default domain" }
   $user = $results.getdirectoryentry()

   # set "user cannot change password": Deny ACEs for Self and Everyone on the
   # User-Change-Password right, then write the security descriptor back
   $user.psbase.get_ObjectSecurity().AddAccessRule($selfDeny)
   $user.psbase.get_ObjectSecurity().AddAccessRule($EveryoneDeny)
   $user.psbase.CommitChanges()
}
```
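Because the flag lives in the ACL rather than in userAccountControl, the reliable way to audit it is to read the ACL back. The following is an added example, not part of the original post: it reports whether both Deny ACEs that implement the flag are present, and reverses the script above by removing exactly those two ACEs. The function names Get-UserEntry, Test-UserCannotChangePassword and Remove-UserCannotChangePassword are my own; the default-domain search and the SIDs and right GUID are the same as in the script.

```powershell
# Added example (not the original author's code). Same assumptions as the script:
# run in a domain-joined session against the default naming context.
$changePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # User-Change-Password
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$self     = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'

function Get-UserEntry([string] $sAMAccountName) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$sAMAccountName))"
    $result = $searcher.FindOne()
    if ($result -eq $null) { throw "User '$sAMAccountName' not found in the default domain" }
    return $result.GetDirectoryEntry()
}

# $true only when both explicit Deny ACEs (Self and Everyone) on the
# User-Change-Password right are present, i.e. the flag is really in effect.
function Test-UserCannotChangePassword([string] $sAMAccountName) {
    $user  = Get-UserEntry $sAMAccountName
    $rules = $user.psbase.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])
    $deniedTo = @{}
    foreach ($rule in $rules) {
        $isExtended = ([int]($rule.ActiveDirectoryRights -band
                       [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) -ne 0
        if ($rule.AccessControlType -eq 'Deny' -and $isExtended -and
            $rule.ObjectType -eq $changePasswordRight) {
            $deniedTo[$rule.IdentityReference.Value] = $true
        }
    }
    return ($deniedTo.ContainsKey($self.Value) -and $deniedTo.ContainsKey($everyone.Value))
}

# Undo Set-UserCannotChangePassword: remove exactly the two Deny ACEs it added.
function Remove-UserCannotChangePassword([string] $sAMAccountName) {
    $user = Get-UserEntry $sAMAccountName
    $acl  = $user.psbase.ObjectSecurity
    foreach ($id in @($self, $everyone)) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
                    -ArgumentList $id, 'ExtendedRight', 'Deny', $changePasswordRight
        $acl.RemoveAccessRuleSpecific($rule)
    }
    $user.psbase.CommitChanges()
}

# Usage:  Test-UserCannotChangePassword "BMcClellan"
#         Remove-UserCannotChangePassword "BMcClellan"
```

Test-UserCannotChangePassword only inspects explicit ACEs, so a Deny inherited from a parent OU is not counted; extend the GetAccessRules call if your environment relies on inherited entries.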
