Recipe 6.20 Preventing a User from Changing His Password

6.20.1 Problem

You want to disable a user's ability to change his password.

6.20.2 Solution

6.20.2.1 Using a graphical user interface
  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user you want to modify and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Click the Account tab.

  7. Under Account options, check the box beside User cannot change password.

  8. Click OK.

6.20.2.2 Using a command-line interface
> dsmod user <UserDN> -canchpwd no
6.20.2.3 Using VBScript
' This code disables a user's ability to change password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"    ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

' ADS_ACETYPE_ACCESS_DENIED_OBJECT: an object-specific deny ACE
Const ACETYPE_ACCESS_DENIED_OBJECT = 6
' ADS_FLAG_OBJECT_TYPE_PRESENT: the ACE carries an ObjectType GUID
Const ACEFLAG_OBJECT_TYPE_PRESENT = 1
' ADS_RIGHT_DS_CONTROL_ACCESS: the ACE governs a control access right
Const RIGHT_DS_CONTROL_ACCESS = 256
' Control access right GUID for User-Change-Password
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

set objUser = GetObject("LDAP://" & strUserDN)
set objSD = objUser.Get("nTSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Add a deny ACE for Everyone
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "Everyone"
objACE.AceFlags = 0
objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE

' Add a deny ACE for Self
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee = "Self"
objACE.AceFlags = 0
objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT
objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT
objACE.ObjectType = CHANGE_PASSWORD_GUID
objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS
objDACL.AddAce objACE

' Write the modified DACL back to the user object
objSD.DiscretionaryAcl = objDACL
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

WScript.Echo "Enabled no password changing for " & strUserDN

6.20.3 Discussion

Even though the GUI solution is a single "User cannot change password" checkbox, the change actually written to Active Directory is more involved, as the VBScript solution shows. Preventing a user from changing his password consists of placing two deny ACEs for the Change Password control access right (User-Change-Password) on the target user object: one for the Everyone account and one for Self. Self matters because the user's own password change is an operation the user performs on his own object. Note that this only blocks a change by the user; administrators can still reset the password, because a reset is governed by a separate control access right (Reset Password, or User-Force-Change-Password) that these ACEs do not touch.

The VBScript solution should work as is, but it is not very robust: it does not check whether the deny ACEs already exist, and AddAce appends each ACE to the end of the DACL rather than inserting it in canonical order (explicit deny ACEs before explicit allow ACEs). Because access checks walk the DACL in order, a deny ACE that lands after a matching allow ACE may never be reached, and the user would still be able to change his password. The trustee names "Everyone" and "Self" are also localized on non-English domain controllers; the well-known SIDs S-1-1-0 (Everyone) and S-1-5-10 (Self) are not. If you need to make the code more robust, see MS KB 269159 for how to order ACEs properly.
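The same two deny ACEs set from PowerShell, as an added example that is not part of the Active Directory Cookbook recipe. It assumes the ActiveDirectory module (RSAT) and its AD: drive are available and that the caller can write the DACL of the target object; the function names and the user DN are placeholders. It addresses the two weaknesses noted above: it uses well-known SIDs instead of localized names, and it skips a trustee whose deny ACE is already present, while ActiveDirectorySecurity.AddAccessRule keeps the DACL in canonical order so the deny ACEs are evaluated before any allow ACEs.

```powershell
# Added example (not from the Active Directory Cookbook): deny the
# User-Change-Password control access right to Everyone and Self on one
# user object, the same two ACEs the GUI checkbox and the VBScript set.
# Assumes the ActiveDirectory module and its AD: drive; the DN below is
# a placeholder and the function names are this example's own.
Import-Module ActiveDirectory

function Disable-UserPasswordChange {
    param(
        [Parameter(Mandatory)] [string] $UserDN
    )

    # Control access right GUID for User-Change-Password (same value the
    # VBScript solution uses).
    $changePwdGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

    # Well-known SIDs rather than the names "Everyone" and "Self": the
    # names are localized on non-English domain controllers, the SIDs are not.
    $trustees = @(
        [System.Security.Principal.SecurityIdentifier]'S-1-1-0',   # Everyone
        [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # Self
    )

    $path = "AD:\$UserDN"
    $acl  = Get-Acl -Path $path

    foreach ($sid in $trustees) {
        # Idempotence check the VBScript lacks: skip the trustee if an explicit
        # deny on this control access right is already in the DACL.
        $already = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $changePwdGuid -and
            -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value
        }
        if ($already) {
            Write-Verbose "Deny Change Password ACE for $($sid.Value) already present"
            continue
        }

        # Object-specific deny ACE on the ExtendedRight (control access right)
        # identified by the User-Change-Password GUID, no inheritance.
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $changePwdGuid)

        # AddAccessRule inserts in canonical order (explicit deny before
        # explicit allow), unlike the raw AddAce append in the VBScript.
        $acl.AddAccessRule($rule)
    }

    Set-Acl -Path $path -AclObject $acl
}

function Test-UserPasswordChangeDenied {
    # Returns $true only when both deny ACEs are present, i.e. the state the
    # GUI checkbox produces.
    param([Parameter(Mandatory)] [string] $UserDN)
    $changePwdGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
    $denied = (Get-Acl -Path "AD:\$UserDN").Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $changePwdGuid
    } | ForEach-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
    }
    ('S-1-1-0' -in $denied) -and ('S-1-5-10' -in $denied)
}

# Usage (placeholder DN from the recipe)
$dn = 'CN=rallen,OU=Sales,DC=rallencorp,DC=com'
Disable-UserPasswordChange -UserDN $dn -Verbose
Test-UserPasswordChangeDenied -UserDN $dn
```

If you only need the end result and not the ACEs themselves, the ActiveDirectory module also exposes the checkbox directly as Set-ADUser -Identity rallen -CannotChangePassword $true; the explicit form above is useful when you want to audit or verify exactly which ACEs are on the object.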

6.20.4 See Also

MS KB 269159 (HOWTO: Use Visual Basic and ADsSecurity.dll to Properly Order ACEs in an ACL)



Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
Year: 2006
Pages: 456
