Microsoft KB Archive/301287

= How to set the "User Cannot Change Password" option by using a program =

Article ID: 301287

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q301287



SUMMARY
This article describes how to set the User Cannot Change Password option by using a program.



MORE INFORMATION
In Windows 2000 and Windows Server 2003, an administrator can select the User Cannot Change Password option for a user account. Selecting this option does not set a flag on the account. Instead, it modifies the access control list (ACL) on the user object by adding access control entries (ACEs) that deny the "Change Password" extended right, so the user can no longer change his or her own password. In some situations, for example when you provision accounts in a batch process, you may want to set this option from a program.

Create a file that has a .vbs extension, and then copy the following code into that file. Change the distinguished name (DN) of the user to the DN of the user that you want to modify, and run the script as an account that is permitted to modify that user's security descriptor.

WARNING: The sample code that is included in this Knowledge Base article does not reorder the access control entries (ACEs). The programmer must set the correct order of ACEs in a security descriptor. The correct order, known as "canonicalization of the ACL," requires (among other things) that all "deny" ACEs are listed before all "allow" ACEs in the ACL. An ACE that is appended after existing allow ACEs may therefore not take effect. For more information about the correct ordering of the ACEs, click the following article number to view the article in the Microsoft Knowledge Base:

269159 How to use Visual Basic and ADsSecurity.dll to properly order ACEs in an ACL

For more information about how to use Microsoft Active Directory Service Interfaces (ADSI) to correctly order the ACEs in an ACL, click the following article number to view the article in the Microsoft Knowledge Base:

279682 How to use ADsSecurity.dll to add an access control entry to an NTFS folder

' rightsGuid of the "User-Change-Password" extended right
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
' ADS_RIGHT_DS_CONTROL_ACCESS is the access bit that extended rights are checked against
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1

Dim oACESelf, oACEEveryone
Dim oSecDescriptor
Dim oDACL
Dim oUser

Set oACESelf = CreateObject("AccessControlEntry")
Set oACEEveryone = CreateObject("AccessControlEntry")

'--- Create the Access Control Entry for Self ---
' Object-specific deny ACE: denies the user the Change Password extended right
oACESelf.Trustee = "NT AUTHORITY\SELF"
oACESelf.AceFlags = 0
oACESelf.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
oACESelf.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
oACESelf.ObjectType = CHANGE_PASSWORD_GUID
oACESelf.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

'--- Create the Access Control Entry for Everyone ---
' Same deny ACE for Everyone; the user interface writes both entries
oACEEveryone.Trustee = "EVERYONE"
oACEEveryone.AceFlags = 0
oACEEveryone.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
oACEEveryone.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
oACEEveryone.ObjectType = CHANGE_PASSWORD_GUID
oACEEveryone.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

'--- Get the user object (change the DN to the user that you want) ---
Set oUser = GetObject("LDAP://cn=todd,ou=na,dc=microsoft,dc=com")

'--- Get this object's security descriptor ---
Set oSecDescriptor = oUser.Get("ntSecurityDescriptor")

'--- Get the discretionary ACL ---
Set oDACL = oSecDescriptor.DiscretionaryAcl

'--- Add the new ACEs and replace the DACL ---
' AddAce appends to the end of the list; see the warning above about canonical ACE order
oDACL.AddAce oACESelf
oDACL.AddAce oACEEveryone
oSecDescriptor.DiscretionaryAcl = oDACL

'--- Put the security descriptor back on the object ---
oUser.Put "ntSecurityDescriptor", oSecDescriptor
oUser.SetInfo

'--- Clean up ---
Set oUser = Nothing
Set oACESelf = Nothing
Set oACEEveryone = Nothing
Set oDACL = Nothing
Set oSecDescriptor = Nothing
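The following PowerShell script is an added example and is not part of this Knowledge Base article. It writes the same two deny ACEs (for SELF and for Everyone, on the User-Change-Password extended right) by using the System.DirectoryServices classes instead of the raw ADSI AddAce call, and then reads the DACL back to confirm that both entries are present. ActiveDirectorySecurity.AddAccessRule inserts a deny ACE in its canonical position, so the ACE-ordering warning above does not apply to this path. The DN reuses the article's sample value as a placeholder, the well-known SIDs S-1-5-10 (SELF) and S-1-1-0 (Everyone) are used instead of names, and the script is assumed to run as an account that can modify the target user's security descriptor.

```powershell
# Added example (not the KB article's code): set "User Cannot Change Password" on one user
# through System.DirectoryServices, which keeps the DACL in canonical order, then verify it.
# Assumptions: caller can write the user's security descriptor; DN below is a placeholder.

$userDn = "CN=todd,OU=na,DC=microsoft,DC=com"   # placeholder DN taken from the article; change it

# rightsGuid of the "User-Change-Password" extended right (same value as the article's constant)
$changePasswordGuid = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"

# Well-known SIDs, so the ACEs do not depend on name lookup or on the UI language
$self     = New-Object System.Security.Principal.SecurityIdentifier "S-1-5-10"   # NT AUTHORITY\SELF
$everyone = New-Object System.Security.Principal.SecurityIdentifier "S-1-1-0"    # Everyone

function Set-UserCannotChangePassword {
    param([string]$DistinguishedName)

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    # psbase reaches the .NET members of DirectoryEntry past PowerShell's ADSI property adapter
    $sd = $entry.psbase.ObjectSecurity

    foreach ($trustee in @($self, $everyone)) {
        # Object-specific deny ACE on ExtendedRight (0x100 = ADS_RIGHT_DS_CONTROL_ACCESS)
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $trustee,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $changePasswordGuid)
        # AddAccessRule places the deny ACE ahead of the allow ACEs (canonical order)
        $sd.AddAccessRule($rule)
    }

    $entry.psbase.CommitChanges()   # writes ntSecurityDescriptor back to the domain controller
    $entry.Dispose()
}

function Test-UserCannotChangePassword {
    param([string]$DistinguishedName)

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    # Explicit (non-inherited) rules only, with trustees reported as SIDs
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    $entry.Dispose()

    # Trustees that hold an explicit deny on the User-Change-Password right
    $denied = $rules |
        Where-Object {
            $_.ObjectType -eq $changePasswordGuid -and
            $_.AccessControlType -eq 'Deny' -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
        } |
        ForEach-Object { $_.IdentityReference.Value }

    # The option counts as set only when both SELF and Everyone are denied, which is what
    # Active Directory Users and Computers writes
    return (($denied -contains $self.Value) -and ($denied -contains $everyone.Value))
}

Set-UserCannotChangePassword -DistinguishedName $userDn
if (-not (Test-UserCannotChangePassword -DistinguishedName $userDn)) {
    throw "Deny ACEs for User-Change-Password were not found on $userDn"
}
```

Test-UserCannotChangePassword is the check to run after either script, because the option is stored only in the DACL: a deny ACE that was appended behind an existing allow ACE by the VBScript sample would be present but not in canonical order, and the verification above reports what the directory actually holds. On domains where the Active Directory module is installed, Get-ADUser with -Properties CannotChangePassword returns the same information as a computed property and can serve as an independent cross-check.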

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Keywords: kbhowto kbenv KB301287

-


© Microsoft Corporation. All rights reserved.