MSPSS: is there life after the helpdesk?

sharing solutions to uncommon IT problems

VBS: Check “User Cannot Change Password” on LDAP for all members of a group



Hello,

I had trouble finding a script to check whether the “User Cannot Change Password” flag was selected for a particular user in Active Directory.

All other user options and properties are fairly easy to find, but this one isn’t, because it isn’t really an option but rather a security right on the user object (therefore you can’t find this info through ADSIEdit, LDP or any other LDAP querying tool that only shows attributes; you have to read the object’s DACL).

Hope this helps:

' Usage: cscript CheckCannotChangePassword.vbs "CN=Group,OU=Groups,DC=example,DC=com"
' Walks every member of the group and reports those whose DACL carries a Deny
' ACE for the User-Change-Password extended right addressed to NT AUTHORITY\SELF.
Option Explicit
On Error Resume Next

Const ADS_ACETYPE_ACCESS_ALLOWED = &H0
Const ADS_ACETYPE_ACCESS_DENIED = &H1
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
' rightsGuid of the "User-Change-Password" extended right
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"

Dim strGroupDN, objGroup, arrMembers, strMember, objUser
Dim objNtSecurityDescriptor, objDiscretionaryAcl

' The group's distinguishedName is taken from the command line
If WScript.Arguments.Count < 1 Then
    WScript.Echo "Usage: cscript " & WScript.ScriptName & " <group distinguishedName>"
    WScript.Quit 1
End If
strGroupDN = WScript.Arguments(0)

Set objGroup = GetObject("LDAP://" & strGroupDN)
objGroup.GetInfo
arrMembers = objGroup.GetEx("member")

For Each strMember In arrMembers
    Set objUser = GetObject("LDAP://" & strMember)
    ' ADSI hands ntSecurityDescriptor back as an IADsSecurityDescriptor object
    Set objNtSecurityDescriptor = objUser.Get("ntSecurityDescriptor")
    Set objDiscretionaryAcl = objNtSecurityDescriptor.DiscretionaryAcl
    DisplayAceInformation objDiscretionaryAcl, "DACL", strMember
Next

Sub DisplayAceInformation(SecurityStructure, strType, sMember)
    Dim objAce, intAceType
    For Each objAce In SecurityStructure
        ' Only ACEs that address the Change Password right for the user itself matter
        If UCase(objAce.Trustee) = "NT AUTHORITY\SELF" And UCase(objAce.ObjectType) = CHANGE_PASSWORD_GUID Then
            intAceType = objAce.AceType
            If (intAceType = ADS_ACETYPE_ACCESS_ALLOWED Or _
                intAceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) Then
                'WScript.Echo sMember & " Allow Change Password"
            ElseIf (intAceType = ADS_ACETYPE_ACCESS_DENIED Or _
                intAceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) Then
                WScript.Echo sMember & " Deny Change Password"
            Else
                WScript.Echo "Access Type Unknown."
            End If
        End If
    Next
End Sub
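The script above lets ADSI parse ntSecurityDescriptor into an IADsSecurityDescriptor object, so it never sees the raw bytes. From a non-Windows LDAP client (python-ldap, ldap3) the same attribute arrives as a self-relative binary security descriptor and you have to decode it yourself. The following is an added example, not code from this post or from Microsoft: it reads just enough of the MS-DTYP security descriptor, ACL, ACE and SID layouts to walk the DACL and applies the same test as the VBScript, a Deny ACE on the User-Change-Password right (the same GUID) for NT AUTHORITY\SELF (S-1-5-10), and additionally for Everyone (S-1-1-0), since the Windows checkbox writes both Deny ACEs. The build_descriptor and object_ace helpers and the two sample descriptors exist only to construct offline test data; nothing here is read from a directory.

```python
# Added example (not the post's code): find "User Cannot Change Password" in a
# raw ntSecurityDescriptor by locating a Deny ACE on the User-Change-Password
# extended right. Layouts follow MS-DTYP; sample descriptors are constructed.
import struct
import uuid

USER_CHANGE_PASSWORD_GUID = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
SID_SELF = "S-1-5-10"            # NT AUTHORITY\SELF
SID_EVERYONE = "S-1-1-0"
ACCESS_ALLOWED_OBJECT_ACE = 0x05
ACCESS_DENIED_OBJECT_ACE = 0x06
ACE_OBJECT_TYPE_PRESENT = 0x01
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x02
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100   # mask bit that carries extended rights
SE_SELF_RELATIVE = 0x8000
SE_DACL_PRESENT = 0x0004
ACL_REVISION_DS = 4                   # ACL revision required for object ACEs

def sid_to_bytes(sid):
    """Encode 'S-1-5-10' into the binary SID layout."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def sid_from_bytes(buf, off):
    """Decode a binary SID at buf[off:]; returns (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count

def object_ace(ace_type, sid, guid, mask=ADS_RIGHT_DS_CONTROL_ACCESS):
    """ACCESS_*_OBJECT_ACE with only the ObjectType GUID present (test data builder)."""
    body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT) + guid.bytes_le + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def build_descriptor(aces):
    """Self-relative descriptor holding only a DACL (owner/group/SACL offsets 0).
    A real ntSecurityDescriptor also carries owner and group; the parser below
    reaches the DACL through its offset, so that difference does not matter."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(acl_body), len(aces), 0) + acl_body
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 0, 0, 0, 20) + acl

def parse_dacl(sd):
    """Return [(ace_type, mask, object_type_guid_or_None, trustee_sid)] from the DACL."""
    rev, _sbz, control, _own, _grp, _sacl, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & SE_DACL_PRESENT or dacl_off == 0:
        return []                     # no DACL at all: nothing can deny the right
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", sd, dacl_off)
    aces, off = [], dacl_off + 8
    for _ in range(count):
        ace_type, _flags, size = struct.unpack_from("<BBH", sd, off)
        mask = struct.unpack_from("<I", sd, off + 4)[0]
        guid, pos = None, off + 8
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE):
            obj_flags = struct.unpack_from("<I", sd, pos)[0]
            pos += 4
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                guid = uuid.UUID(bytes_le=sd[pos:pos + 16])
                pos += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                pos += 16             # inherited-object GUID: not needed for this check
        sid, _ = sid_from_bytes(sd, pos)
        aces.append((ace_type, mask, guid, sid))
        off += size                   # AceSize covers header + body, whatever the type
    return aces

def user_cannot_change_password(sd):
    """True when a Deny ACE on the User-Change-Password right targets SELF or Everyone,
    which is what the "User cannot change password" checkbox writes to the DACL."""
    for ace_type, mask, guid, sid in parse_dacl(sd):
        if (ace_type == ACCESS_DENIED_OBJECT_ACE and mask & ADS_RIGHT_DS_CONTROL_ACCESS
                and guid == USER_CHANGE_PASSWORD_GUID and sid in (SID_SELF, SID_EVERYONE)):
            return True
    return False

# Constructed samples: a user with the checkbox set, and one without.
SD_RESTRICTED = build_descriptor([
    object_ace(ACCESS_DENIED_OBJECT_ACE, SID_SELF, USER_CHANGE_PASSWORD_GUID),
    object_ace(ACCESS_DENIED_OBJECT_ACE, SID_EVERYONE, USER_CHANGE_PASSWORD_GUID),
])
SD_NORMAL = build_descriptor([
    object_ace(ACCESS_ALLOWED_OBJECT_ACE, SID_SELF, USER_CHANGE_PASSWORD_GUID),
])

if __name__ == "__main__":
    for name, sd in (("restricted", SD_RESTRICTED), ("normal", SD_NORMAL)):
        print(name, "Deny Change Password" if user_cannot_change_password(sd) else "Allow Change Password")
```

To run it against a live directory, fetch ntSecurityDescriptor with an LDAP client and pass the raw attribute value to user_cannot_change_password(); the parser skips owner, group and SACL by offset, so the extra parts of a real descriptor are harmless. Note the check keys on the ACE type, the control-access mask bit and the right's GUID together: a Deny ACE for the same trustee on some other extended right must not count.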


Written by zantoro

January 10, 2012 at 10:52 am

Posted in Scripting

One Response


  1. I had the same need in the past, but I had to do it with PowerShell. I used a script I found here: http://blogs.microsoft.co.il/blogs/scriptfanatic/archive/2009/07/06/get-all-users-that-cannot-change-their-password.aspx

    Having a VBS could come in handy anyway, for systems without PowerShell.

    Diego Zanella

    January 12, 2012 at 3:05 am

