Script to disable user changing password

Using Windows Server 2003, working on an OU. No idea what has happened, but kid just came in saying "he changed his password". This shouldn't be possible, as when the accounts are set up by the council, "password never expires" and "user cannot change password" are both ticked.

So anyway went to check our users and it looks like all 1000 students have had the option unticked for "user cannot change password".

Anyway, I could probably ask them to set up a script to get this working again, but I would rather learn myself.

Someone point me in the direction to add this to the login script?
 
Why don't you disable User Accounts in Control Panel via Group Policy?

Unless the client systems have the Active Directory snap-ins for MMC installed, that would only be for tinkering with local user accounts, not the Active Directory accounts.

If someone has unticked the 'User cannot change password' lockdown option in AD for those users, then of course they will be allowed to go CTRL+ALT+DEL and click 'change password'.

A VB script can easily iterate through an OU and re-enable the option.
Policy probably wouldn't get applied to the clients though until next time they log in. (You could always try issuing a gpupdate /force to force the group policy update on the client, but it probably still won't kick in till next login.)

Google will have plenty of VBScript Active Directory scripting examples.
This is probably a sign to get some better auditing on your servers too so you can see why/who/when this option was changed en-masse.

Hope this helps.
//TrX
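
An added example, not code posted by anyone in this thread: a VBScript that walks the user objects directly inside one OU and re-applies "User cannot change password", reporting first and changing only when asked. The OU distinguished name and NetBIOS domain name are placeholders. It sets the flag through the WinNT provider's UserFlags property, because the LDAP provider exposes this setting only as ACL entries on the user object, and it does not descend into nested OUs.

```vbscript
' Added example, not from the thread. Run with: cscript //nologo relock.vbs
' Assumptions: OU_DN and NETBIOS_DOMAIN are placeholders for your own values,
' and the account running it may modify the users in that OU.
Option Explicit

Const OU_DN = "OU=Students,DC=example,DC=local"   ' placeholder
Const NETBIOS_DOMAIN = "EXAMPLE"                  ' placeholder
Const REPORT_ONLY = True      ' True = list affected users, change nothing
Const ADS_UF_PASSWD_CANT_CHANGE = &H40

Dim objOU, objLdapUser, objNtUser, strSam, lngFlags
Dim intUnlocked, intAlreadySet
intUnlocked = 0
intAlreadySet = 0

' Enumerate the direct children of the OU through the LDAP provider.
Set objOU = GetObject("LDAP://" & OU_DN)
objOU.Filter = Array("user")

For Each objLdapUser In objOU
    ' Skip anything that is not a plain user object (e.g. computer accounts).
    If LCase(objLdapUser.Class) = "user" Then
        strSam = objLdapUser.Get("sAMAccountName")

        ' Re-bind to the same account through the WinNT provider, where
        ' "User cannot change password" is a writable bit in UserFlags.
        Set objNtUser = GetObject("WinNT://" & NETBIOS_DOMAIN & "/" & strSam & ",user")
        lngFlags = objNtUser.Get("UserFlags")

        If (lngFlags And ADS_UF_PASSWD_CANT_CHANGE) = 0 Then
            intUnlocked = intUnlocked + 1
            If REPORT_ONLY Then
                WScript.Echo "Can change password: " & strSam
            Else
                objNtUser.Put "UserFlags", lngFlags Or ADS_UF_PASSWD_CANT_CHANGE
                objNtUser.SetInfo
                WScript.Echo "Re-locked: " & strSam
            End If
        Else
            intAlreadySet = intAlreadySet + 1
        End If
    End If
Next

WScript.Echo "Users without the restriction: " & intUnlocked
WScript.Echo "Users already restricted:      " & intAlreadySet
```

This is a one-off administrative script run by someone with rights over the OU, since a logon script runs in the student's own context and cannot write these account properties.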
 
If they are in a single OU you can just ctrl+a, right click, go to the account tab and tick "user cannot change password"
 
If they are in a single OU you can just ctrl+a, right click, go to the account tab and tick "user cannot change password"

Did not know you could do that!
Scripting is a useful thing to know if you deal with AD a lot though.
 