Re: "User cannot change pwd" and "Pwd never expire" by using Directory

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 12/03/04


Date: Fri, 3 Dec 2004 08:34:47 -0600

You don't set that option in LDAP with that flag. Both the lockout flag and
the user can't change password flag don't work for Active Directory.

To set "user can't change password", you need to modify the DACL for the
user's object. I don't know of a specific .NET sample, but there is a
script sample that you can adopt on the KB.

Joe K.

"Thauhtopa" <Thauhtopa@discussions.microsoft.com> wrote in message
news:85DDC95B-DA31-433C-8184-E149AC199C40@microsoft.com...
> I create an account by using the DirectoryServices and it is running:
> ---------------------------------------------------------
> Dim ContainerEntry As DirectoryEntry
> Dim UserEntry As DirectoryEntry
> Dim ChildCollection As DirectoryEntries
> ContainerEntry = New DirectoryEntry(LDAPPath)
> ChildCollection = ContainerEntry.Children
> UserEntry = ChildCollection.Add("CN=" & strFirstName + " " + strLastName, "user")
> UserEntry.Properties("samAccountName").Add(TextBoxNewAccountPre.Text)
> UserEntry.CommitChanges()
> ----------------------------------------------------
>
> In the next step you see the adding of some information, it is running:
> ----------------------------------------------------
> UserEntry.Properties("samAccountName").Add(TextBoxNewAccountPre.Text)
>
> UserEntry.Properties("userPrincipalName").Add(TextBoxNewAccount.Text & ComboSuffix.Text)
> UserEntry.NativeObject.LastName = TextBoxLastName.Text
> UserEntry.NativeObject.DisplayName = TextBoxFirstName.Text + " " + TextBoxLastName.Text
> UserEntry.NativeObject.Description = TextBoxDescription.Text
> UserEntry.NativeObject.physicaldeliveryofficename = "Acct creator: " + GetCurrentUserName()
> UserEntry.NativeObject.EmployeeID = TextBoxEmployeeID.Text
> ----------------------------------------------------
>
> In the next Step you see to set some constants and a call of a Sub
> (The Values for the Constants you can find, here
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_useraccountcontrol.asp):
> ----------------------------------------------------
> Const ADS_UF_DONT_EXPIRE_PASSWD As Integer = &H10000
> Const ADS_UF_PASSWD_CANT_CHANGE As Integer = &H40
> SetAccountOptions(UserEntry, ADS_UF_PASSWD_CANT_CHANGE)
> SetAccountOptions(UserEntry, ADS_UF_DONT_EXPIRE_PASSWD)
> -----------------------------------------------------
>
> Now the last Steps, it is the sub to set the userAccountControl-value:
> -----------------------------------------------------
> Shared Sub SetAccountOptions(ByVal User As DirectoryEntry, ByRef AccountOptions As Integer)
> Dim val As Integer
> val = Fix(User.Properties("userAccountControl").Value)
> User.Properties("userAccountControl").Value = val Or AccountOptions
> val = Fix(User.Properties("userAccountControl").Value)
> User.CommitChanges()
> End Sub 'SetAccountOptions
> -----------------------------------------------------
>
> The Result is:
> The call SetAccountOptions(UserEntry, ADS_UF_DONT_EXPIRE_PASSWD) is running
> perfect.
>
> the call
> SetAccountOptions(UserEntry, ADS_UF_PASSWD_CANT_CHANGE) is running but
> NOTHING HAPPENS
>
> Now my question:
> I need a solution to set the property "User Cannot Change Password" over the
> DirectoryServices.
>
> Help, please
> Thauhtopa
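
The DACL change described in the reply, as an added example that is not part of the original thread and is not the KB script it mentions: Active Directory represents "User cannot change password" as two deny ACEs on the user object for the Change Password extended right, one for Everyone and one for SELF. The module and routine names (`CannotChangePassword`, `DenyChangePassword`, `IsChangePasswordDenied`) are hypothetical, and the code assumes .NET Framework 2.0 or later, where `DirectoryEntry.ObjectSecurity` is available.

```vb
Imports System
Imports System.DirectoryServices
Imports System.Security.AccessControl
Imports System.Security.Principal

Module CannotChangePassword
    ' Schema GUID of the User-Change-Password extended right.
    Private ReadOnly ChangePasswordRight As New Guid("ab721a53-1e2f-11d0-9819-00aa0040529b")
    ' The two trustees the checkbox maps to: Everyone (S-1-1-0) and SELF (S-1-5-10).
    Private ReadOnly EveryoneSid As New SecurityIdentifier(WellKnownSidType.WorldSid, Nothing)
    Private ReadOnly SelfSid As New SecurityIdentifier(WellKnownSidType.SelfSid, Nothing)

    ' Adds a deny ACE for the Change Password right for each trustee.
    ' The user object must already exist in the directory (created and committed).
    Sub DenyChangePassword(ByVal user As DirectoryEntry)
        user.Options.SecurityMasks = SecurityMasks.Dacl ' read and write only the DACL
        For Each sid As SecurityIdentifier In New SecurityIdentifier() {EveryoneSid, SelfSid}
            user.ObjectSecurity.AddAccessRule(New ActiveDirectoryAccessRule(
                sid, ActiveDirectoryRights.ExtendedRight,
                AccessControlType.Deny, ChangePasswordRight))
        Next
        user.CommitChanges()
    End Sub

    ' Audit check: True only when deny ACEs exist for both Everyone and SELF.
    Function IsChangePasswordDenied(ByVal user As DirectoryEntry) As Boolean
        Dim everyoneDenied As Boolean = False
        Dim selfDenied As Boolean = False
        Dim rules As AuthorizationRuleCollection =
            user.ObjectSecurity.GetAccessRules(True, True, GetType(SecurityIdentifier))
        For Each rule As ActiveDirectoryAccessRule In rules
            If rule.AccessControlType = AccessControlType.Deny AndAlso
               rule.ObjectType.Equals(ChangePasswordRight) Then
                If rule.IdentityReference.Equals(EveryoneSid) Then everyoneDenied = True
                If rule.IdentityReference.Equals(SelfSid) Then selfDenied = True
            End If
        Next
        Return everyoneDenied AndAlso selfDenied
    End Function
End Module
```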


