Turn off "User Cannot Change Password" & "Password Never Expires" Flags ?

Post by benq » Fri, 19 Sep 2003 06:27:23


I've seen numerous questions asking how to enable the
"User Cannot Change Password" and "Password Never Expires" flags, which
this script does. My problem is just the opposite. Currently these two
flags are enabled on a bunch of accounts. The "user cannot change
their password" box is checked and the "password never expires" box is
checked. I need to pull in a text file of user names, turn off these
two attribute flags and set a new password. Any help would be
appreciated. Thanks.
Ben

'************************************************
' File: ToggleUserFlag.vbs (WSH sample in VBScript)
' Author: (c) Günter Born
'
' Uses ADSI to set a userflag bit in a user account.
' Obtained from "Advanced Development with Microsoft
' Windows Scripting Host 2.0", Microsoft Press.
'************************************************
Option Explicit

Const UF_PASSWORD_CANT_CHANGE = &H40
Const UF_DONT_EXPIRE_PASSWD = &H10000

DIM oUser
DIM name, tmp
DIM domain

domain = "//DOMAIN1"
name = "MM"

Set oUser = GetObject("WinNT:" & domain & "/" & name)

oUser.GetInfo 'read the properties
' toggle "User cannot change password" and "Password never expires"
tmp = oUser.Get("UserFlags") ' read flags
tmp = tmp XOR UF_PASSWORD_CANT_CHANGE
tmp = tmp XOR UF_DONT_EXPIRE_PASSWD

oUser.Put "UserFlags", tmp
oUser.SetInfo
WScript.Echo "Account " & name & " updated"

Set oUser = Nothing
WScript.Quit
' End

Post by Richard Mu » Sat, 20 Sep 2003 07:14:32

Hi,

First, modifying the userFlags attribute exposed by the WinNT provider works
to change the settings you want. However, the same method fails if you
modify the userAccountControl attribute exposed by the LDAP provider.

A program that can be used to produce a text file with the NT logon names
for all users in the domain is at this link:

http://www.rlmueller.net/Create%20User%20List%201.htm

Then, the VBScript program below will read the names from the text file,
bind to each user, retrieve userFlags, test the flags, and toggle the
appropriate bits if necessary. Any user found with "Password cannot change"
set has this bit turned off, and any user found with "password never
expires" has that bit turned off. The name and path of the text file of user
names is hard coded in the program. The NetBIOS domain name is also hard
coded. You will have to modify both.

Option Explicit

Const UF_PASSWD_CANT_CHANGE = &H40
Const UF_DONT_EXPIRE_PASSWD = &H10000

Dim lngFlags, objUser, objFSO, strFilePath, strNetBIOSDomain, objFile
Dim strNTName, blnModified

' Specify the text file of user names and the NetBIOS domain.
strFilePath = "c:\MyFolder\UserList1.txt"
strNetBIOSDomain = "MyDomain"

' Open the file for read access.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile(strFilePath, 1)

' Read each line of the file, bind to the user object, and
' modify the userFlags attribute if needed.
Do Until objFile.AtEndOfStream
    strNTName = Trim(objFile.ReadLine)
    If strNTName <> "" Then
        On Error Resume Next
        Err.Clear
        Set objUser = GetObject("WinNT://" & strNetBIOSDomain & "/" _
            & strNTName & ",user")
        If Err.Number <> 0 Then
            Err.Clear
            On Error GoTo 0
            Wscript.Echo "User " & strNTName & " NOT found"
        Else
            On Error GoTo 0
            lngFlags = objUser.Get("userFlags")
            blnModified = False
            If (lngFlags And UF_PASSWD_CANT_CHANGE) <> 0 Then
                ' User cannot change password.
                lngFlags = lngFlags Xor UF_PASSWD_CANT_CHANGE
                blnModified = True
            End If
            If (lngFlags And UF_DONT_EXPIRE_PASSWD) <> 0 Then
                ' Password does not expire.
                lngFlags = lngFlags Xor UF_DONT_EXPIRE_PASSWD
                blnModified = True
            End If
            If blnModified = True Then
                On Error Resume Next
                Err.Clear
                ' Write the new value into the property cache;
                ' SetInfo only saves values that have been Put.
                objUser.Put "userFlags", lngFlags
                objUser.SetInfo
                If Err.Number <> 0 Then
                    Err.Clear
                    On Error GoTo 0
                    Wscript.Echo "Unable to set userFlags for user " & strNTName
                End If
                On Error GoTo 0
            End If
        End If
    End If
Loop

' Clean up.
objFile.Close
Set objFile = Nothing
Set objFSO = Nothing
Set objUser = Nothing

Wscript.Echo "Done"

--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net

Post by bquartey » Sun, 21 Sep 2003 01:44:40

Rich,
I ran your script reading a text file of a few records. The "User Cannot Change Password" & "Password Never Expires" were enabled. It said done. When I verified the account properties no change occurred. 2nd question, what are the bit values to turn these attributes off? Your help is greatly appreciated.

Ben
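
The sketch below is an added example, not code from any poster in this thread. It covers the whole task from the first post: it clears both bits with And Not (which leaves a bit off if it is already off, where Xor would turn it on), writes the value back with Put before SetInfo, sets a temporary password and expires it so the user must choose a new one at next logon. The file path and domain name are the placeholders used earlier in the thread; reading the temporary password from standard input (cscript only) is an assumption made here to keep it out of the script and the command line.

```vbscript
' Added example: clear both password flags and set an expiring temporary password.
' Run with cscript.exe; the path and domain below are placeholders.
Option Explicit

Const UF_PASSWD_CANT_CHANGE = &H40
Const UF_DONT_EXPIRE_PASSWD = &H10000
Const ForReading = 1

Dim objFSO, objFile, objUser, strName, strTempPwd, lngOld, lngNew

' Prompt for the temporary password instead of hard coding it.
WScript.StdOut.Write "Temporary password: "
strTempPwd = WScript.StdIn.ReadLine

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.OpenTextFile("c:\MyFolder\UserList1.txt", ForReading)

Do Until objFile.AtEndOfStream
    strName = Trim(objFile.ReadLine)
    If strName <> "" Then
        On Error Resume Next
        Set objUser = GetObject("WinNT://MyDomain/" & strName & ",user")
        If Err.Number = 0 Then
            lngOld = objUser.Get("userFlags")
            ' And Not forces both bits to 0 regardless of their current state.
            lngNew = lngOld And Not (UF_PASSWD_CANT_CHANGE Or UF_DONT_EXPIRE_PASSWD)
            objUser.Put "userFlags", lngNew    ' update the local property cache
            objUser.SetInfo                    ' commit the cache to the account
            objUser.SetPassword strTempPwd     ' takes effect immediately
            objUser.Put "PasswordExpired", 1   ' force a change at next logon
            objUser.SetInfo
        End If
        ' Err keeps the first failure from any step above until it is cleared.
        If Err.Number = 0 Then
            WScript.Echo strName & ": userFlags &H" & Hex(lngOld) & " -> &H" & Hex(lngNew)
        Else
            WScript.Echo strName & ": FAILED (" & Err.Description & ")"
        End If
        Err.Clear
        On Error GoTo 0
    End If
Loop

objFile.Close
```

The per-user output line records the flag value before and after the change, which can be kept as a record of what was modified.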
