{"id":70893,"date":"2004-12-02T14:54:00","date_gmt":"2004-12-02T14:54:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2004\/12\/02\/how-can-i-prevent-a-local-user-from-changing-his-or-her-password\/"},"modified":"2004-12-02T14:54:00","modified_gmt":"2004-12-02T14:54:00","slug":"how-can-i-prevent-a-local-user-from-changing-his-or-her-password","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-prevent-a-local-user-from-changing-his-or-her-password\/","title":{"rendered":"How Can I Prevent a Local User From Changing His or Her Password?"},"content":{"rendered":"

\"Hey, \n

Hey, Scripting Guy! How can I configure a local user account so that the user can\u2019t change his or her password?

— DC<\/P>\"Spacer\"\"Hey,\"Script<\/A> \n

Hey, DC. The secret here lies in the mysterious userFlags attribute. We\u2019ll show you how to set a user account so that the user can\u2019t change his or her password, then we\u2019ll fill you in on some of the other local user account properties that can be managed with the userFlags attribute. And by then it will hopefully be time for lunch!<\/P>\n

First the script that prevents a user from changing his or her password:<\/P>

Const ADS_UF_PASSWD_CANT_CHANGE = &H0040<\/p>\n
Set objUser = GetObject(“WinNT:\/\/atl-ws-01\/kenmyer”)<\/p>\n
If Not objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then\n    objPasswordNoChangeFlag = objUser.UserFlags XOR ADS_UF_PASSWD_CANT_CHANGE\n    objUser.Put “userFlags”, objPasswordNoChangeFlag \n    objUser.SetInfo\nEnd If\n<\/PRE>\n
We start out by defining a constant (with the catchy name ADS_UF_PASSWD_CANT_CHANGE) that we\u2019ll need to identify the proper \u201cswitch\u201d inside the userFlags attribute. The userFlags attribute is an example of a bitmask attribute, a single attribute that contains multiple properties and property values. For now, just consider a bitmask as being a bank of switches, with each switch representing a different property. If the switch for User Can\u2019t Change Password<\/B> is on, then the user can\u2019t change his or her password; if the switch is off, then the user can<\/I> change their password. That part is fairly intuitive; the only hard part of dealing with a bitmask is that the \u201cswitches\u201d don\u2019t have names like User Can\u2019t Change Password. Instead, they have hexadecimal values, like &H0040. To carry out our task, we need to flip the &H0040<\/B> switch. That\u2019s why we define this constant.<\/P>\n
Next we connect to the kenmyer account on the computer atl-ws-01. At that point, we check to see if the switch in question is already on. When working with bitmasks, you\u2019ll often see code like this:<\/P>
If objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then\n<\/PRE>\n
In plain English, this can be read as \u201cIf the userFlags attribute is present and if the ADS_UF_PASSWD_CANT_CHANGE switch is on, then this statement is true and we should do something.\u201d In our case, we\u2019re not interested in switches that are on; if the can\u2019t change password flag is already set, then our work is done. We\u2019re only interested in switches that are off. Hence we use this line of code, which takes action only if the switch is not<\/I> on:<\/P>
If Not objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then\n<\/PRE>\n
Now we\u2019re really<\/I> going to confuse you. Take a look at this line of code:<\/P>\n
objPasswordNoChangeFlag = objUser.UserFlags XOR ADS_UF_PASSWD_CANT_CHANGE<\/P>\n
Actually – all appearances aside – this is really pretty simple code. All we\u2019re doing here is toggling the value of the user can\u2019t change password switch. That\u2019s what the XOR command does. If the switch is on, XOR turns if off; if the switch is off, XOR turns it on. We\u2019re taking the current value of the userFlags attribute and toggling the user can\u2019t change password switch. Because we know this switch is off (remember the If Not<\/B> statement we just used?), the XOR command will turn that switch on. Our variable objPasswordNoChangeFlag will then contain exactly the same values that are in the current userFlags attribute, with one exception: the user can\u2019t change password switch will now be on instead of off.<\/P>\n
Still with us? The rest of the script is easy. This line of code write the value of the variable objPasswordNoChangeFlag to the userFlags attribute:<\/P>
objUser.Put “userFlags”, objPasswordNoChangeFlag\n<\/PRE>\n
We then use the SetInfo command to write those changes to the user account. Just like that, local user Ken Myer will no longer have the right to change his password on the computer atl-ws-01.<\/P>\n
And what if wanted to let<\/I> Ken Myer change his password? Hey, that\u2019s easy. All we have to do is check to see if the user can\u2019t change password switch is on<\/I>, and then use XOR to turn it off:<\/P>
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040<\/p>\n
Set objUser = GetObject(“WinNT:\/\/atl-ws-01\/kenmyer”)<\/p>\n
If objUser.UserFlags AND ADS_UF_PASSWD_CANT_CHANGE Then\n    objPasswordNoChangeFlag = objUser.UserFlags XOR ADS_UF_PASSWD_CANT_CHANGE\n    objUser.Put “userFlags”, objPasswordNoChangeFlag \n    objUser.SetInfo\nEnd If\n<\/PRE>\n
The only difference is that we removed the word Not<\/I> from our If-Then statement. That\u2019s because now we want<\/I> to find instances where the switch is on, the better to turn it off.<\/P>\n
We agree: these bitmask attributes are<\/I> confusing. If you\u2019d like a little more information (and a picture or two), you might check out this portion<\/B><\/A> of the Microsoft Windows 2000 Scripting Guide. And, as promised, here are some other local user account properties that can be managed using the userFlags attribute:<\/P>\n\n<\/THEAD>\n\n\n\n\n\n\n\n\n\n\n\n\n
\n
Property<\/B><\/P><\/TD>\n
\n
Constant<\/B><\/P><\/TD>\n
\n
Value<\/B><\/P><\/TD><\/TR>\n
\n
Logon script will be executed<\/P><\/TD>\n
\n
ADS_UF_SCRIPT<\/P><\/TD>\n
\n
&H0001<\/P><\/TD><\/TR>\n
\n
Account is disabled<\/P><\/TD>\n
\n
ADS_UF_ACCOUNTDISABLE<\/P><\/TD>\n
\n
&H0002<\/P><\/TD><\/TR>\n
\n
Account requires a home directory<\/P><\/TD>\n
\n
ADS_UF_HOMEDIR_REQUIRED<\/P><\/TD>\n
\n
&H0008<\/P><\/TD><\/TR>\n
\n
Account is locked out<\/P><\/TD>\n
\n
ADS_UF_LOCKOUT<\/P><\/TD>\n
\n
&H0010<\/P><\/TD><\/TR>\n
\n
Account does not require a password<\/P><\/TD>\n
\n
ADS_UF_PASSWD_NOTREQD<\/P><\/TD>\n
\n
&H0020<\/P><\/TD><\/TR>\n
\n
User cannot change password<\/P><\/TD>\n
\n
ADS_UF_PASSWD_CANT_CHANGE<\/P><\/TD>\n
\n
&H0040<\/P><\/TD><\/TR>\n
\n
Encrypted text password allowed<\/P><\/TD>\n
\n
ADS_UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED<\/P><\/TD>\n
\n
&H0080<\/P><\/TD><\/TR>\n
\n
Account password never expires<\/P><\/TD>\n
\n
ADS_UF_DONT_EXPIRE_PASSWD<\/P><\/TD>\n
\n
&H10000<\/P><\/TD><\/TR>\n
\n
Smartcard required for logon<\/P><\/TD>\n
\n
ADS_UF_SMARTCARD_REQUIRED<\/P><\/TD>\n
\n
&H40000<\/P><\/TD><\/TR>\n
\n
Password has expired<\/P><\/TD>\n
\n
ADS_UF_PASSWORD_EXPIRED<\/P><\/TD>\n
\n
&H800000<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n
<\/DIV>\n
If you get bored sometime, substitute these values into the user can\u2019t change password script and see what happens. (Of course, as always, we recommend you use a test machine – or at least a test account – when experimenting with scripts like this.)<\/P><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! How can I configure a local user account so that the user can\u2019t change his or her password?— DC Hey, DC. The secret here lies in the mysterious userFlags attribute. We\u2019ll show you how to set a user account so that the user can\u2019t change his or her password, then we\u2019ll fill […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[23,24,3,5],"class_list":["post-70893","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-local-accounts-and-windows-nt-4-0-accounts","tag-other-directory-services","tag-scripting-guy","tag-vbscript"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! How can I configure a local user account so that the user can\u2019t change his or her password?— DC Hey, DC. The secret here lies in the mysterious userFlags attribute. We\u2019ll show you how to set a user account so that the user can\u2019t change his or her password, then we\u2019ll fill […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70893","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=70893"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/70893\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=70893"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=70893"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=70893"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}