PoshCode Archive  Artifact Content

Artifact 3273ba2da39799e1a1739d6c2b56a211274764f4243982f6535e06235ecf15f6:

  • File Set-UserCannotChangePass.ps1 — part of check-in [141be63488] at 2018-06-10 13:19:29 on branch trunk — Set the “user Cannot Change Password” property on an active directory user object (user: Erik McCarty size: 3044)

# encoding: ascii
# api: powershell
# title: Set-UserCannotChangePass
# description: Set the “user Cannot Change Password” property on an active directory user object
# version: 0.1
# type: script
# author: Erik McCarty
# license: CC0
# function: set-UserCannotChangePassword
# x-poshcode-id: 3049
# x-archived: 2011-11-16T01:36:56
# x-published: 2011-11-14T07:08:00
#
#
#########1#########2#########3#########4#########5#########6#########7#########8#########9#########1
#########0#########0#########0#########0#########0#########0#########0#########0#########0#########0
#
# Author: Erik McCarty
#
# Description: Set the "user Cannot Change Password" property on an active
# directory user object
#
# Remarks: There is poor documentation on the internet that would lead you
# to believe the $user.userAccountControl property value bit 0x000040 can
# be set to turn on the "user Cannot Change Password" account property.
# However you cannot assign this permission by directly modifying the
# userAccountControl attribute.
#
# History:
# 20080107 EWM Initial Creation
#
# reference:
#       http://msdn2.microsoft.com/en-us/library/aa746398.aspx
#       http://mow001.blogspot.com/2006/08/powershell-and-active-directory-part-8.html 
#       http://ewmccarty.spaces.live.com/blog/cns!CE2AE9EFF99E6598!132.entry
# Example:
#
#  Set-UserCannotChangePassword "BMcClellan"
#
#########1#########2#########3#########4#########5#########6#########7#########8#########9#########1
#########0#########0#########0#########0#########0#########0#########0#########0#########0#########0
#
function set-UserCannotChangePassword( [string] $sAMAccountName ){
   # set variables
   $everyOne = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
   $self = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'
   $SelfDeny = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                              $self,'ExtendedRight','Deny','ab721a53-1e2f-11d0-9819-00aa0040529b')
   $SelfAllow = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                              $self,'ExtendedRight','Allow','ab721a53-1e2f-11d0-9819-00aa0040529b')
   $EveryoneDeny = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                           $Everyone,'ExtendedRight','Deny','ab721a53-1e2f-11d0-9819-00aa0040529b')
   $EveryOneAllow = new-object System.DirectoryServices.ActiveDirectoryAccessRule (
                           $Everyone,'ExtendedRight','Allow','ab721a53-1e2f-11d0-9819-00aa0040529b')

   # find the user object in the default domain
   $searcher = New-Object DirectoryServices.DirectorySearcher
   $searcher.filter = "(&(samaccountname=$sAMAccountName))"
   $results = $searcher.findone()
   $user = $results.getdirectoryentry()

   # set "user cannot change password"
   $user.psbase.get_ObjectSecurity().AddAccessRule($selfDeny)
   $user.psbase.get_ObjectSecurity().AddAccessRule($EveryoneDeny)
   $user.psbase.CommitChanges()
}