While I can set other flags (for example the ADS_UF_DONT_EXPIRE_PASSWD &10000) using the method you specify, I can't set the ADS_UF_PASSWD_CANT_CHANGE.
If I try to set an ADS_UF_PASSWD_CANT_CHANGE(&40), the script will "work" insofar as it won't report any errors; however, checking the user account will show that the flag is not set. Rerunning the script and just displaying the flag will also show that the value is not "saved" after the put.
Since I forgot to post it in the original message, I am using an AD under win2k and kixtart 4.10.
Here's the script I used to test that out on an account with no flags enabled:
$Ouser=GetObject("LDAP://CN=Test, OU=Test, DC=TASD, DC=LOCAL")
if @error<>0 ? @error+" "+@serror endif

If $oUser
  ; Print Base
  $Flags = $oUser.Get("UserAccountControl")
  ? "Base: "+$Flags

  ? "ADS_UF_DONT_EXPIRE_PASSWD"
  $Flags = $oUser.Get("UserAccountControl")
  $Flags = $Flags | &10000
  ? " Before Put:"+$Flags
  $oUser.Put("UserAccountControl",$Flags)
  if @error<>0 ? @error+" "+@serror endif
  $oUser.SetInfo
  if @error<>0 ? @error+" "+@serror endif

  ;Check the value again
  $Flags = $oUser.Get("UserAccountControl")
  ?" After Put: "+$Flags

  ?"ADS_UF_PASSWD_CANT_CHANGE"
  $Flags = $oUser.Get("UserAccountControl")
  $Flags = $Flags | &40
  ? " Before Put:"+$Flags
  $oUser.Put("UserAccountControl",$Flags)
  if @error<>0 ? @error+" "+@serror endif
  $oUser.SetInfo
  if @error<>0 ? @error+" "+@serror endif

  ;Check the value again
  $Flags = $oUser.Get("UserAccountControl")
  ?" After Put: "+$Flags
Else
  ? "User not found"
EndIf
$oUser=0
And here's the output:
Base: 544
ADS_UF_DONT_EXPIRE_PASSWD
 Before Put:66080
 After Put: 66080
ADS_UF_PASSWD_CANT_CHANGE
 Before Put:66144
 After Put: 66080
This seems to jibe with what the Microsoft docs say.
Thanks -Glen
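An added example, not part of the original post: Python that decodes the userAccountControl values printed above and reports any bit that was passed to Put but is missing when the attribute is read back after SetInfo. The flag table is a subset of ADS_USER_FLAG_ENUM, and the names `UAC`, `names` and `audit_put` are illustrative.

```python
from enum import IntFlag


class UAC(IntFlag):
    # Subset of ADS_USER_FLAG_ENUM bits (ADS_UF_ prefix dropped for brevity)
    ACCOUNTDISABLE = 0x2
    LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20
    PASSWD_CANT_CHANGE = 0x40
    NORMAL_ACCOUNT = 0x200
    DONT_EXPIRE_PASSWD = 0x10000
    SMARTCARD_REQUIRED = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQUIRE_PREAUTH = 0x400000


def names(value):
    """Return the names of the known bits set in a userAccountControl value."""
    return [flag.name for flag in UAC if value & flag]


def audit_put(requested, stored):
    """Compare the value handed to Put with the value read back after SetInfo."""
    dropped = requested & ~stored   # bits we asked for that did not persist
    added = stored & ~requested     # bits the directory set on its own
    return {
        "stored": names(stored),
        "dropped": names(dropped),
        "added": names(added),
    }


# (label, value before Put, value after Put) copied from the output in the post
STEPS = [
    ("ADS_UF_DONT_EXPIRE_PASSWD", 66080, 66080),
    ("ADS_UF_PASSWD_CANT_CHANGE", 66144, 66080),
]

if __name__ == "__main__":
    print("Base 544:", names(544))
    for label, requested, stored in STEPS:
        print(label, audit_put(requested, stored))
```

For the second step the audit reports PASSWD_CANT_CHANGE as dropped, which is the silent no-op described in the post; the base value 544 decodes to NORMAL_ACCOUNT plus PASSWD_NOTREQD.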