I "translated" the script from

' http://www.activexperts.com/activmonitor...rifyWhether.htm
' Verify Whether Users Can Change Their Passwords
' Identifies whether Or Not a user Is allowed To change his Or her password.

to:
Code:
  
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = &6
$CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

$ADSPath="LDAP://cn=" + $UserName + "," + $UsrContainer + "," + GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$RC=PwdChange_Ability_Verify($UserName, $ADSPath)

Function PwdChange_Ability_Verify($UsrNme, $AdsPath)
  ; Function PwdChange_Ability_Verify($UsrNme, $AdsPath)
  ; Input  : $UsrNme  = Username of the User to be checked
  ;          $AdsPath = user name in user container in ADS in LDAP notation
  ; Values :  0 = user can change his or her password
  ;           1 = user cannot change his or her password
  ;          -1 = user not found in ADS
  Dim $objUser, $objSD, $objDACL, $ace, $blnEnabled

  $objUser = GetObject($AdsPath)

  If $objUser.SamAccountName=$UsrNme
    ; ?"User '" $objUser.SamAccountName "' ('" $objUser.FullName "', '" $objUser.cn" ') exists!"
  Else
    ?"User '$UsrNme' not found!"
    $PwdChange_Ability_Verify=-1
    Return
  EndIf

  $objSD = $objUser.Get("nTSecurityDescriptor")
  $objDACL = $objSD.DiscretionaryAcl

  ; $blnEnabled = 1 means a deny ACE for the Change Password right was found,
  ; i.e. "User cannot change password" is enabled
  $blnEnabled = 0
  For Each $ace in $objDACL
    If ($ace.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) And
       (Lcase($ace.ObjectType) = $CHANGE_PASSWORD_GUID)
      $blnEnabled = 1
    EndIf
  Next

  ; Map the result to the documented return values
  If $blnEnabled
    $PwdChange_Ability_Verify=1
  Else
    $PwdChange_Ability_Verify=0
  EndIf

  $objUser = ""
  Return
EndFunction



which works fine. But I am not able to write a script
"Modifying User Cannot Change Password" which disables
a user account so that he cannot change his password.

Examples could be:
http://msdn.microsoft.com/library/defaul...nt_provider.asp

or
http://msdn.microsoft.com/library/defaul...ap_provider.asp


Can somebody help?

Thank you in advance!

Karl
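
Added example, not part of the post above and not the MSDN sample code: one way to write the setting in KiXtart through the same ADSI objects the check uses, by switching the Change Password ACEs for Everyone and SELF between allow-object and deny-object. The function name `PwdChange_Ability_Set` and its return codes are hypothetical, and the trustee strings assume English account names.

```kixtart
; Added example: set or clear "User cannot change password" via ADSI.
; Assumptions: English trustee names; function name and return codes are hypothetical.
$ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &5
$ADS_ACETYPE_ACCESS_DENIED_OBJECT  = &6
$CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

Function PwdChange_Ability_Set($AdsPath, $Deny)
  ; Input  : $AdsPath = LDAP path of the user object
  ;          $Deny    = 1 -> user cannot change password, 0 -> user can
  ; Values :  0 = security descriptor written back
  ;           1 = Change Password ACEs for Everyone and SELF not both present
  ;          -1 = bind or write failed
  Dim $objUser, $objSD, $objDACL, $ace, $trustee, $type, $seenEveryone, $seenSelf

  $PwdChange_Ability_Set = -1
  $seenEveryone = 0
  $seenSelf = 0
  $objUser = GetObject($AdsPath)
  If @ERROR = 0
    If $Deny
      $type = $ADS_ACETYPE_ACCESS_DENIED_OBJECT
    Else
      $type = $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    EndIf
    $objSD = $objUser.Get("nTSecurityDescriptor")
    $objDACL = $objSD.DiscretionaryAcl
    For Each $ace In $objDACL
      ; Only touch ACEs scoped to the Change Password control access right
      If Lcase($ace.ObjectType) = $CHANGE_PASSWORD_GUID
        $trustee = Ucase($ace.Trustee)
        If $trustee = "EVERYONE"
          $ace.AceType = $type
          $seenEveryone = 1
        EndIf
        If $trustee = "NT AUTHORITY\SELF"
          $ace.AceType = $type
          $seenSelf = 1
        EndIf
      EndIf
    Next
    If $seenEveryone And $seenSelf
      ; Write the modified DACL back; nothing changes in AD until SetInfo
      $objSD.DiscretionaryAcl = $objDACL
      $objUser.Put("nTSecurityDescriptor", $objSD)
      $objUser.SetInfo
      If @ERROR = 0  $PwdChange_Ability_Set = 0  EndIf
    Else
      $PwdChange_Ability_Set = 1
    EndIf
  EndIf
EndFunction
```

The ACEs are switched in place and the DACL is not re-sorted, so run `PwdChange_Ability_Verify` on the account afterwards to confirm the result.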