I "translated" the script from
' http://www.activexperts.com/activmonitor...rifyWhether.htm
' Verify Whether Users Can Change Their Passwords
' Identifies whether or not a user is allowed to change his or her password.
to:
Code:
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = &6   ; ACE type: object-specific deny
$CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"   ; "Change Password" extended right
$ADSPath="LDAP://cn=" + $UserName + "," + $UsrContainer + "," + GetObject("LDAP://rootDSE").Get("defaultNamingContext")
$RC=PwdChange_Ability_Verify($NutzerName, $ADSPath)

Function PwdChange_Ability_Verify($UsrNme, $AdsPath)
  ; Input  : $UsrNme  = Username of the user to be checked
  ;          $AdsPath = user name in user container in ADS in LDAP notation
  ; Values :  0 = user can change his or her password
  ;           1 = user cannot change his or her password
  ;          -1 = user not found in ADS
  ; Keep the working variables local so a second call does not see stale values
  Dim $objUser, $objSD, $objDACL, $ace, $blnEnabled
  $blnEnabled = 0
  $objUser = GetObject($AdsPath)
  If $objUser.SamAccountName=$UsrNme
    ; ?"User '" $objUser.SamAccountName "' ('" $objUser.FullName "', '" $objUser.cn" ') exists!"
  Else
    ?"User '$UsrNme' not found!"
    $PwdChange_Ability_Verify=-1
    Return
  EndIf
  $objSD = $objUser.Get("nTSecurityDescriptor")
  $objDACL = $objSD.DiscretionaryAcl
  ; Look for a deny ACE on the "Change Password" extended right
  For Each $ace in $objDACL
    If ($ace.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) And (Lcase($ace.ObjectType) = $CHANGE_PASSWORD_GUID)
      $blnEnabled = 1
    EndIf
  Next
  ; $blnEnabled is set when the deny ACE exists, i.e. the user cannot change the password
  If $blnEnabled
    $PwdChange_Ability_Verify=1
  Else
    $PwdChange_Ability_Verify=0
  EndIf
  $objUser = ""
  Return
EndFunction

which works fine. But I am not able to write a script
"Modifying User Cannot Change Password" which disables
a user account so that he cannot change his password.
Examples could be:
http://msdn.microsoft.com/library/defaul...nt_provider.asp
or
http://msdn.microsoft.com/library/defaul...ap_provider.asp
Can somebody help?
Thank you in advance!
Karl
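
The counterpart to the check above, as an added example that is not part of the original post: it sets "User Cannot Change Password" through the same ADSI objects by denying the Change Password extended right to Everyone and SELF. The function name `PwdChange_Deny` is hypothetical, and the trustee strings assume an English-language system where ADSI reports these accounts as "Everyone" and "NT AUTHORITY\SELF".

```kixtart
; Added example, not from the original post.
$ADS_ACETYPE_ACCESS_DENIED_OBJECT = &6     ; object-specific deny ACE
$ADS_RIGHT_DS_CONTROL_ACCESS      = &100   ; access mask for extended rights
$ADS_FLAG_OBJECT_TYPE_PRESENT     = &1     ; ObjectType field carries a GUID
$CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

Function PwdChange_Deny($AdsPath)
  ; Values : 0 = deny ACEs written, 1 = write failed, -1 = user not found
  Dim $objUser, $objSD, $objDACL, $ace, $names[1], $found[1], $i
  $names[0] = "Everyone"            ; assumed English display names
  $names[1] = "NT AUTHORITY\SELF"
  $objUser = GetObject($AdsPath)
  If @ERROR
    $PwdChange_Deny = -1
    Return
  EndIf
  $objSD   = $objUser.Get("nTSecurityDescriptor")
  $objDACL = $objSD.DiscretionaryAcl
  ; Pass 1: turn existing Change Password ACEs for both trustees into deny ACEs
  For Each $ace In $objDACL
    If LCase($ace.ObjectType) = $CHANGE_PASSWORD_GUID
      For $i = 0 To 1
        If $ace.Trustee = $names[$i]
          $ace.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT
          $found[$i] = 1
        EndIf
      Next
    EndIf
  Next
  ; Pass 2: add a deny ACE for any trustee that had no Change Password ACE
  For $i = 0 To 1
    If Not $found[$i]
      $ace = CreateObject("AccessControlEntry")
      $ace.Trustee    = $names[$i]
      $ace.AceType    = $ADS_ACETYPE_ACCESS_DENIED_OBJECT
      $ace.AccessMask = $ADS_RIGHT_DS_CONTROL_ACCESS
      $ace.Flags      = $ADS_FLAG_OBJECT_TYPE_PRESENT
      $ace.ObjectType = $CHANGE_PASSWORD_GUID
      $objDACL.AddAce($ace)
    EndIf
  Next
  ; Write the modified DACL back to the user object
  $objSD.DiscretionaryAcl = $objDACL
  $objUser.Put("nTSecurityDescriptor", $objSD)
  $objUser.SetInfo
  If @ERROR  $PwdChange_Deny = 1  Else  $PwdChange_Deny = 0  EndIf
EndFunction
```

This block does not reorder the DACL; a canonical DACL lists deny ACEs before allow ACEs, so re-run `PwdChange_Ability_Verify` afterwards and confirm the result in the account's properties.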