Tony, There is no "simple" way to check that. When you check the box it applies a DENY ACE for the user to change their own password.
To search for all users that have that box checked you need to write a short script that searches for all user objects that have that DENY ACE present. Hope that helps! -Joel -----Original Message----- From: Tony Murray [mailto:[EMAIL PROTECTED]] Sent: Wednesday, December 11, 2002 7:22 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] User cannot change password Hi all I have been trying (in vain) to search the userAccountControl attribute value using a bitwise filter to find users that have the "User cannot change password" flag set. The filter I am using is: (&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=64)) It doesn't appear to work, although a similar filter for "Password never expires" does, e.g: (&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=65536)) Looking through MSDN I find the following (seemingly contradictory) information: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi /ads_user_flag_enum.asp "ADS_UF_PASSWD_CANT_CHANGE The user cannot change the password. You can read this flag, but you cannot set it directly. For more information, and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password. " This seems to support the idea that it should be possible to search for this setting using the bitwise filter. But the following information suggests that it is not. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/u ser_object_user_interface_mapping.asp This seems to provide the correct information. When I toggle the flag in ADUC there is no corresponding change to the userAccountControl decimal value. Can anyone clarify this for me? Tony List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
