Password policy kicks in when attempting a password change operation, but it won't muck with userAccountControl data at all.
There's got to be a script running that naively stuffs one particular value into UAC... disable the builtin Administrator account and see what happens ;) Or better yet, look for account modifications in the event logs. I wrote this thing you might find useful. http://zetetic.net/software-zetetic-events-shell/

--Steve

On Fri, Jul 13, 2012 at 1:34 PM, Jonathan Link <[email protected]> wrote:

> Fine grained password policy?
> msDS-MaximumPasswordAge=never/none
>
> The cannot change password one has me stumped, though.
>
> On Fri, Jul 13, 2012 at 1:13 PM, Free, Bob <[email protected]> wrote:
>
>> There isn’t one, at least not natively.
>>
>> I had the same thought as you did, sounds like some kind of wonky
>> provisioning system or process gone astray.
>>
>> *From:* Steve Kradel [mailto:[email protected]]
>> *Sent:* Friday, July 13, 2012 10:03 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: change AD p/w option
>>
>> What GPO would do this? I don't know of any GPOs that would force UAC
>> flags like this...
>>
>> It sounds like the work of a scheduled script / program to me. There is
>> absolutely nothing built into AD that would prevent having both "password
>> never expires" and "cannot change password" boxes ticked; in fact, this is
>> a very common config for service accounts.
>>
>> --Steve
>>
>> On Fri, Jul 13, 2012 at 12:51 PM, Jonathan Link <[email protected]>
>> wrote:
>>
>> Sounds like a group policy setting is undoing your changes...
>>
>> On Fri, Jul 13, 2012 at 12:40 PM, <[email protected]> wrote:
>>
>> When a user account is set up in AD, they set "Password never expires."
>> Now, they want to go back and add "user cannot change password." However,
>> when they do make the change, it only holds for a few minutes and then
>> reverts back. If I uncheck 'never expires' and just select 'user cannot'
>> within a few minutes both boxes are blank.
>> I know that these settings are set at user account creation, but I didn't
>> think they were set in stone. If not through the AD gui, can they be
>> changed with PS?
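The failure mode suspected in this thread, a job that writes one constant into userAccountControl instead of changing a single bit, can be recognised from before/after values of the attribute. The Python below is an added example, not code from the thread or from any tool mentioned in it; the writer names `svc-provision` and `helpdesk1`, the accounts `svc-backup` and `jdoe`, and the `OBSERVATIONS` tuples are constructed, and it assumes old/new values have already been pulled from account-change audit records.

```python
from enum import IntFlag

class UAC(IntFlag):
    """Subset of LDAP userAccountControl bits (values from Microsoft's documentation)."""
    ACCOUNTDISABLE = 0x0002
    PASSWD_NOTREQD = 0x0020
    NORMAL_ACCOUNT = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000

def names(value):
    """Names of the known flags set in a UAC value, lowest bit first."""
    return [f.name for f in UAC if value & f]

def diff(old, new):
    """Return (flags_set, flags_cleared) between two observed UAC values."""
    return names(new & ~old), names(old & ~new)

def naive_overwrite(_current, fixed=0x200):
    """The suspected bug: write a constant and ignore what was there."""
    return fixed

def set_flag(current, flag):
    """Read-modify-write: change only the intended bit, keep the rest."""
    return int(current | flag)

# Constructed sample: (writer, account, old UAC, new UAC)
OBSERVATIONS = [
    ("svc-provision", "svc-backup", 0x10200, 0x200),   # "never expires" cleared
    ("svc-provision", "Administrator", 0x202, 0x200),  # disabled account re-enabled
    ("helpdesk1", "jdoe", 0x200, 0x10200),             # a single deliberate change
]

def find_overwrites(observations):
    """Writers that leave one identical value on accounts whose prior values differed."""
    by_writer = {}
    for writer, _account, old, new in observations:
        by_writer.setdefault(writer, []).append((old, new))
    suspects = []
    for writer, changes in by_writer.items():
        olds = {o for o, _ in changes}
        news = {n for _, n in changes}
        if len(changes) > 1 and len(olds) > 1 and len(news) == 1:
            suspects.append(writer)
    return suspects

if __name__ == "__main__":
    for writer, account, old, new in OBSERVATIONS:
        print(writer, account, diff(old, new))
    print("constant-value writers:", find_overwrites(OBSERVATIONS))
```

The second sample row is the test suggested above: a disabled Administrator account that comes back enabled means the value was replaced wholesale rather than edited bit by bit.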
