$ou = "LDAP://cn=Users,dc=essential,dc=local"

## the domain above must match the script's execution domain
$domain = (gc env:userdomain)

## WinNT provider userFlags bit for "User cannot change password"
$ADS_UF_PASSWD_CANT_CHANGE = 0x40

## find every user object under $ou
$objDomain = New-Object System.DirectoryServices.DirectoryEntry($ou)
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$results = $objSearcher.FindAll()

foreach ($result in $results)
{
    ## rebind to the same account through the WinNT provider to reach userFlags
    $sAMAccountName = $result.Properties.samaccountname.Item(0)
    $path = "WinNT://" + $domain + "/" + $sAMAccountName
    $user = [adsi]$path

    $value = $user.userFlags.Item(0)

    ## print the account name and its current flags
    ($user.Name.item(0) + " " + $value.ToString())

    ## only touch accounts that have the bit set; -bxor then clears it
    if (($value -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
    {
        $value = $value -bxor $ADS_UF_PASSWD_CANT_CHANGE
        $user.userFlags = $value
        $user.SetInfo()
        ("`t" + $user.name + " updated to $value")
    }
}

From: John Hornbuckle [mailto:[email protected]] 
Sent: Tuesday, March 03, 2009 6:43 PM
To: NT System Admin Issues
Subject: Changing Account Settings en Masse

 

We've previously not allowed users to change their own passwords; we've
handled that for them, and in Active Directory have their accounts
configured to prevent them from doing it.

 

We're implementing some new policies now, and in the near future users will
need to be able to change their own passwords.

 

I feel sure there's a way for me to enable this capability without having to
launch ADUC and bring up each user's account individually.

 

Could one of you command line commandos give me a point in the right
direction?

 

 

 

John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us

 

 

 

 
