Michael,

For some reason your PoS script was cut in half but doesn't ADUC both set this flag and a deny ACE on the user object? I assume you're handling this in the part that didn't make it through, otherwise a simple adfind | admod would do nicely.

-Anders

On 3/4/09, Michael B. Smith <[email protected]> wrote:
>
> $ou = "LDAP://cn=Users,dc=essential,dc=local"
>
> ## the domain above must match the script's execution domain
>
> $domain = (gc env:userdomain)
>
> $ADS_UF_PASSWD_CANT_CHANGE = 0x40
>
> $objDomain = New-Object System.DirectoryServices.DirectoryEntry($ou)
> $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
> $objSearcher.SearchRoot = $objDomain
> $objSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
> $results = $objSearcher.FindAll()
>
> foreach ($result in $results)
> {
>     $sAMAccountName = $result.Properties.samaccountname.Item(0)
>     $path = "WinNT://" + $domain + "/" + $sAMAccountName
>     $user = [adsi]$path
>
>     $value = $user.userFlags.Item(0)
>
>     ($user.Name.item(0) + " " + $value.ToString())
>
>     if (($value -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
>     {
>         $value = $value -bxor $ADS_UF_PASSWD_CANT_CHANGE
>         $user.userFlags = $value
>         $user.SetInfo()
>         ("`t" + $user.name + " updated to $value")
>     }
> }
>
> *From:* John Hornbuckle [mailto:[email protected]]
> *Sent:* Tuesday, March 03, 2009 6:43 PM
> *To:* NT System Admin Issues
> *Subject:* Changing Account Settings en Masse
>
> We’ve previously not allowed users to change their own passwords; we’ve
> handled that for them, and in Active Directory have their accounts
> configured to prevent them from doing it.
>
> We’re implementing some new policies now, and in the near future users will
> need to be able to change their own passwords.
>
> I feel sure there’s a way for me to enable this capability without having
> to launch ADUC and bring up each user’s account individually.
>
> Could one of you command line commandos give me a point in the right
> direction?
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us
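
Added example, not part of the thread or of Michael's script: on the LDAP side, "User cannot change password" is represented by deny ACEs for the Change Password extended right granted to Everyone and SELF, which is the point Anders raises. The code below finds and removes those explicit deny ACEs from an ACL; the function names and the in-memory sample ACL are constructed for illustration.

```powershell
# Added example: runs against a constructed in-memory ACL, no domain needed.
Add-Type -AssemblyName System.DirectoryServices

# rightsGuid of the "Change Password" (User-Change-Password) extended right
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
# Well-known SIDs: Everyone (S-1-1-0) and SELF (S-1-5-10)
$TrusteeSids = 'S-1-1-0', 'S-1-5-10'
$ExtRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$Deny     = [System.Security.AccessControl.AccessControlType]::Deny
$Allow    = [System.Security.AccessControl.AccessControlType]::Allow

function Get-CantChangePasswordAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    # Explicit ACEs only; trustees are returned as SIDs so matching does not
    # depend on localized account names.
    $Acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq $Deny -and
            $_.ObjectType -eq $ChangePasswordGuid -and
            ($_.ActiveDirectoryRights -band $ExtRight) -and
            $TrusteeSids -contains $_.IdentityReference.Value
        }
}

function Remove-CantChangePasswordAce {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Acl)
    $hits = @(Get-CantChangePasswordAce $Acl)   # snapshot before modifying
    foreach ($ace in $hits) { $Acl.RemoveAccessRuleSpecific($ace) }
    $hits.Count                                  # number of ACEs removed
}

# Constructed sample ACL: the two deny ACEs plus one unrelated allow ACE.
$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
foreach ($sid in $TrusteeSids) {
    $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($id, $ExtRight, $Deny, $ChangePasswordGuid)
    $acl.AddAccessRule($rule)
}
$admins = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
$read   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($admins, $read, $Allow)))

"deny ACEs before: {0}" -f @(Get-CantChangePasswordAce $acl).Count
"removed:          {0}" -f (Remove-CantChangePasswordAce $acl)
"deny ACEs after:  {0}" -f @(Get-CantChangePasswordAce $acl).Count
"total ACEs left:  {0}" -f $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]).Count

# Against a live account (assumption: $user is an [adsi]"LDAP://..." entry):
#   Remove-CantChangePasswordAce $user.psbase.ObjectSecurity
#   $user.psbase.CommitChanges()
```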
