When you use the LDAP provider on the user object, only the bitflag gets
changed. When you use the WinNT provider, both get changed (bitflag and
ACL). It's "magic under the hood".
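As an added example (not code from the thread or any of its posters), a PowerShell check that reads both halves of that state through the LDAP provider, so that a bulk change made with either provider can be audited afterwards. The search root is a placeholder domain; the extended-right GUID is the well-known one for User-Change-Password.

```powershell
# Added example: report whether a user's "cannot change password" state is
# consistent between the userAccountControl bit and the deny ACEs on the object.
# Assumes the caller can read the user object over LDAP; the domain is a placeholder.

$ADS_UF_PASSWD_CANT_CHANGE = 0x40
# Well-known GUID of the "User-Change-Password" extended right
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
# Principals ADUC denies when the box is ticked: Everyone (S-1-1-0) and SELF (S-1-5-10)
$DeniedSids = @('S-1-1-0', 'S-1-5-10')

function Get-CantChangePasswordState {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$SearchRoot = 'LDAP://dc=example,dc=local'   # placeholder domain
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
    $found = $searcher.FindOne()
    if (-not $found) { throw "User $SamAccountName not found under $SearchRoot" }

    $user   = $found.GetDirectoryEntry()
    $uac    = [int]$user.Properties['userAccountControl'].Value
    $bitSet = ($uac -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0

    # Explicit Deny ACEs on the Change-Password extended right for Everyone / SELF
    $extendedRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rules = $user.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $denySids = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $ChangePasswordGuid -and
        (([int]$_.ActiveDirectoryRights -band $extendedRight) -ne 0) -and
        ($DeniedSids -contains $_.IdentityReference.Value)
    } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        UacBitSet      = $bitSet
        DenyAceFor     = ($denySids -join ',')
        # Consistent only when the bit and both deny ACEs agree (all set or all clear)
        Consistent     = ($bitSet -eq ($denySids.Count -eq $DeniedSids.Count))
    }
}

# Usage: Get-CantChangePasswordState -SamAccountName jdoe | Format-List
```

A user that was cleared through the LDAP provider alone shows UacBitSet false but DenyAceFor still listing both SIDs, which is the mismatch the reply above describes.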
From: Anders Blomgren [mailto:[email protected]] 
Sent: Wednesday, March 04, 2009 7:44 AM
To: NT System Admin Issues
Subject: Re: Changing Account Settings en Masse
Michael,
For some reason your PoS script was cut in half but doesn't ADUC both set
this flag and a deny ACE on the user object? I assume you're handling this
in the part that didn't make it through, otherwise a simple adfind | admod
would do nicely.
-Anders
On 3/4/09, Michael B. Smith <[email protected]> wrote: 

                $ou = "LDAP://cn=Users,dc=essential,dc=local"

                ## the domain above must match the script's execution domain
                $domain = (gc env:userdomain)

                ## "User cannot change password" bit in userFlags / userAccountControl
                $ADS_UF_PASSWD_CANT_CHANGE = 0x40

                $objDomain = New-Object System.DirectoryServices.DirectoryEntry($ou)
                $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
                $objSearcher.SearchRoot = $objDomain
                $objSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
                $results = $objSearcher.FindAll()

                foreach ($result in $results)
                {
                    $sAMAccountName = $result.Properties.samaccountname.Item(0)

                    ## bind through the WinNT provider so SetInfo updates the flag and the ACL
                    $path = "WinNT://" + $domain + "/" + $sAMAccountName
                    $user = [adsi]$path

                    $value = $user.userFlags.Item(0)
                    ($user.Name.Item(0) + " " + $value.ToString())

                    if (($value -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
                    {
                        ## the bit is known to be set here, so xor clears it
                        $value = $value -bxor $ADS_UF_PASSWD_CANT_CHANGE
                        $user.userFlags = $value
                        $user.SetInfo()
                        ("`t" + $user.Name.Item(0) + " updated to $value")
                    }
                }
From: John Hornbuckle [mailto:[email protected]] 
Sent: Tuesday, March 03, 2009 6:43 PM
To: NT System Admin Issues
Subject: Changing Account Settings en Masse
We've previously not allowed users to change their own passwords; we've
handled that for them, and in Active Directory have their accounts
configured to prevent them from doing it.
We're implementing some new policies now, and in the near future users will
need to be able to change their own passwords.
I feel sure there's a way for me to enable this capability without having to
launch ADUC and bring up each user's account individually.
Could one of you command line commandos give me a point in the right
direction?
John Hornbuckle

MIS Department

Taylor County School District

www.taylor.k12.fl.us