Thanks, good to know. Looking closer, the use of the WinNT provider does seem a bit redundant if you don't know what goes on under the hood. :)
-Anders

On 3/4/09, Michael B. Smith <[email protected]> wrote:
> When you use the LDAP provider on the user object, only the bitflag gets changed. When you use the WinNT provider, both get changed (bitflag and ACL). It's "magic under the hood".
>
> From: Anders Blomgren [mailto:[email protected]]
> Sent: Wednesday, March 04, 2009 7:44 AM
> To: NT System Admin Issues
> Subject: Re: Changing Account Settings en Masse
>
> Michael,
>
> For some reason your PoS script was cut in half, but doesn't ADUC both set this flag and a deny ACE on the user object? I assume you're handling this in the part that didn't make it through; otherwise a simple adfind | admod would do nicely.
>
> -Anders
>
> On 3/4/09, Michael B. Smith <[email protected]> wrote:
>
> $ou = "LDAP://cn=Users,dc=essential,dc=local"
>
> ## the domain above must match the script's execution domain
> $domain = (gc env:userdomain)
>
> $ADS_UF_PASSWD_CANT_CHANGE = 0x40
>
> $objDomain = New-Object System.DirectoryServices.DirectoryEntry($ou)
> $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
> $objSearcher.SearchRoot = $objDomain
> $objSearcher.Filter = "(&(objectCategory=person)(objectClass=user))"
> $objSearcher.PageSize = 1000   ## paged search; without it FindAll() silently stops at 1000 users
> $results = $objSearcher.FindAll()
>
> foreach ($result in $results)
> {
>     $sAMAccountName = $result.Properties.samaccountname.Item(0)
>     ## ",user" class hint so a group with the same name is never bound instead
>     $path = "WinNT://" + $domain + "/" + $sAMAccountName + ",user"
>     $user = [adsi]$path
>
>     $value = $user.userFlags.Item(0)
>
>     ($user.Name.item(0) + " " + $value.ToString())
>
>     if (($value -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
>     {
>         ## clear only this bit, leave the other userFlags alone
>         $value = $value -band (-bnot $ADS_UF_PASSWD_CANT_CHANGE)
>         $user.userFlags = $value
>         $user.SetInfo()
>         ("`t" + $user.name + " updated to $value")
>     }
> }
>
> From: John Hornbuckle [mailto:[email protected]]
> Sent: Tuesday, March 03, 2009 6:43 PM
> To: NT System Admin Issues
> Subject: Changing Account Settings en Masse
>
> We've previously not allowed users to change their own passwords; we've handled that for them, and in Active Directory have their accounts configured to prevent them from doing it.
>
> We're implementing some new policies now, and in the near future users will need to be able to change their own passwords.
>
> I feel sure there's a way for me to enable this capability without having to launch ADUC and bring up each user's account individually.
>
> Could one of you command line commandos give me a point in the right direction?
>
> John Hornbuckle
> MIS Department
> Taylor County School District
> www.taylor.k12.fl.us
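The "magic under the hood" that the thread talks around is worth seeing directly. What ADUC writes when "User cannot change password" is ticked is not a bit in userAccountControl but two Deny ACEs on the user object, for the extended right User-Change-Password (rights GUID ab721a53-1e2f-11d0-9819-00aa0040529b), one for Everyone (S-1-1-0) and one for SELF (S-1-5-10); the WinNT provider derives its userFlags bit from those ACEs and rewrites them when you clear the bit, which is why the LDAP provider alone does not do the job. The script below is an added example, not code from the thread or from any of its participants: it walks the same search base as Michael's script, reports for each user both the LDAP bit and the deny ACEs, and with -Fix removes the ACEs over LDAP, which is exactly the ACL half of what the WinNT provider does. The search base is taken from the thread and must be changed for your own domain; the -Fix switch and the report format are my own choices. It must run as an account with write permission on the user objects' DACLs.

```powershell
# Added example: audit and clear "User cannot change password" by editing the
# user object's DACL over LDAP, the ACE change the WinNT provider performs implicitly.
param(
    [string]$SearchBase = "LDAP://cn=Users,dc=essential,dc=local",  # from the thread; change to your OU
    [switch]$Fix                                                     # without -Fix the script only reports
)

Add-Type -AssemblyName System.DirectoryServices

# Well-known identifiers: the User-Change-Password control access right, and the two
# trustees ADUC writes the Deny ACEs for (Everyone and NT AUTHORITY\SELF).
$ChangePasswordRight = [guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"
$Everyone = New-Object System.Security.Principal.SecurityIdentifier("S-1-1-0")
$Self     = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-10")
$ADS_UF_PASSWD_CANT_CHANGE = 0x40

function Get-CannotChangePasswordAces {
    # Returns the explicit Deny ACEs on the Change Password extended right for
    # Everyone or SELF, i.e. the ACEs that make ADUC show the box as ticked.
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    $rules = $Entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $rules | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Deny -and
        $_.ObjectType -eq $ChangePasswordRight -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.IdentityReference -eq $Everyone -or $_.IdentityReference -eq $Self)
    }
}

$root     = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 1000          # paged search; FindAll() stops at 1000 results otherwise
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")
[void]$searcher.PropertiesToLoad.Add("userAccountControl")

foreach ($result in $searcher.FindAll()) {
    $user = $result.GetDirectoryEntry()
    $sam  = $result.Properties["samaccountname"][0]
    # The LDAP-side bit is shown only for comparison with the WinNT-based script:
    # it cannot be set through LDAP and is normally absent even when the ACEs exist.
    $uac  = [int]$result.Properties["useraccountcontrol"][0]
    $aces = @(Get-CannotChangePasswordAces -Entry $user)

    "{0,-20} ldap-bit={1,-5} deny-aces={2}" -f $sam, (($uac -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0), $aces.Count

    if ($Fix -and $aces.Count -gt 0) {
        # Remove each matching Deny ACE and write the DACL back in one commit.
        foreach ($ace in $aces) { [void]$user.ObjectSecurity.RemoveAccessRuleSpecific($ace) }
        $user.CommitChanges()
        "`t$sam : removed $($aces.Count) deny ACE(s); user may now change their own password"
    }
}
```

Run it once without -Fix to see which accounts carry the ACEs, then with -Fix to clear them. On a domain where the ActiveDirectory module is available, Set-ADUser -CannotChangePassword $false performs the same ACE removal, and Get-ADUser -Properties CannotChangePassword gives the same audit view.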
