Thursday, November 27, 2008

Retrieving the Password Change Attribute

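This script identifies whether or not a user is allowed to change their password. It reads the user's security descriptor and looks in the discretionary ACL for an access-denied object ACE on the Change Password right.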

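' ACE type of an object-specific access-denied entry
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
' GUID of the Change Password extended right (lowercase for comparison)
Const CHANGE_PASSWORD_GUID  = _
 "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

' Assume the restriction is not set until a matching ACE is found
blnEnabled = False

' Bind to the user object and read its discretionary ACL
Set objUser = GetObject _
  ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl

' Look for a deny ACE that applies to the Change Password right
For Each Ace In objDACL
  If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
      (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
    blnEnabled = True
  End If
Next

If blnEnabled Then
  WScript.Echo "ADS_UF_PASSWD_CANT_CHANGE is enabled"
Else
  WScript.Echo "ADS_UF_PASSWD_CANT_CHANGE is disabled"
End If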

This is a VBScript. To use it, save the code in a file with a .vbs extension.
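The script above reports the restriction as soon as any deny ACE carries the Change Password GUID, whoever the trustee is. The following PowerShell sketch is an added example, not part of the original post: it performs the same DACL check but also records which trustee each deny ACE names. It assumes a domain-joined Windows host, that the restriction is expressed as deny ACEs for the well-known Everyone and SELF SIDs (which the post does not state), and a hypothetical function name `Get-CannotChangePassword`.

```powershell
# GUID of the Change Password extended right, as used in the VBScript above
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Assumption (not from the post): the trustees of interest are the
# well-known SIDs Everyone (S-1-1-0) and SELF (S-1-5-10)
$Trustees = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-10' = 'SELF' }

function Get-CannotChangePassword {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")

    # Explicit and inherited ACEs, with trustees returned as SIDs so the
    # comparison does not depend on localized account names
    $rules = $entry.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    $denied = foreach ($rule in $rules) {
        $isExtendedRight = $rule.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if ($rule.AccessControlType -eq 'Deny' -and
            $isExtendedRight -and
            $rule.ObjectType -eq $ChangePasswordGuid -and
            $Trustees.ContainsKey($rule.IdentityReference.Value)) {
            $Trustees[$rule.IdentityReference.Value]
        }
    }
    $denied = @($denied | Sort-Object -Unique)

    [pscustomobject]@{
        DistinguishedName    = $DistinguishedName
        DeniedTrustees       = $denied -join ', '
        # Same verdict as the VBScript: any matching deny ACE counts
        CannotChangePassword = ($denied.Count -gt 0)
        # Both trustees denied; a single one suggests a partly edited ACL
        DeniedForBoth        = ($denied.Count -eq $Trustees.Count)
    }
}

# Same user object as in the VBScript above
Get-CannotChangePassword -DistinguishedName 'cn=myerken,ou=management,dc=fabrikam,dc=com'
```

An account where `CannotChangePassword` is true but `DeniedForBoth` is false has only one of the two deny ACEs and is worth reviewing by hand.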