teksupsm Posted November 14, 2023

Hi, I am trying to get the value of "User cannot change password" on an AD account. I see the AD UDF can set the value or unset the value, but I just need to know if it is checked and cannot figure out how to get that value using the UDF. In the interim I am using the following, but would prefer to have a cleaner option since this requires cmd.exe and that is not desired in this situation.

```autoit
#include <AutoItConstants.au3> ; $STDOUT_CHILD

Local $netuser = GUICtrlRead($IUser)
; Ask NET USER for the domain account and keep only the "User may change password" line
Local $input = 'NET USER ' & $netuser & ' /DOMAIN |FIND /I "User may change password"'
ClipPut($input)
Local $iPIDOU = Run(@ComSpec & " /c " & $input, @SystemDir, @SW_HIDE, $STDOUT_CHILD)
ProcessWaitClose($iPIDOU)
Local $locked = StdoutRead($iPIDOU)
; Position of "No" in the captured line; NET USER prints the value in a fixed column
Local $status = StringInStr($locked, "No")
If $status = 30 Then
    MsgBox(0, "Notice!", "User cannot change password has been set for this account." & @CRLF & "Contact admin for further assistance.")
    Return
EndIf
```
water Posted November 14, 2023

At the moment the AD UDF does not have a function to do what you are looking for. But I think it should be possible to create a new function based on _AD_DisablePasswordChange and to return the required information. As I no longer have access to an Active Directory I could only provide an untested version of this new function. The testing then has to be done by you (in a test environment!). What do you think?
taurus905 Posted November 14, 2023

Quoting water: "As I no longer have access to an Active Directory I could only provide an untested version of this new function."

@water If you can provide a simple script that only returns an array, I can test it.
water Posted November 14, 2023

Here you go:

```autoit
#include <AD.au3>       ; _AD_ObjectExists, _AD_SamAccountNameToFQDN, __AD_ObjGet, $sAD_HostServer, $USER_CHANGE_PASSWORD
#include <Security.au3> ; _Security__LookupAccountSid

; #FUNCTION# ====================================================================================================================
; Name...........: _AD_QueryPasswordChange
; Description ...: Queries the 'User Cannot Change Password' permission.
; Syntax.........: _AD_QueryPasswordChange($sObject)
; Parameters ....: $sObject - User account to query "User cannot change password" permission.
; Return values .: Success - Either $ADS_ACETYPE_ACCESS_ALLOWED_OBJECT or $ADS_ACETYPE_ACCESS_DENIED_OBJECT.
;                  Failure - 0, sets @error to:
;                  |1 - $sObject does not exist
;                  |2 - ACE of Type $USER_CHANGE_PASSWORD not found
; Author ........: KenE
; Modified.......: water
; Remarks .......:
; Related .......:
; Link ..........:
; Example .......:
; ===============================================================================================================================
Func _AD_QueryPasswordChange($sObject)
    If Not _AD_ObjectExists($sObject) Then Return SetError(1, 0, 0)
    If StringMid($sObject, 3, 1) <> "=" Then $sObject = _AD_SamAccountNameToFQDN($sObject) ; sAMAccountName provided
    Local $sSelf = "NT AUTHORITY\SELF", $aTemp
    ; Get the language dependent well known account name for SELF (S-1-5-10)
    $aTemp = _Security__LookupAccountSid("S-1-5-10")
    If IsArray($aTemp) Then $sSelf = $aTemp[1] & "\" & $aTemp[0]
    Local $oObject = __AD_ObjGet("LDAP://" & $sAD_HostServer & "/" & $sObject)
    Local $oSD = $oObject.Get("nTSecurityDescriptor")
    Local $oDACL = $oSD.DiscretionaryAcl
    ; Search the DACL for an ACE on the User-Change-Password right whose trustee is SELF
    For $oACE In $oDACL
        If StringUpper($oACE.ObjectType) = StringUpper($USER_CHANGE_PASSWORD) Then
            If StringUpper($oACE.Trustee) = $sSelf Then Return $oACE.AceType
        EndIf
    Next
    Return SetError(2, 0, 0)
EndFunc   ;==>_AD_QueryPasswordChange
```
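Added example, not code from the thread or from the AD UDF: the check water's function performs against the ADSI object model, done instead on the raw bytes of nTSecurityDescriptor as any LDAP client returns them (for example the raw attribute value from ldap3 or ldapsearch). "User cannot change password" is not a userAccountControl flag on the LDAP side; it is a pair of ACCESS_DENIED_OBJECT ACEs for the User-Change-Password control access right (GUID ab721a53-1e2f-11d0-9819-00aa0040529b) with trustees SELF (S-1-5-10) and Everyone (S-1-1-0), which is why the UDF and the script below walk the DACL. The layout constants are the documented self-relative security descriptor, ACL, object ACE and SID wire formats; the two descriptors built at the bottom are constructed samples of the checked and unchecked state so the script runs offline.

```python
"""Decode an AD nTSecurityDescriptor and answer: is 'User cannot change password' set?"""
import struct
import uuid

USER_CHANGE_PASSWORD = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ACE_OBJECT_TYPE_PRESENT = 0x1
ACE_INHERITED_OBJECT_TYPE_PRESENT = 0x2
ACCESS_ALLOWED_OBJECT_ACE = 0x05
ACCESS_DENIED_OBJECT_ACE = 0x06
SID_SELF = "S-1-5-10"
SID_EVERYONE = "S-1-1-0"


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-10' -> revision, sub-authority count, 6-byte big-endian authority, LE sub-authorities."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(buf: bytes, off: int) -> str:
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return f"S-{revision}-{authority}" + "".join(f"-{s}" for s in subs)


def object_ace(ace_type: int, mask: int, object_type: uuid.UUID, sid: str) -> bytes:
    """ACE header (type, flags, size) + mask + object flags + ObjectType GUID + trustee SID."""
    body = struct.pack("<II", mask, ACE_OBJECT_TYPE_PRESENT) + object_type.bytes_le + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body


def self_relative_sd(aces: list) -> bytes:
    """Minimal self-relative descriptor: 20-byte header, no owner/group/SACL, DACL at offset 20."""
    acl_body = b"".join(aces)
    acl = struct.pack("<BBHHH", 4, 0, 8 + len(acl_body), len(aces), 0) + acl_body  # ACL_REVISION_DS = 4
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 0, 0, 0, 20)  # SE_SELF_RELATIVE | SE_DACL_PRESENT
    return header + acl


def iter_dacl_aces(sd: bytes):
    """Yield dicts for every ACE in the DACL; object ACEs also carry mask, object_type and trustee."""
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:
        return  # SE_DACL_PRESENT not set: nothing to inspect
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    off = dacl_off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", sd, off)
        ace = {"type": ace_type, "flags": ace_flags}
        if ace_type in (ACCESS_ALLOWED_OBJECT_ACE, ACCESS_DENIED_OBJECT_ACE):
            mask, obj_flags = struct.unpack_from("<II", sd, off + 4)
            p = off + 12
            obj_type = None
            if obj_flags & ACE_OBJECT_TYPE_PRESENT:
                obj_type = uuid.UUID(bytes_le=sd[p:p + 16])
                p += 16
            if obj_flags & ACE_INHERITED_OBJECT_TYPE_PRESENT:
                p += 16  # InheritedObjectType GUID, not needed here
            ace.update(mask=mask, object_type=obj_type, trustee=bytes_to_sid(sd, p))
        yield ace
        off += ace_size


def user_cannot_change_password(sd: bytes) -> bool:
    """True if a deny ACE for the User-Change-Password right exists for SELF or Everyone."""
    for ace in iter_dacl_aces(sd):
        if ace.get("object_type") != USER_CHANGE_PASSWORD:
            continue
        if ace["trustee"] not in (SID_SELF, SID_EVERYONE):
            continue
        if ace["type"] == ACCESS_DENIED_OBJECT_ACE and ace["mask"] & ADS_RIGHT_DS_CONTROL_ACCESS:
            return True
    return False


# Constructed samples (not captured from a real directory): the checkbox on, and the checkbox off.
SD_CANNOT_CHANGE = self_relative_sd([
    object_ace(ACCESS_DENIED_OBJECT_ACE, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD, SID_EVERYONE),
    object_ace(ACCESS_DENIED_OBJECT_ACE, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD, SID_SELF),
])
SD_CAN_CHANGE = self_relative_sd([
    object_ace(ACCESS_ALLOWED_OBJECT_ACE, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD, SID_EVERYONE),
    object_ace(ACCESS_ALLOWED_OBJECT_ACE, ADS_RIGHT_DS_CONTROL_ACCESS, USER_CHANGE_PASSWORD, SID_SELF),
])

if __name__ == "__main__":
    for label, sd in (("deny ACEs", SD_CANNOT_CHANGE), ("allow ACEs", SD_CAN_CHANGE)):
        print(f"{label}: user cannot change password = {user_cannot_change_password(sd)}")
```

To use this against a live directory, request nTSecurityDescriptor with the LDAP_SERVER_SD_FLAGS control set to DACL_SECURITY_INFORMATION only, otherwise the server may refuse the owner/SACL parts for a non-admin bind, and pass the raw value to user_cannot_change_password. Deny ACEs sort before allow ACEs in a canonical DACL, so a deny for either trustee is what wins; checking for the deny rather than the absence of an allow is the reliable test.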
rsn Posted November 14, 2023

How about something like this? It's not especially fast but it seems to work. Set $sUser to be in sAMAccountName format. I didn't test any others like UPN, CN, DN, or RDN.

```autoit
Local $sUser = "sAMAccountName"
Local $sName = "", $sPasswordChangeable = ""

Local $oWMI = ObjGet("winmgmts:{impersonationLevel=impersonate}!\\" & @ComputerName & "\ROOT\cimv2")
If @error Then
    MsgBox(4096, "error", "Error getting wmi : " & Hex(@error, 8))
Else
    ; Win32_UserAccount exposes the PasswordChangeable property for the matching account
    Local $oWMIItems = $oWMI.ExecQuery("select * from Win32_UserAccount WHERE Name = '" & $sUser & "'")
    If IsObj($oWMIItems) Then
        For $oItem In $oWMIItems
            $sPasswordChangeable = $oItem.PasswordChangeable
            $sName = $oItem.Name
        Next
    EndIf
EndIf
MsgBox(4096, @ScriptName, "USERNAME: " & $sName & @CRLF & "PW Changeable: " & $sPasswordChangeable)
```
teksupsm (Author) Posted December 5, 2023

Will try this as my workaround is not all that clean. Thank you