Hi, DC. The secret lies in the mysterious userflags attribute. Let's first show you how to set up a user account so that users cannot change their passwords, and then describe some of the other local user account properties that can be managed using the UserFlags property. If you're lucky, you can still catch lunch!
Let's first introduce a script that prevents users from changing their passwords:
Copy code code as follows:
const ads_uf_passwd_cant_change = &h0040
set objuser = GetObject ("Winnt://atl-ws-01/kenmyer")
If not objuser.userflags and ads_uf_passwd_ Cant_change then
objPasswordNoChangeFlag = objUser.UserFlags Xor ads_uf_passwd_cant_change
objUser.Put "UserFlags", objpasswordnochangeflag
objuser.setinfo
end if
First, define a constant (it has a friendly name ads_uf_passwd_cant_change) that we need to identify the correct "switch" within the userflags attribute. The UserFlags property is an example of a bitmask property that contains multiple properties and property values. The bitmask is treated as a set of switches, each of which represents a different property. If the "User Cannot change password" switch is turned on, the user cannot change his or her password, and if the switch is turned off, the user can change his or her password. This part of the content is also easy to understand; the only thing bad about bitmask is that the "switch" name is not as good as "user cannot change password", and they use a hexadecimal value similar to &h0040. To perform this task, we need to switch the "&h0040" switch, which is why we define this constant.
Next, connect to the Kenmyer account on the computer atl-ws-01. At this point, we check to see if the relevant switch is turned on. When you use bit masks, you will typically see code similar to the following:
If Objuser.userflags and Ads_uf_passwd_cant_change Then
We can illustrate the above code in plain language: if there is a UserFlags property and the Ads_uf_passwd_cant_change switch is turned on, the statement is true and some action should be performed. As far as this task is concerned, we do not care about the switch that is in the open state, and if the "Cannot Change Password" flag is set, our work will be completed. We only care about switches that are in the closed state. So we wrote the following line of code, which works only if the switch is not open:
If not objuser.userflags and Ads_uf_passwd_cant_change Then
The rest of the content is really going to bother you. See the following line of code:
Objpasswordnochangeflag = Objuser.userflags XOR ads_uf_passwd_cant_change
Although it may seem a bit complicated, this line of code is really very simple indeed. All we do here is toggle the "User Cannot change password" switch value. This is the function of the XOR command. If the switch is turned on, XOR closes it, and if the switch is turned off, Xor opens it. All we have to do is get the current value of the UserFlags property and toggle the "User Cannot change password" switch. Because we already know that the switch is off (remember the "If not" statement we just used?) , so the XOR command opens the switch. The value contained in the variable Objpasswordnochangeflag will be exactly the same as the value in the current UserFlags property, except that the "User Cannot change password" switch is turned on, not off.
Are you up to our train of thought? The rest of the script is very simple. The following line of code writes the value of the variable Objpasswordnochangeflag to the UserFlags property:
objUser.Put "UserFlags", Objpasswordnochangeflag
We then use the SetInfo command to write these changes to the user account. By running such a script, the local user Ken Myer no longer has permission to change his or her password on the computer atl-ws-01.
So what if you want to allow Ken Myer to change his or her password? That's not easy. Simply check that the user cannot change password switch is turned on and, if so, use XOR to turn it off:
Const Ads_uf_passwd_cant_change = &h0040
Set objuser = GetObject ("Winnt://atl-ws-01/kenmyer")
If Objuser.userflags and Ads_uf_passwd_cant_change Then
objpasswordnochangeflag = objuser.userflags XOR ADS_UF_ Passwd_cant_change
objuser.put "UserFlags", Objpasswordnochangeflag
objuser.setinfo end
If
The only difference is that we removed the word not from the If-then statement. This is because we now want to find out if the switch is open, and then turn it off.
We recognize that these bitmask properties are really hard to understand. If you want more information (and some pictures), see This section of the Microsoft Windows 2000 Scripting Guide. As promised earlier, we list some of the other local user account properties that can be managed using the UserFlags property:
Property |
Constant |
Value |
The logon script will be executed |
Ads_uf_script |
&h0001 |
Disable Account |
Ads_uf_accountdisable |
&h0002 |
Account Needs home Directory |
Ads_uf_homedir_required |
&h0008 |
Lock account |
Ads_uf_lockout |
&h0010 |
The account does not require a password |
Ads_uf_passwd_notreqd |
&h0020 |
User Cannot change password |
Ads_uf_passwd_cant_change |
&h0040 |
Allow encrypted text password |
Ads_uf_encrypted_text_password_allowed |
&h0080 |
Account Password never expires |
ads_uf_dont_expire_passwd |
&h10000 |
Login requires smart card |
Ads_uf_smartcard_required |
&h40000 |
Password has expired |
Ads_uf_password_expired |
&h800000 |
If there is nothing to do, replace the values with the "User Cannot change password" script to see what happens. (Of course, we always recommend that you use a test computer when experimenting with such a script, or at least use a test account.) )