Use VBScript to prevent local users from changing their passwords _vbs

Ask:

Hey, scripting guy!. How do I configure a local user account so that the user cannot change his or her password?

--DC

For:

Hi, DC. The secret lies in the mysterious userflags attribute. Let's first show you how to set up a user account so that users cannot change their passwords, and then describe some of the other local user account properties that can be managed using the UserFlags property. If you're lucky, you can still catch lunch!

Let's first introduce a script that prevents users from changing their passwords:

 
   
   
 
     
     Copy code   code as follows: 
   
   
 
   
   
 
    
    
 const ads_uf_passwd_cant_change = &h0040 
    
    
 
    
    
 set objuser =  GetObject ("Winnt://atl-ws-01/kenmyer") 
    
    
 
    
    
 If not objuser.userflags and ads_uf_passwd_ Cant_change then 
    
    
     objPasswordNoChangeFlag = objUser.UserFlags  Xor ads_uf_passwd_cant_change 
    
    
     objUser.Put  "UserFlags",  objpasswordnochangeflag  
    
    
     objuser.setinfo 
    
    
 end if 
    
    
 
   
   
 

First, define a constant (it has a friendly name ads_uf_passwd_cant_change) that we need to identify the correct "switch" within the userflags attribute. The UserFlags property is an example of a bitmask property that contains multiple properties and property values. The bitmask is treated as a set of switches, each of which represents a different property. If the "User Cannot change password" switch is turned on, the user cannot change his or her password, and if the switch is turned off, the user can change his or her password. This part of the content is also easy to understand; the only thing bad about bitmask is that the "switch" name is not as good as "user cannot change password", and they use a hexadecimal value similar to &h0040. To perform this task, we need to switch the "&h0040" switch, which is why we define this constant.

Next, connect to the Kenmyer account on the computer atl-ws-01. At this point, we check to see if the relevant switch is turned on. When you use bit masks, you will typically see code similar to the following:

If Objuser.userflags and Ads_uf_passwd_cant_change Then

We can illustrate the above code in plain language: if there is a UserFlags property and the Ads_uf_passwd_cant_change switch is turned on, the statement is true and some action should be performed. As far as this task is concerned, we do not care about the switch that is in the open state, and if the "Cannot Change Password" flag is set, our work will be completed. We only care about switches that are in the closed state. So we wrote the following line of code, which works only if the switch is not open:

If not objuser.userflags and Ads_uf_passwd_cant_change Then

The rest of the content is really going to bother you. See the following line of code:

Objpasswordnochangeflag = Objuser.userflags XOR ads_uf_passwd_cant_change

Although it may seem a bit complicated, this line of code is really very simple indeed. All we do here is toggle the "User Cannot change password" switch value. This is the function of the XOR command. If the switch is turned on, XOR closes it, and if the switch is turned off, Xor opens it. All we have to do is get the current value of the UserFlags property and toggle the "User Cannot change password" switch. Because we already know that the switch is off (remember the "If not" statement we just used?) , so the XOR command opens the switch. The value contained in the variable Objpasswordnochangeflag will be exactly the same as the value in the current UserFlags property, except that the "User Cannot change password" switch is turned on, not off.

Are you up to our train of thought? The rest of the script is very simple. The following line of code writes the value of the variable Objpasswordnochangeflag to the UserFlags property:

objUser.Put "UserFlags", Objpasswordnochangeflag

We then use the SetInfo command to write these changes to the user account. By running such a script, the local user Ken Myer no longer has permission to change his or her password on the computer atl-ws-01.

So what if you want to allow Ken Myer to change his or her password? That's not easy. Simply check that the user cannot change password switch is turned on and, if so, use XOR to turn it off:

Const Ads_uf_passwd_cant_change = &h0040

Set objuser = GetObject ("Winnt://atl-ws-01/kenmyer")

If Objuser.userflags and Ads_uf_passwd_cant_change Then
  objpasswordnochangeflag = objuser.userflags XOR ADS_UF_ Passwd_cant_change
  objuser.put "UserFlags", Objpasswordnochangeflag 
  objuser.setinfo end
If

The only difference is that we removed the word not from the If-then statement. This is because we now want to find out if the switch is open, and then turn it off.

We recognize that these bitmask properties are really hard to understand. If you want more information (and some pictures), see This section of the Microsoft Windows 2000 Scripting Guide. As promised earlier, we list some of the other local user account properties that can be managed using the UserFlags property:

Property	Constant	Value
The logon script will be executed	Ads_uf_script	&h0001
Disable Account	Ads_uf_accountdisable	&h0002
Account Needs home Directory	Ads_uf_homedir_required	&h0008
Lock account	Ads_uf_lockout	&h0010
The account does not require a password	Ads_uf_passwd_notreqd	&h0020
User Cannot change password	Ads_uf_passwd_cant_change	&h0040
Allow encrypted text password	Ads_uf_encrypted_text_password_allowed	&h0080
Account Password never expires	ads_uf_dont_expire_passwd	&h10000
Login requires smart card	Ads_uf_smartcard_required	&h40000
Password has expired	Ads_uf_password_expired	&h800000

If there is nothing to do, replace the values with the "User Cannot change password" script to see what happens. (Of course, we always recommend that you use a test computer when experimenting with such a script, or at least use a test account.) ）