Directory Services

Reading User Cannot Change Password (WinNT Provider)

The ability of a user to change their own password is a permission that can be granted or denied. To determine whether the user has been granted this permission with the WinNT provider, read the ADS_UF_PASSWD_CANT_CHANGE flag of the userFlags property of the user object. When the flag is set, the user is not permitted to change the password. The ADS_UF_PASSWD_CANT_CHANGE flag is defined in the ADS_USER_FLAG_ENUM enumeration.

Example Code

The following Visual Basic code example shows how to read the ADS_UF_PASSWD_CANT_CHANGE flag of the userFlags property of a user object.

[Visual Basic]
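' Bit of the WinNT userFlags property (ADS_USER_FLAG_ENUM) that is set when
' the account is not permitted to change its own password.
Const ADS_UF_PASSWD_CANT_CHANGE = &H40

' ADS_AUTHENTICATION_ENUM value passed to OpenDSObject so that the bind uses
' secure authentication; this is the value the literal 1 stood for.
Const ADS_SECURE_AUTHENTICATION = &H1

' Returns True when the ADS_UF_PASSWD_CANT_CHANGE bit is set in the userFlags
' property of the WinNT user object strDomain/strUser, otherwise False.
'
' strDomain, strUser  - Combined into the ADsPath "WinNT://<domain>/<user>".
'                       Both values are concatenated as given, so a "/" in
'                       either one changes which object is bound; callers
'                       that accept these from outside should validate them.
' strUserCred         - Account used for the bind. When empty, the bind uses
'                       the credentials of the current user.
' strPassword         - Password for strUserCred. It stays in memory as an
'                       ordinary string; do not log it or persist it.
'
' Bind and property-read failures are not trapped here and are raised to
' the caller.
Function UserCannotChangePassword(strDomain As String, strUser As String, strUserCred As String, strPassword As String) As Boolean
	Dim strPath As String
	Dim oUser As IADs
	Dim dso As IADsOpenDSObject
	Dim lFlags As Long

	UserCannotChangePassword = False

	' Use & for concatenation so the operands are always treated as strings.
	strPath = "WinNT://" & strDomain & "/" & strUser

	If strUserCred <> "" Then
		' Bind to the user object with the specified user name and password.
		Set dso = GetObject("WinNT:")
		Set oUser = dso.OpenDSObject(strPath, strUserCred, strPassword, ADS_SECURE_AUTHENTICATION)
	Else
		' Bind to the user object with the current credentials.
		Set oUser = GetObject(strPath)
	End If

	' Test only the one bit; other bits of userFlags are unrelated settings.
	lFlags = oUser.Get("userFlags")
	UserCannotChangePassword = ((lFlags And ADS_UF_PASSWD_CANT_CHANGE) <> 0)
End Function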

The following C++ code example shows how to read the ADS_UF_PASSWD_CANT_CHANGE flag of the userFlags property of a user object.

[C++]
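//***************************************************************************
//
//  UserCannotChangePassword()
//
//  Binds to the WinNT user object "WinNT://<pwszDomain>/<pwszUser>" and
//  reports whether the ADS_UF_PASSWD_CANT_CHANGE bit is set in its
//  userFlags property.
//
//  pwszDomain, pwszUser    Required. Concatenated into the ADsPath as
//                          given, so a '/' in either value changes which
//                          object is bound; validate values that come from
//                          outside the program before calling.
//  pwszUserCred,           Credentials for the bind. Passed straight to
//  pwszPassword            ADsOpenObject; when both are NULL the bind is
//                          documented to use the security context of the
//                          calling thread. The password buffer belongs to
//                          the caller, who should clear it after the call.
//  pfCannotChangePassword  Required. Receives TRUE when the flag is set,
//                          FALSE otherwise (also FALSE on failure).
//
//  Returns E_INVALIDARG for a NULL required argument, otherwise the HRESULT
//  of the bind, the property read or the type coercion.
//
//***************************************************************************

HRESULT UserCannotChangePassword(LPCWSTR pwszDomain, 
								 LPCWSTR pwszUser, 
								 LPCWSTR pwszUserCred, 
								 LPCWSTR pwszPassword, 
								 BOOL *pfCannotChangePassword)
{
	// A plain NULL test replaces IsBadWritePtr, which is obsolete: it probes
	// memory under an exception handler, is not reliable when other threads
	// are running, and can mask faults that should surface.
	if(NULL == pwszDomain || 
		NULL == pwszUser || 
		NULL == pfCannotChangePassword)
	{
		return E_INVALIDARG;
	}

	*pfCannotChangePassword = FALSE;

	// Build the ADsPath from wide literals only, so no narrow-to-wide
	// conversion is involved.
	CComBSTR sbstrADsPath = L"WinNT://";
	sbstrADsPath += pwszDomain;
	sbstrADsPath += L"/";
	sbstrADsPath += pwszUser;

	// Initialized so that a failed bind can never leave a stale pointer.
	IADs *pads = NULL;

	// ADS_SECURE_AUTHENTICATION asks for a secure bind, so the password is
	// not sent to the server in clear text.
	HRESULT hr = ADsOpenObject( sbstrADsPath,
								pwszUserCred,
								pwszPassword,
								ADS_SECURE_AUTHENTICATION,
								IID_IADs, 
								(void**)&pads);
	if(FAILED(hr))
	{
		return hr;
	}

	CComVariant svar;

	hr = pads->Get(CComBSTR(L"userFlags"), &svar);
	if(SUCCEEDED(hr))
	{
		// Coerce to VT_I4 before reading lVal; reading lVal from a variant
		// of another type would interpret unrelated bytes as the flags.
		hr = svar.ChangeType(VT_I4);
	}

	if(SUCCEEDED(hr))
	{
		*pfCannotChangePassword = 
			(svar.lVal & ADS_UF_PASSWD_CANT_CHANGE) ? TRUE : FALSE;
	}

	pads->Release();

	return hr;
}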