Directory Services

Modifying User Cannot Change Password (WinNT Provider)

The ability of a user to change their own password is a permission that can be granted or denied. To deny this permission, add the ADS_UF_PASSWD_CANT_CHANGE flag to the userFlags property of the user object. To grant this permission, remove the ADS_UF_PASSWD_CANT_CHANGE flag from the userFlags property of the user object.

Example Code

The following Visual Basic code example shows how to set or clear the ADS_UF_PASSWD_CANT_CHANGE flag in the userFlags property of a user object.

[Visual Basic]
' Bit mask for the userFlags property. When this bit is set, the user is
' denied permission to change their own password. &H40 is the value of
' ADS_UF_PASSWD_CANT_CHANGE in ADS_USER_FLAG_ENUM.
Const ADS_UF_PASSWD_CANT_CHANGE = &H40

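' Sets or clears the ADS_UF_PASSWD_CANT_CHANGE bit in the userFlags property
' of a user object through the WinNT provider.
'
' strDomain   - Domain name placed in the WinNT:// path.
' strUser     - Name of the user object to modify.
' strUserCred - Account used for the bind. Pass "" to bind with the
'               credentials of the calling process.
' strPassword - Password for strUserCred. Not used when strUserCred is "".
'               Obtain it at run time rather than storing it in source.
' fUserCannotChangePassword - True sets the flag, False clears it.
'
' No error handler is installed, so a failure in the bind, Get, Put or
' SetInfo call is raised to the caller.
Sub SetUserCannotChangePassword(strDomain As String, strUser As String, strUserCred As String, strPassword As String, fUserCannotChangePassword As Boolean)
	Dim oUser As IADs
	Dim strPath As String
	Dim lUserFlags As Long

	' strDomain and strUser are inserted into the ADsPath unchanged, so the
	' caller must pass validated names: a "/" in either one changes which
	' object is bound.
	strPath = "WinNT://" & strDomain & "/" & strUser

	If "" <> strUserCred Then
		Dim dso As IADsOpenDSObject

		' Bind to the user object with the specified username and password.
		' The last argument, 1, is ADS_SECURE_AUTHENTICATION.
		Set dso = GetObject("WinNT:")
		Set oUser = dso.OpenDSObject(strPath, strUserCred, strPassword, 1)
	Else
		' Bind to the user object with the current credentials.
		Set oUser = GetObject(strPath)
	End If

	' Read the current flags so that only the one bit is changed.
	lUserFlags = oUser.Get("userFlags")

	If fUserCannotChangePassword Then
		lUserFlags = lUserFlags Or ADS_UF_PASSWD_CANT_CHANGE
	Else
		lUserFlags = lUserFlags And Not ADS_UF_PASSWD_CANT_CHANGE
	End If

	' Modify the userFlags property in the local property cache.
	oUser.Put "userFlags", lUserFlags

	' Commit the changes to the server.
	oUser.SetInfo
End Sub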

The following C++ code example shows how to set or clear the ADS_UF_PASSWD_CANT_CHANGE flag in the userFlags property of a user object.

[C++]
//***************************************************************************
//  SetUserCannotChangePassword()
//***************************************************************************

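//  Sets or clears the ADS_UF_PASSWD_CANT_CHANGE bit in the userFlags property
//  of a user object through the WinNT provider.
//
//  pwszDomain            - Domain name used in the WinNT:// path. Must not be NULL.
//  pwszUser              - User name used in the WinNT:// path. Must not be NULL.
//  pwszUserCred          - User name for the bind, passed to ADsOpenObject unchanged.
//  pwszPassword          - Password for the bind, passed to ADsOpenObject unchanged.
//  fCannotChangePassword - Nonzero sets the flag, zero clears it.
//
//  Returns E_INVALIDARG when pwszDomain or pwszUser is NULL. Otherwise returns
//  the HRESULT of the first ADSI call that failed, or the result of SetInfo
//  when every earlier call succeeded.
HRESULT SetUserCannotChangePassword(LPCWSTR pwszDomain,
									LPCWSTR pwszUser, 
									LPCWSTR pwszUserCred, 
									LPCWSTR pwszPassword,
									BOOL fCannotChangePassword)
{
	if(NULL == pwszDomain || 
		NULL == pwszUser)
	{
		return E_INVALIDARG;
	}

	HRESULT hr;
	IADs *pads = NULL;

	// pwszDomain and pwszUser are concatenated into the ADsPath unchanged, so
	// the caller must pass validated names: a "/" in either one changes which
	// object is bound.
	CComBSTR sbstrADsPath = L"WinNT://";
	sbstrADsPath += pwszDomain;
	sbstrADsPath += L"/";
	sbstrADsPath += pwszUser;

	hr = ADsOpenObject( sbstrADsPath,
						pwszUserCred,
						pwszPassword,
						ADS_SECURE_AUTHENTICATION,
						IID_IADs, 
						(void**)&pads);

	if(SUCCEEDED(hr))
	{
		CComBSTR sbstrPropName = L"userFlags";
		CComVariant svar;

		hr = pads->Get(sbstrPropName, &svar);
		if(SUCCEEDED(hr))
		{
			// Read lVal only after the variant is known to hold a 32-bit
			// integer; otherwise the bit operation below would act on
			// whatever the union happens to contain.
			hr = svar.ChangeType(VT_I4);
		}

		if(SUCCEEDED(hr))
		{
			if(fCannotChangePassword)
			{
				svar.lVal |= ADS_UF_PASSWD_CANT_CHANGE;
			}
			else
			{
				svar.lVal &= ~ADS_UF_PASSWD_CANT_CHANGE;
			}

			// Perform the change in the property cache.
			hr = pads->Put(sbstrPropName, svar);
		}

		if(SUCCEEDED(hr))
		{
			// Commit the change. Skipped when Put failed, so that failure is
			// reported to the caller instead of being overwritten.
			hr = pads->SetInfo();
		}

		pads->Release();
	}

	return hr;
}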