Use the set_change_pwd_allowed command to modify the ADS_UF_PASSWD_CANT_CHANGE flag in the UserAccountControl attribute. This flag controls whether an Active Directory user can change his or her domain password. You must specify the distinguished name of a valid Active Directory user account that should be allowed to change his or her password.


set_change_pwd_allowed userdn


This command takes no options.


This command takes the following argument:

Argument Type Description



Required. Specifies the distinguished name of the Active Directory user who is allowed to change his or her password.

Return value

This command returns nothing if it runs successfully.


set_change_pwd_allowed CN=frank.smith,CN=Users,DC=ajax,DC=test
get_object_field sd

This example deselects the “User cannot change password” account property for the Active Directory user frank.smith.

Related Tcl library commands

The following commands perform actions related to this command:

  • create_aduser creates a new Active Directory user account and sets the password for the account.
  • set_change_pwd_denied prevents an Active Directory user from changing the domain password for his or her account.