Use the set_change_pwd_denied command to modify the ADS_UF_PASSWD_CANT_CHANGE flag in the UserAccountControl attribute. This flag controls whether an Active Directory user can change his or her domain password. You must specify the distinguished name of a valid Active Directory user account that should not be allowed to change his or her password.
Syntax
set_change_pwd_denied userdn
Options
This command takes no options.
Arguments
This command takes the following argument:
| Argument | Type | Description |
|
userdn |
string |
Required. Specifies the distinguished name of the Active Directory user who is not allowed to change his or her password. |
Return value
This command returns nothing if it runs successfully.
Examples
set_change_pwd_denied CN=adam.avery,CN=Users,DC=ajax,DC=test
get_object_field sd
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
This example selects the “User cannot change password” account property for the Active Directory user adam.avery.
Related Tcl library commands
The following commands perform actions related to this command:
- create_aduser creates a new Active Directory user account and sets the password for the account.
- set_change_pwd_allowed allows an Active Directory user to change the domain password for his or her account.
Doc Feedback