set_change_pwd_denied

Use the set_change_pwd_denied command to modify the ADS_UF_PASSWD_CANT_CHANGE flag in the UserAccountControl attribute. This flag controls whether an Active Directory user can change his or her domain password. You must specify the distinguished name of a valid Active Directory user account that should not be allowed to change his or her password.

Syntax

set_change_pwd_denied userdn

Options

This command takes no options.

Arguments

This command takes the following argument:

Argument    Type      Description
--------    ------    -----------
userdn      string    Required. Specifies the distinguished name of the Active Directory user who is not allowed to change his or her password.

Return value

This command returns nothing if it runs successfully.

Examples

set_change_pwd_denied CN=adam.avery,CN=Users,DC=ajax,DC=test
get_object_field sd
(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)

This example selects the “User cannot change password” account property for the Active Directory user adam.avery.
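
To confirm the result of this command from the security descriptor, the following added Python example (not part of this documentation or of the Tcl library) parses a string like the one returned by get_object_field sd. It reports whether the object-deny (OD) entries for the Change Password control-access right (CR) are present for both Everyone (WD) and Principal Self (PS). The function names and the two extra sample strings are constructed for illustration, and the code assumes the standard SDDL field order type;flags;rights;object GUID;inherit GUID;trustee.

```python
import re

# User-Change-Password extended right, the GUID in the page's example output.
CHANGE_PWD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
CONTROL_ACCESS = 0x100           # numeric form of the SDDL right "CR"
TRUSTEES = {"WD", "PS"}          # Everyone and Principal Self
FIELDS = ("type", "flags", "rights", "object_guid", "inherit_guid", "trustee")


def parse_aces(sddl):
    """Split every parenthesised ACE in an SDDL string into its six fields."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        parts = body.split(";")
        if len(parts) >= 6:      # ignore anything that is not a full ACE
            aces.append(dict(zip(FIELDS, parts[:6])))
    return aces


def grants_control_access(rights):
    """True if the rights field includes CR, written as letters or as hex."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in [rights[i:i + 2] for i in range(0, len(rights), 2)]


def change_password_state(sddl):
    """Return 'denied', 'partial' or 'not_denied' for the account's ACEs."""
    denied = set()
    for ace in parse_aces(sddl):
        if (ace["type"] == "OD"
                and grants_control_access(ace["rights"])
                and ace["object_guid"].lower() == CHANGE_PWD_GUID
                and ace["trustee"] in TRUSTEES):
            denied.add(ace["trustee"])
    if denied == TRUSTEES:
        return "denied"
    return "partial" if denied else "not_denied"


# The first string is the page's example output; the other two are constructed.
PAGE_OUTPUT = ("(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
               "(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)")
ALLOW_ONLY = PAGE_OUTPUT.replace("OD;", "OA;")
SELF_ONLY = "D:(OD;;0x100;AB721A53-1E2F-11D0-9819-00AA0040529B;;PS)(A;;RP;;;AU)"

if __name__ == "__main__":
    for name, sd in [("page", PAGE_OUTPUT), ("allow", ALLOW_ONLY), ("self", SELF_ONLY)]:
        print(name, change_password_state(sd))
```

A "partial" result means only one of the two deny entries was found, so the account's descriptor does not match the output shown in the example above.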

Related Tcl library commands

The following commands perform actions related to this command:

  • create_aduser creates a new Active Directory user account and sets the password for the account.
  • set_change_pwd_allowed allows an Active Directory user to change the domain password for his or her account.