User Must Change Password at Next Logon Access Denied
  • User Must Change Password at Next Logon Access Denied

    Hello all. I wrote a script which has a subroutine to automate the creation of user accounts during a domain join process and I am having trouble applying a particular setting. Basically, I need to create the user object on a particular DC while using a particular account. The domain is a 2008 domain. I am doing the creation via the following code:

    Code:
    Const ADS_SECURE_AUTHENTICATION = 1   ' ADS_AUTHENTICATION_ENUM flag expected by OpenDSObject
    Set objLDAP = GetObject("LDAP:")
    ' Bind to the target OU on a specific DC with explicit credentials
    Set objOU = objLDAP.OpenDSObject("LDAP://" & strDC & "/" & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    Set objUser = objOU.Create("User", "CN=USER1")
    objUser.Put "sAMAccountName", "USER1"
    objUser.SetInfo
    I know this particular item has variables listed and they are all defined properly in the actual script. Furthermore the code above works just fine and creates the account as expected. Where I am having the problem is when I try to uncheck the "User Must Change Password at Next Logon" box. From what I have researched, I have found two ways to change this setting, which are:

    Code:
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    or

    Code:
    objUser.Put "pwdLastSet", CLng(-1)
    objUser.SetInfo
    That said, I added the following section after the account creation.

    Code:
    ' Re-bind to the newly created user with the same explicit credentials
    Set objUser = objLDAP.OpenDSObject("LDAP://" & strDC & "/CN=USER1," & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    However, no matter which of the two methods I try, this setting does not change. Instead, I get the following error after entering the pwdLastSet value:

    error # -2147022651

    and this error after attempting to SetInfo:

    error # -2147024891: Access is Denied

    I have permissioned the user account creating the objects the "create user objects" and "read/write all properties" permissions to the target OU on this object and all descending objects, but still am unsuccessful. I have also tried giving the user account full control of the OU and also given the specific "read/write pwdLastSet" permission. In both instances I get the same result.

    This is the only setting I cannot get to work and I am a bit baffled as to why it continuously fails. If anyone can help, I would greatly appreciate it.

  • #2
    Re: User Must Change Password at Next Logon Access Denied

    I got a tip from someone on the permissions aspect and it helped to resolve the issue. Thanks all.



    • #3
      Re: User Must Change Password at Next Logon Access Denied

      Could you help future readers by telling us what you actually did to fix it?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: User Must Change Password at Next Logon Access Denied

        Sure. Basically, the following permissions were granted to the service account being used on the target OU:

        Create User Objects (This object and all descendant objects)
        Read/Write All Properties (Descendant User objects)
        Reset Password (Descendant User objects)


        What I found was that granting the Read/Write All Properties, or more specifically the Read/Write pwdLastSet permission, would not work unless the Reset Password permission was granted as well.

        In my case, I used Read/Write All Properties because I was setting various other attributes during the account creation process. However, if you are just looking to script the unchecking of the User Must Change Password at Next Logon or attempting to delegate that ability, you would simply need to grant the following permissions:

        Read/Write pwdLastSet(Descendant User objects)
        Reset Password (Descendant User objects)


        In addition, I believe this should work fine in a 2008 domain. However, in a 2003 domain I read a Microsoft Knowledge Base article that stated you may need to modify the DSSEC.DAT file to delegate the pwdLastSet right. See link below.

        http://support.microsoft.com/kb/296999
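Putting the thread together, here is an added VBScript example (not the original poster's script) that creates the account on a chosen DC with explicit credentials, clears the must-change flag by writing pwdLastSet = -1, reports the Access Denied case that post #4 attributes to a missing Reset Password right, and then reads pwdLastSet back to confirm the flag is really cleared. The DC, OU, service account name and UPN suffix are assumed placeholders.

```vbscript
' Added example, not from the original thread. Assumed values: the DC, OU,
' service account and UPN suffix below. Requires an account that holds
' "Create User objects" on the OU plus Write pwdLastSet AND Reset Password
' on descendant User objects (the combination post #4 found necessary).
Option Explicit

Const ADS_SECURE_AUTHENTICATION = 1    ' ADS_AUTHENTICATION_ENUM flag for OpenDSObject
Const E_ACCESSDENIED = -2147024891     ' 0x80070005, the SetInfo error seen in the thread

Dim strDC, strAutoOU, strUsername, strUPN, strPassword
strDC       = "dc01.example.test"                     ' assumed DC
strAutoOU   = "OU=AutoCreated,DC=example,DC=test"     ' assumed target OU
strUsername = "svc-join"                              ' assumed service account
strUPN      = "@example.test"                         ' assumed UPN suffix
strPassword = InputBox("Password for " & strUsername & strUPN)

Dim objLDAP, objOU, objUser, objLI
Set objLDAP = GetObject("LDAP:")
Set objOU = objLDAP.OpenDSObject("LDAP://" & strDC & "/" & strAutoOU, _
    strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)

' 1. Create the account; this only needs "Create User objects" on the OU.
Set objUser = objOU.Create("User", "CN=USER1")
objUser.Put "sAMAccountName", "USER1"
objUser.SetInfo

' 2. Clear "User must change password at next logon".
'    -1 means "password was set now"; 0 would force a change instead.
On Error Resume Next
objUser.Put "pwdLastSet", CLng(-1)
objUser.SetInfo
If Err.Number = E_ACCESSDENIED Then
    WScript.Echo "Access denied writing pwdLastSet. Check that " & strUsername & _
        " has Write pwdLastSet AND Reset Password on descendant User objects."
    WScript.Quit 1
ElseIf Err.Number <> 0 Then
    WScript.Echo "SetInfo failed: " & Err.Number & " " & Err.Description
    WScript.Quit 1
End If
On Error GoTo 0

' 3. Verify from the server: pwdLastSet is an IADsLargeInteger and a
'    value of 0 means the must-change flag is still set.
objUser.GetInfo
Set objLI = objUser.Get("pwdLastSet")
If objLI.HighPart = 0 And objLI.LowPart = 0 Then
    WScript.Echo "pwdLastSet is still 0: must-change flag NOT cleared."
    WScript.Quit 1
Else
    WScript.Echo "pwdLastSet updated: must-change flag cleared."
End If
```

Run it with cscript so the messages go to the console. If you want to delegate only what post #4 lists rather than Read/Write All Properties, dsacls can grant the two rights on the OU with inheritance to User objects, for example dsacls "OU=AutoCreated,DC=example,DC=test" /I:S /G "EXAMPLE\svc-join:RPWP;pwdLastSet;user" followed by the same command with "EXAMPLE\svc-join:CA;Reset Password;user" (domain, OU and account are the same assumed placeholders); the script's step 3 is the quickest way to confirm the delegation took effect.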



        • #5
          Re: User Must Change Password at Next Logon Access Denied

          Thanks for the update!
          ** Remember to give credit where credit is due and leave reputation points where appropriate **
