Help with AD Script for setting password never expires


This topic contains 8 replies, has 5 voices, and was last updated by Avatar MCSE1982 9 years ago.

    Managor
    Member
    #151306

    So I’ve just been tasked with setting “Password Never Expires” for our “TS Users” group on a WS2003 AD, and I’ve been trying to modify this code:

    [CODE]
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    strOU = "ou=TS Users"
    strDomain = "pls.com"

    set objRootDSE = GetObject("LDAP://"&strDomain&"/RootDSE")
    set objParent = GetObject("LDAP://"&strOU&","(objRootDSE.Get("defaultNamingContext")))

    intUAC = objUser.Get("userAccountControl")
    objParent.Filter = Array("user")

    for each objUser in objParent
    If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
    else
    objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    end if
    next
    [/CODE]

    But I can’t get it to work for some reason. Would anyone mind telling me where I went wrong? My newbness at VBS smacks me hard. :-x

    tehcamel
    Moderator
    #356351

    Re: Help with AD Script for setting password never expires

    Well, to start with, does it give you any errors?

    MCSE1982
    Member
    #377812

    Re: Help with AD Script for setting password never expires

    Sorry guess that would help, was being rushed into a meeting.

    In its current state, it gives me this error:

    Line:6
    Char:1
    Type Mismatch: '[string: ","]'

    tehcamel
    Moderator
    #356353

    Re: Help with AD Script for setting password never expires

    Looks like you could be using the wrong speech marks etc. in the wrong place,

    at first glance (I’m not a great scripter though).

    MCSE1982
    Member
    #377813

    Re: Help with AD Script for setting password never expires

    So I changed it to this code:

    [CODE]
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    Set objUser = GetObject _
    ("LDAP://cn=pls.com,ou=TS Users,dc=pls,dc=com")
    intUAC = objUser.Get("userAccountControl")

    If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
    Wscript.Echo "Already enabled"
    Else
    objUser.Put "userAccountControl", intUAC XOR _
    ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    WScript.Echo "Password never expires is now enabled"
    End If
    [/CODE]

    Line:3
    Char:1
    No such object on the server.

    This is driving me bonkers.

    Ossian
    Moderator
    #182878

    Re: Help with AD Script for setting password never expires

    You’ve split lines 3 and 4, so it’s getting confused.
    You should have combined both (without the _) to give:

    [CODE]Set objUser = GetObject ("LDAP://cn=pls.com,ou=TS Users,dc=pls,dc=com")[/CODE]
    MCSE1982
    Member
    #377815

    Re: Help with AD Script for setting password never expires

    So I think I’ve got the CN part wrong. The path of the group I want to change is

    [CODE]pls.com/pls/TS Users/[/CODE]

    This is my current code:

    [CODE]
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    Set objUser = GetObject ("LDAP://cn=pls,ou=TS Users,dc=pls,dc=com")
    intUAC = objUser.Get("userAccountControl")

    If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
    Wscript.Echo "Already enabled"
    Else
    objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    WScript.Echo "Password never expires is now enabled"
    End If
    [/CODE]

    Something I also just thought about: I want to make it so they can’t change their passwords either.

    Rems
    Moderator
    #227868

    Re: Help with AD Script for setting password never expires

    Managor;218722 wrote:
    So I think I’ve got the CN part wrong. The path of the group I want to change is
    pls.com/pls/TS Users/

    If “TS Users” is the name of a Group, and that group is in the “pls” Organizational Unit, then the LDAP ADsPath should be:

    [CODE]Set objGroup = GetObject("LDAP://cn=TS Users,ou=pls,dc=pls,dc=com")[/CODE]

    Note, the object is of type Group (and is not a ‘User’). To get to the users who are members of the group, enumerate the members of this group.

    [CODE]
    '-----------------------------------------------------------------------
    ' This script enables ADS_UF_DONT_EXPIRE_PASSWD
    ' also enables ADS_UF_PASSWD_CANT_CHANGE
    ' for users who are a direct member of the group 'TS Users'
    '-----------------------------------------------------------------------

    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
    ' Control access right "User-Change-Password"; the deny ACEs below are placed on this right
    Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
    Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100
    ' Const ADS_ACETYPE_ACCESS_DENIED = &H1
    ' Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
    Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
    Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1

    Dim oACESelf, oACEEveryone : Call CreateACEs ' what can be used for enabling ADS_UF_PASSWD_CANT_CHANGE

    Set objGroup = GetObject("LDAP://cn=TS Users,ou=pls,dc=pls,dc=com")

    For each objMember in objGroup.Members
        objMember.GetInfo
        ' 805306368 = SAM_NORMAL_USER_ACCOUNT: skips nested groups, computers and contacts
        If objMember.sAMAccountType = 805306368 Then

            ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
            intUAC = objMember.Get("userAccountControl")

            If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
                Wscript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD was enabled"
                rem '# Disable ADS_UF_DONT_EXPIRE_PASSWD
                rem objMember.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
                rem objMember.SetInfo
                rem Wscript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD is now disabled"

            Else
                WScript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD was disabled"
                '# Enable ADS_UF_DONT_EXPIRE_PASSWD
                ' (XOR sets the bit here only because this branch guarantees it is clear; do not XOR unconditionally)
                objMember.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
                objMember.SetInfo
                Wscript.Echo objMember.cn, "ADS_UF_DONT_EXPIRE_PASSWD is now enabled"
            End If

            ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
            Set objSD = objMember.Get("nTSecurityDescriptor")
            Set objDACL = objSD.DiscretionaryAcl

            '--- Determine whether or not ADS_UF_PASSWD_CANT_CHANGE is enabled
            ' Reset per member; otherwise one match carries over to every later user
            blnACEPresent = False
            For Each Ace In objDACL
                If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
                    (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                    blnACEPresent = True
                End If
            Next

            If blnACEPresent Then
                Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE was enabled"
                rem '# Disable ADS_UF_PASSWD_CANT_CHANGE
                rem arrTrustees = Array("nt authority\self", "everyone")
                rem For Each strTrustee In Array("nt authority\self", "everyone")
                rem     For Each ace In objDACL
                rem         If(LCase(ace.Trustee) = strTrustee) Then
                rem             If((ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
                rem                (LCase(ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                rem                 objDACL.RemoveAce ace
                rem             End If
                rem         End If
                rem     Next
                rem Next
                rem objMember.Put "nTSecurityDescriptor", objSD
                rem objMember.SetInfo
                rem Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE is now disabled"

            Else
                Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE was disabled"
                '# Enable ADS_UF_PASSWD_CANT_CHANGE
                '--- Get this object's Security Descriptor
                Set oSecDescriptor = objMember.Get("ntSecurityDescriptor")

                '--- Get the Discretionary ACL ---
                Set oDACL = oSecDescriptor.DiscretionaryAcl

                '--- Add our new ACEs and replace DACL ---
                oDACL.AddAce oACESelf
                oDACL.AddAce oACEEveryone

                '--- Put the Security Descriptor back on the object ---
                objMember.Put "ntSecurityDescriptor", oSecDescriptor
                objMember.SetInfo
                Wscript.Echo objMember.cn, "ADS_UF_PASSWD_CANT_CHANGE is now enabled"
            End If
            ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

        End If
    Next

    wscript.quit

    Sub CreateACEs ' Will be used for enabling ADS_UF_PASSWD_CANT_CHANGE
        ' WARNING: The sample code does not reorder the Access Control Entries (ACEs).
        ' The programmer must set the correct order of ACEs in a security
        ' descriptor. Correct order, known as "canonicalization of the ACL,"
        ' requires (among other things) that all "deny" ACEs are listed before
        ' all "allow" ACEs in the ACL.
        ' http://support.microsoft.com/kb/301287

        Set oACESelf = CreateObject("AccessControlEntry")
        Set oACEEveryone = CreateObject("AccessControlEntry")

        '--- Create the Access Control Entry for Self ---
        oACESelf.Trustee = "NT AUTHORITY\SELF"
        oACESelf.AceFlags = 0
        oACESelf.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
        oACESelf.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
        oACESelf.ObjectType = CHANGE_PASSWORD_GUID
        oACESelf.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS

        '--- Create the Access Control Entry for Everyone ---
        oACEEveryone.Trustee = "EVERYONE"
        oACEEveryone.AceFlags = 0
        oACEEveryone.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
        oACEEveryone.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
        oACEEveryone.ObjectType = CHANGE_PASSWORD_GUID
        oACEEveryone.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
    End Sub
    [/CODE]

    Rems
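    The same two changes as Rems' script, done with the ActiveDirectory PowerShell module and followed by the audit a defender wants afterwards. This is an added example, not code from the thread; it assumes the module can reach the domain (a WS2003 domain needs the Active Directory Management Gateway Service on a DC for that) and that the group DN Rems worked out is correct, and it keeps -WhatIf on Set-ADUser until the output has been checked.

    ```powershell
    # Added example, not from the thread. Assumes the ActiveDirectory module is available
    # and that the group DN from Rems' reply is the right one for the target domain.
    Import-Module ActiveDirectory

    $GroupDN = 'CN=TS Users,OU=pls,DC=pls,DC=com'

    # Direct user members only: the same filter as objGroup.Members + sAMAccountType in the VBScript.
    $members = @(Get-ADGroupMember -Identity $GroupDN | Where-Object { $_.objectClass -eq 'user' })

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.DistinguishedName `
                        -Properties userAccountControl, PasswordNeverExpires, CannotChangePassword

        # PasswordNeverExpires is UAC bit 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD).
        # CannotChangePassword is not a UAC bit: the cmdlet writes the deny ACEs on the
        # User-Change-Password right for SELF and Everyone itself, so nothing is built by hand
        # and the ACE-ordering warning in the VBScript does not apply here.
        if (-not ($u.PasswordNeverExpires -and $u.CannotChangePassword)) {
            '{0}: UAC=0x{1:X}, setting PasswordNeverExpires and CannotChangePassword' -f `
                $u.SamAccountName, $u.userAccountControl
            Set-ADUser -Identity $u -PasswordNeverExpires $true -CannotChangePassword $true -WhatIf
        } else {
            '{0}: already configured' -f $u.SamAccountName
        }
    }

    # Audit: a non-expiring password is a standing risk, so list every enabled account that has
    # the bit set without being a direct member of the group that is supposed to carry it.
    $allowed = @($members | Select-Object -ExpandProperty DistinguishedName)
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $allowed -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName, PasswordLastSet
    ```

    Remove -WhatIf once the listed accounts match the intended group; the audit at the end is worth keeping as a scheduled check, since the bit tends to accumulate on service and admin accounts nobody remembers.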

    MCSE1982
    Member
    #377836

    Re: Help with AD Script for setting password never expires

    Rems, you’re amazing.
