User Must Change Password at Next Logon Access Denied


This topic contains 4 replies, has 4 voices, and was last updated by spinmind 8 years, 8 months ago.

    nelks
    Member
    #152330

    Hello all. I wrote a script which has a subroutine to automate the creation of user accounts during a domain join process and I am having trouble applying a particular setting. Basically, I need to create the user object on a particular DC while using a particular account. The domain is a 2008 domain. I am doing the creation via the following code:

    [CODE]
    Const ADS_SECURE_AUTHENTICATION = &H1  ' ADSI flag: Kerberos/NTLM bind, not a clear-text simple bind
    Set objLDAP = GetObject("LDAP:")
    ' Bind to the target OU on a specific DC as a specific account
    Set objOU = objLDAP.OpenDSObject("LDAP://" & strDC & "/" & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    Set objUser = objOU.Create("User", "CN=USER1")
    objUser.Put "sAMAccountName", "USER1"
    objUser.SetInfo
    [/CODE]

    I know this particular item has variables listed and they are all defined properly in the actual script. Furthermore, the code above works just fine and creates the account as expected. Where I am having the problem is when I try to uncheck the "User Must Change Password at Next Logon" box. From what I have researched, I have found two ways to change this setting, which are:

    [CODE]
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    [/CODE]

    or

    [CODE]
    objUser.Put "pwdLastSet", CLng(-1)
    objUser.SetInfo
    [/CODE]

    That said, I added the following section after the account creation.

    [CODE]
    ' Rebind to the newly created object on the same DC, then write pwdLastSet
    Set objUser = objLDAP.OpenDSObject("LDAP://" & strDC & "/CN=USER1," & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    [/CODE]

    However, no matter which of the two methods I try, this setting does not change. Instead, I get the following error after entering the pwdLastSet value:

    error # -2147022651

    and this error after attempting to SetInfo:

    error # -2147024891: Access is Denied

    I have permissioned the user account creating the objects the "create user objects" and "read/write all properties" permissions to the target OU on this object and all descending objects, but still am unsuccessful. I have also tried giving the user account full control of the OU and also given the specific "read/write pwdLastSet" permission. In both instances I get the same result.
    This is the only setting I cannot get to work and I am a bit baffled as to why it continuously fails. If anyone can help, I would greatly appreciate it.

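As an added example that is not part of the original post: the same sequence in PowerShell on System.DirectoryServices, the .NET layer over the ADSI interfaces the VBScript uses. It binds to one DC with an explicit account the way OpenDSObject does, creates the user, writes pwdLastSet = -1, reads the attribute back as a timestamp to prove the write took, and decodes the negative error numbers the post quotes into their HRESULT and Windows message text (-2147024891 is 0x80070005, Access is denied). The DC name, OU, account and user name are placeholders.

```powershell
# Added example, not code from the original post. Same steps as the VBScript above
# (bind to one DC as a specific account, create the user, then clear "must change
# password" by writing pwdLastSet = -1), done in PowerShell through
# System.DirectoryServices, which wraps the ADSI interfaces OpenDSObject uses.
# $dc, $autoOu, $sam and $cred are placeholders; nothing below is taken from the thread.
Add-Type -AssemblyName System.DirectoryServices

$dc     = 'dc01.corp.example'                  # assumed DC to target (strDC in the post)
$autoOu = 'OU=Automation,DC=corp,DC=example'   # assumed target OU (strAutoOU in the post)
$sam    = 'USER1'
$cred   = Get-Credential -Message 'Account used for provisioning'

function Get-AdsiEntry {
    param([string]$Path, [pscredential]$Credential)
    # AuthenticationTypes.Secure is ADS_SECURE_AUTHENTICATION: Kerberos/NTLM bind, never a clear-text simple bind.
    $bindArgs = @($Path, $Credential.UserName, $Credential.GetNetworkCredential().Password,
                  [System.DirectoryServices.AuthenticationTypes]::Secure)
    New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $bindArgs
}

function Convert-AdsiHResult {
    param([int]$HResult)
    # ADSI surfaces Win32 failures as HRESULT 0x8007xxxx; the low 16 bits are the Win32 code,
    # and Win32Exception turns that code into the OS message text at run time.
    $hex = '0x{0:X8}' -f $HResult
    if (($HResult -band 0xFFFF0000) -eq 0x80070000) {
        $win32 = $HResult -band 0xFFFF
        $msg   = (New-Object System.ComponentModel.Win32Exception -ArgumentList $win32).Message
        return "$hex (Win32 error $win32): $msg"
    }
    return $hex
}

function Get-PwdLastSet {
    param([System.DirectoryServices.DirectoryEntry]$Entry)
    # A base-scope search returns LargeInteger attributes as Int64; reading the attribute
    # straight off the DirectoryEntry hands back an IADsLargeInteger COM object instead.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $Entry
    $searcher.Filter      = '(objectClass=user)'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Base
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    [int64]$searcher.FindOne().Properties['pwdlastset'][0]
}

try {
    $ou  = Get-AdsiEntry -Path "LDAP://$dc/$autoOu" -Credential $cred
    # psbase reaches the .NET members behind PowerShell's ADSI adapter on every version.
    $new = $ou.psbase.Children.Add("CN=$sam", 'user')
    $new.psbase.Properties['sAMAccountName'].Value = $sam
    $new.psbase.CommitChanges()            # first SetInfo: the object must exist before pwdLastSet is writable

    # Rebind to the new object through the same DC so the write is not raced by replication.
    $user = Get-AdsiEntry -Path "LDAP://$dc/CN=$sam,$autoOu" -Credential $cred
    # -1 tells the DC to stamp the current time (checkbox cleared); 0 forces a change at next logon.
    $user.psbase.Properties['pwdLastSet'].Value = -1
    $user.psbase.CommitChanges()

    $stamp = Get-PwdLastSet -Entry $user
    if ($stamp -eq 0) { throw "pwdLastSet is still 0 for $sam; the write did not take" }
    "pwdLastSet for $sam is now {0:u}" -f [DateTime]::FromFileTimeUtc($stamp)
}
catch {
    # Unwrap MethodInvocationException -> DirectoryServicesCOMException to reach the ADSI HRESULT.
    $ex = $_.Exception
    while ($ex.InnerException) { $ex = $ex.InnerException }
    Write-Error ("ADSI operation failed: " + (Convert-AdsiHResult -HResult $ex.HResult))
}
```

The read-back matters: CommitChanges returning without an exception only says the DC accepted the write, and pwdLastSet staying 0 is exactly the symptom of a delegation that is missing a right. Convert-AdsiHResult can also be called on its own with the two numbers from the post to see what Windows says they mean.
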
    spinmind
    Member
    #378520

    Re: User Must Change Password at Next Logon Access Denied

    I got a tip from someone on the permissions aspect and it helped to resolve the issue. Thanks all.

    Ossian
    Moderator
    #183291

    Re: User Must Change Password at Next Logon Access Denied

    Could you help future readers by telling us what you actually did to fix it?

    spinmind
    Member
    #378521

    Re: User Must Change Password at Next Logon Access Denied

    Sure. Basically, the following permissions were granted to the service account being used on the target OU:

    Create User Objects (This object and all descendant objects)
    Read/Write All Properties (Descendant User objects)
    Reset Password (Descendant User objects)

    What I found was that granting the Read/Write All Properties, or more specifically the Read/Write pwdLastSet permission, would not work unless the Reset Password permission was granted as well.

    In my case, I used Read/Write All Properties because I was setting various other attributes during the account creation process. However, if you are just looking to script the unchecking of the User Must Change Password at Next Logon or attempting to delegate that ability, you would simply need to grant the following permissions:

    Read/Write pwdLastSet (Descendant User objects)
    Reset Password (Descendant User objects)

    In addition, I believe this should work fine in a 2008 domain. However, in a 2003 domain I read a Microsoft Knowledge Base article that stated you may need to modify the DSSEC.DAT file to delegate the pwdLastSet right. See link below.

    http://support.microsoft.com/kb/296999

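One way to apply the delegation described in the reply above, as an added example that is not part of the thread: a PowerShell script on System.DirectoryServices that writes the three ACEs (Create User objects on the OU and all descendants, Read/Write pwdLastSet on descendant user objects, Reset Password on descendant user objects) to the OU's DACL and then lists what the DC stored for that trustee. The OU and service account are placeholders; the three GUIDs are Active Directory's fixed schema and control-access-right identifiers for the user class, the pwdLastSet attribute and the Reset Password right.

```powershell
# Added example, not code from the thread. Grants a provisioning account exactly the
# three rights listed in the reply above, on the target OU, with the same inheritance
# scope, through System.DirectoryServices (no ActiveDirectory module needed).
# $ouDn and $trustee are placeholders; the GUIDs are AD's fixed identifiers.
Add-Type -AssemblyName System.DirectoryServices

$ouDn    = 'OU=Automation,DC=corp,DC=example'   # assumed target OU
$trustee = 'CORP\svc-join'                       # assumed service account

$userClassGuid  = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of class "user"
$pwdLastSetGuid = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of attribute pwdLastSet
$resetPwdGuid   = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # rightsGuid of the "Reset Password" control access right

function New-DelegationRules {
    param([System.Security.Principal.SecurityIdentifier]$Sid)
    $allow  = [System.Security.AccessControl.AccessControlType]::Allow
    $create = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
    $rw     = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
    $ext    = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $all    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    $desc   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $T      = 'System.DirectoryServices.ActiveDirectoryAccessRule'
    @(
        # Create User objects: this object and all descendant objects
        New-Object $T -ArgumentList $Sid, $create, $allow, $userClassGuid, $all
        # Read/Write pwdLastSet: descendant User objects only
        New-Object $T -ArgumentList $Sid, $rw, $allow, $pwdLastSetGuid, $desc, $userClassGuid
        # Reset Password: descendant User objects only; the reply found the pwdLastSet write fails without it
        New-Object $T -ArgumentList $Sid, $ext, $allow, $resetPwdGuid, $desc, $userClassGuid
    )
}

function Grant-PwdLastSetDelegation {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)
    $ou = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$OuDn"
    # psbase reaches the .NET members behind PowerShell's ADSI adapter on every version.
    $acl = $ou.psbase.ObjectSecurity
    foreach ($rule in (New-DelegationRules -Sid $Sid)) { $acl.AddAccessRule($rule) }
    $ou.psbase.CommitChanges()   # writes the modified nTSecurityDescriptor (DACL) back to the OU
}

function Get-DelegationRules {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)
    # Re-read the DACL from the DC and show only the ACEs held by the trustee.
    $ou = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$OuDn"
    $ou.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $Sid } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}

$sid = (New-Object System.Security.Principal.NTAccount -ArgumentList $trustee).Translate([System.Security.Principal.SecurityIdentifier])
Grant-PwdLastSetDelegation -OuDn $ouDn -Sid $sid
Get-DelegationRules -OuDn $ouDn -Sid $sid | Format-Table -AutoSize
```

Running this needs the right to modify the OU's DACL ("Modify permissions" / WRITE_DAC). Reset Password lets the holder set the password of every user under the OU, so grant it on the narrowest OU that holds the provisioned accounts rather than at the domain root. Get-DelegationRules shows the ACEs as the DC stored them, which is the first thing to check when a delegated script still gets Access is denied: an ACE with the wrong InheritedObjectType or with InheritanceType None does not apply to the user objects.
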
    Wired
    Moderator
    #273898

    Re: User Must Change Password at Next Logon Access Denied

    Thanks for the update!
