Disabling a user's ability to change password on Active Directory


Solution 1

I am not a Windows admin, but isn't this exactly the sort of thing that a Group Policy is for? A brief Google search yields http://support.microsoft.com/kb/324744, which seems to do almost exactly what you want. This would be the "set-it-and-forget-it" model.

Also, this VBScript purports to do what you want.

Solution 2

From the documents that you linked:

PASSWD_CANT_CHANGE

Note: You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.

And the property flag descriptions:

PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object.

Or in other words, that specific bit in the bitmask cannot be set, and is returned after calculating the permissions on the user object.

Also linked from that document is http://msdn.microsoft.com/en-us/library/aa746398.aspx, which describes how to programmatically adjust permissions on user objects.

What you're looking to do is deny the SELF pseudo-user access to change the password. The best way to do this would be to configure permissions on an entire OU to restrict password changes. From here, move all of the relevant user objects into this OU and ensure that the user objects are inheriting their permissions from the OU.

If you're having issues with setting the security, ensure that you have Advanced Features enabled in ADUC (View --> Advanced Features).
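The procedure this answer describes (deny SELF the Change Password right at the OU level and let the user objects inherit it), as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory module, a reachable domain controller, and the OU and user names used below; the two GUIDs are the schema's well-known identifiers for the User-Change-Password extended right and for the user object class.

```powershell
# Added example (not the original answer's code). Assumes the RSAT
# ActiveDirectory module and an OU named OU=users,DC=example,DC=com.
Import-Module ActiveDirectory

# Well-known schema GUIDs:
#   User-Change-Password extended right (the "Change Password" permission)
$ChangePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
#   'user' object class, used to scope the inherited ACE to user objects only
$UserClass = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Deny-SelfPasswordChangeOnOU {
    # Adds inherit-only Deny ACEs on the OU so that every user object below it
    # loses the Change Password right. Both SELF and Everyone are denied, which
    # is what ADUC writes when "User cannot change password" is ticked.
    param([Parameter(Mandatory)][string]$OuDN)

    $path = "AD:\$OuDN"
    $acl = Get-Acl -Path $path

    foreach ($sidText in 'S-1-5-10', 'S-1-1-0') {   # SELF, Everyone
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidText
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
            [System.Security.AccessControl.AccessControlType]::Deny,
            $ChangePasswordRight,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $UserClass
        )
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $path -AclObject $acl
}

function Set-UserCannotChangePassword {
    # Per-user alternative: the AD module writes the same two Deny ACEs on the
    # user object itself (no inheritance involved).
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADUser -Identity $SamAccountName -CannotChangePassword $true
}

function Test-UserCannotChangePassword {
    # Shows where the setting actually lives: in the DACL, not in userAccountControl.
    # The 0x40 (PASSWD_CANT_CHANGE) bit is never stored, which is why writing
    # 66112 into the attribute reads back as 66048.
    param([Parameter(Mandatory)][string]$SamAccountName)

    $u = Get-ADUser -Identity $SamAccountName -Properties CannotChangePassword, userAccountControl
    $acl = Get-Acl -Path "AD:\$($u.DistinguishedName)"
    $denies = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $ChangePasswordRight
    })

    [PSCustomObject]@{
        User                   = $u.SamAccountName
        CannotChangePassword   = $u.CannotChangePassword                 # computed from the DACL
        UserAccountControl     = $u.userAccountControl
        HasPasswdCantChangeBit = [bool]($u.userAccountControl -band 0x40) # stays $false
        DenyChangePasswordACEs = ($denies | ForEach-Object {
            "$($_.IdentityReference) (inherited=$($_.IsInherited))"
        }) -join '; '
    }
}

# Usage (assumed OU and user names):
Deny-SelfPasswordChangeOnOU -OuDN 'OU=users,DC=example,DC=com'
Test-UserCannotChangePassword -SamAccountName 'jdoe' | Format-List
```

Denying the Change Password right does not touch Reset Password (User-Force-Change-Password, a separate extended right), so help-desk resets and the provisioning script's own unicodePwd writes keep working. The domain controller checks this DACL on every password-change path (LDAP, Kerberos kpasswd, SAMR, the Ctrl+Alt+Del dialog), so the restriction holds whatever client is used, which is not true of the Group Policy in Solution 1. User objects with inheritance disabled will not pick up the OU-level ACE; Set-UserCannotChangePassword covers those individually.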


Author: NukaRakuForgotEmail

Updated on September 17, 2022

Comments

  • NukaRakuForgotEmail
    NukaRakuForgotEmail over 1 year

    We run a multi-directory environment (AD and OpenLDAP) and perform password synchronization via an internal webapp. This works well because we've disabled users from changing their own password via OpenLDAP and AD could only be accessed by the few services that require AD.

    However, we are now looking into allowing PCs to attach to the AD domain. Initially, I believed that disabling password change for users would be as simple as changing the initial userAccountControl LDAP attribute we assign during account provisioning. This proved to not be as simple as I assumed.

    We currently use Python and python-ldap for account provisioning (code below). Per Microsoft docs, we set userAccountControl to 66048 (Normal account and don't expire password). I tried changing it to 66112 (66048 + Disable user password change) but AD did not retain that value and instead recorded it as 66048.

    Has anyone done something like this before? I'd prefer to accomplish it either by using Python or a set-it-and-forget-it setting on AD.

    FYI: This is what the account provisioning Python code looks like right now:

    import ldap
    
    # server, admin_cn, admin_pass, login, fn, ln, full_name and encoded_password
    # are set by the surrounding provisioning code.
    l = ldap.initialize(server)
    l.simple_bind_s(admin_cn, admin_pass)
    
    attributes = [
        ('displayName', login),
        ('sAMAccountName', login),
        ('cn', login),
        ('givenName', fn),
        ('sn', ln),
        ('name', full_name),
        ('userPrincipalName', '%s@example.com' % login),
        ('objectClass', ['person', 'top', 'organizationalPerson', 'user']),
        # 66048 = NORMAL_ACCOUNT (0x200) + DONT_EXPIRE_PASSWORD (0x10000)
        ('userAccountControl', '66048'), # <--- Line I thought I could change but not working as expected
        # unicodePwd must be the UTF-16LE encoding of the quoted password and
        # can only be written over an LDAPS/TLS connection.
        ('unicodePwd', encoded_password)
    ]
    
    l.add_s(
        'cn=%s,ou=users,dc=example,dc=com' % login,
        attributes,
    )
    
    • NukaRakuForgotEmail
      NukaRakuForgotEmail over 13 years
      The following article might get me started. I will check it out at work on Tuesday. Too bad I cannot offer a bounty on this one heh: msdn.microsoft.com/en-us/library/aa746398.aspx
    • aNullValue
      aNullValue over 13 years
      Were you able to adapt your scripts to accommodate the procedure outlined in your above link?
    • NukaRakuForgotEmail
      NukaRakuForgotEmail over 13 years
      I tested the script on one user and that did work. However, I wanted to see if anyone was aware of a configuration change that would disable password changing by default. Or, a Python solution.
  • Jeff McJunkin
    Jeff McJunkin over 13 years
    The Group Policy mentioned, while useful in some circumstances, only removes the ability to change one's own password from within the Windows GUI. It doesn't remove the ability to do so via scripting or any other method.
  • user2751502
    user2751502 over 13 years
    Huh. Now I've learned something new.