This VBScript program configures a user so they cannot change their own password. The ability to change
the password is a permission that can be granted or denied. To deny this permission, two ACEs
(Access Control Entries) must be set in the discretionary access control list (DACL) of the user
object's security descriptor. One ACE denies the permission to the user and another ACE denies the
permission for the Everyone group. If existing ACEs are found granting permission to change the
password, they are modified to deny permission. If no ACEs are found for changing the password,
they are created and added to the DACL. In either case, the ACEs in the DACL are re-ordered per
Microsoft KB article 269159.
If the client is not Windows 2000 or above, then this program requires that ADsSecurity.dll be
registered on the client. ADsSecurity.dll is part of the ADSI Resource Kit and is installed as part
of the Platform SDK.
This program should work on any 32-bit or 64-bit Windows client that can log onto the domain. Windows NT and
Windows 98/95 clients should have DSClient installed. If DSClient is not installed, they need WSH
and ADSI installed.
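
To confirm the result on a given account, the DACL can be read back and checked for the two deny ACEs described above. The following read-only check is an added example, not part of CannotChgPW.txt; the distinguished name is a placeholder, and the trustee names assume an English-language domain.

```vbscript
Option Explicit

' GUID of the Change Password extended (control access) right.
Const CHANGE_PASSWORD_GUID = "{AB721A53-1E2F-11D0-9819-00AA0040529B}"
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

' Assumption: placeholder DN, replace with a real user object.
Const USER_DN = "cn=Test User,ou=Staff,dc=example,dc=com"

Dim objUser, objSD, objACE, strTrustee
Dim blnSelfDeny, blnEveryoneDeny, blnAllowLeft
blnSelfDeny = False : blnEveryoneDeny = False : blnAllowLeft = False

Set objUser = GetObject("LDAP://" & USER_DN)
Set objSD = objUser.Get("ntSecurityDescriptor")

' Walk the DACL and classify every ACE that targets Change Password.
For Each objACE In objSD.DiscretionaryAcl
    If IsChangePasswordAce(objACE) Then
        strTrustee = UCase(objACE.Trustee)
        If objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT Then
            If strTrustee = "NT AUTHORITY\SELF" Then blnSelfDeny = True
            If strTrustee = "EVERYONE" Then blnEveryoneDeny = True
        ElseIf objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT Then
            ' A leftover grant for either trustee means the setting is incomplete.
            If strTrustee = "NT AUTHORITY\SELF" Or strTrustee = "EVERYONE" Then
                blnAllowLeft = True
            End If
        End If
    End If
Next

If blnSelfDeny And blnEveryoneDeny And Not blnAllowLeft Then
    WScript.Echo "Cannot change password: both deny ACEs present."
Else
    WScript.Echo "Incomplete: SELF deny=" & blnSelfDeny & _
        ", Everyone deny=" & blnEveryoneDeny & ", allow ACE left=" & blnAllowLeft
End If

' True only for object ACEs carrying the Change Password control access right.
Function IsChangePasswordAce(objA)
    IsChangePasswordAce = False
    If (objA.Flags And ADS_FLAG_OBJECT_TYPE_PRESENT) = 0 Then Exit Function
    If (objA.AccessMask And ADS_RIGHT_DS_CONTROL_ACCESS) = 0 Then Exit Function
    IsChangePasswordAce = (UCase(objA.ObjectType) = CHANGE_PASSWORD_GUID)
End Function
```

Run it with cscript.exe under an account that can read the user object's security descriptor; it makes no changes to the directory.
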
CannotChgPW.txt (the program, available to view or download)