VBScript program to configure a user so they can change their own password. The ability to change the password is a permission that can be granted or denied. To grant this permission, two ACE's (Access Control Entries) must be set in the security descriptor discretionary access control list (DACL) of the user object. One ACE grants the permission to the user and another ACE grants the permission for the Everyone group. If existing ACE's are found denying permission to change the password, they are modified to grant permission. If no ACE's are found for changing the password, they are created and added to the DACL. In either case, the ACE's in the DACL are re-ordered per Microsoft KB article 269159.
If the client is not Windows 2000 or above, then this program requires that ADsSecurity.dll be
registered on the client. ADsSecurity.dll is part of the ADSI Resource Kit and is installed as
part of the Platform SDK.
This program should work on any 32 or 64-bit Windows client that can log onto the domain. Windows NT and
Windows 98/95 clients should have DSClient installed. If DSClient is not installed, they need WSH
and ADSI installed.
CanChgPW.txt <<-- Click here to view or download the program