Tony,

When you change that checkbox in ADUC it actually goes to the ACL and adds/removes an ACE with change password permission. And everything you described is 100% correct. There is no feasible way to search for an ACE in ACLs. Sorry.

Vladimir.

-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 3:22 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] User cannot change password

Hi all

I have been trying (in vain) to search the userAccountControl attribute value using a bitwise filter to find users that have the "User cannot change password" flag set. The filter I am using is:

(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=64))

It doesn't appear to work, although a similar filter for "Password never expires" does, e.g.:

(&(objectCategory=Person)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Looking through MSDN I find the following (seemingly contradictory) information:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/ads_user_flag_enum.asp

"ADS_UF_PASSWD_CANT_CHANGE The user cannot change the password. You can read this flag, but you cannot set it directly. For more information, and a code example that shows how to prevent a user from changing the password, see User Cannot Change Password."

This seems to support the idea that it should be possible to search for this setting using the bitwise filter. But the following information suggests that it is not.

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/user_object_user_interface_mapping.asp

This seems to provide the correct information. When I toggle the flag in ADUC there is no corresponding change to the userAccountControl decimal value.

Can anyone clarify this for me?

Tony

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
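
Added example (not from the thread or from Microsoft's documentation): because the setting is stored as ACEs rather than in userAccountControl, an audit has to read each user's security descriptor and inspect it client-side, sketched here in Python over SDDL strings. Assumptions: the descriptor has already been retrieved and converted to SDDL, the function names and sample descriptors are constructed, and the box is treated as ticked only when both Everyone and Self carry an object-deny ACE for the Change Password extended right.

```python
import re

# Well-known rightsGuid of the "Change Password" extended right (User-Change-Password).
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
# SDDL aliases and SID strings for the two trustees of interest.
TRUSTEES = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "PS": "Self", "S-1-5-10": "Self"}
CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, written "CR" in SDDL

def _has_control_access(rights: str) -> bool:
    """Rights are either a hex mask or a run of two-letter SDDL codes."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & CONTROL_ACCESS)
    return "CR" in (rights[i:i + 2] for i in range(0, len(rights), 2))

def denied_change_password(sddl: str) -> set:
    """Return which of Everyone/Self are explicitly denied Change Password."""
    # DACL section: "D:", optional flags such as PAI, then the ACE list.
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    denied = set()
    if not dacl:
        return denied
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # conditional/resource ACEs are out of scope here
        ace_type, _flags, rights, obj_guid, _inh_guid, sid = fields
        if (ace_type == "OD" and obj_guid.lower() == CHANGE_PASSWORD_GUID
                and _has_control_access(rights) and sid in TRUSTEES):
            denied.add(TRUSTEES[sid])
    return denied

def user_cannot_change_password(sddl: str) -> bool:
    # Assumption: the box counts as ticked when both Everyone and Self are denied.
    return denied_change_password(sddl) == {"Everyone", "Self"}

# Constructed sample descriptors (not taken from a real directory).
LOCKED = ("O:DAG:DAD:AI(OD;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
          "(OD;;CR;AB721A53-1E2F-11D0-9819-00AA0040529B;;S-1-5-10)"
          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")
NORMAL = ("O:DAG:DAD:AI(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)")

if __name__ == "__main__":
    for name, sd in (("locked", LOCKED), ("normal", NORMAL)):
        print(name, user_cannot_change_password(sd), sorted(denied_change_password(sd)))
```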