I think the easiest approach would be to write a script that walks
through all your user accounts and clears the never expire bit if it is
set. Schedule it to run every night.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tomasz Onyszko
Sent: Tuesday, September 28, 2004 10:37 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] How to take away the password never expirers
check box right?


On Tue, 28 Sep 2004 10:17:27 -0500, Centenni, Jason wrote
> Ok, first time poster long time lurker.
Welcome - almost the same I am :)
 
> How do I make it so an OU admin (Each OU has a group acl'd to full 
> control of user objects/computer objects etc inside that OU) so that 
> they can't check the Password never expires check box?
> 
> I would like if possible to JUST take away the right for them to use 
> that check box in the MMC.

This can be tough - this property is stored in the useraccountcontrol
property of the user and to achieve Your goal You should place proper
ACLs on this property. But useraccountcontrol is responsible for a few
more items: http://www.jsiinc.com/SUBL/tip5500/rh5504.htm

and you can't set the ACLs only for one of them. 

To get rid of only the GUI element from ADU&C MMC You will have to make
Your own version of the DLL in which this dialog is defined.


-- 
Tomasz Onyszko - [EMAIL PROTECTED]
http://www.w2k.pl

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
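
The nightly script suggested in the top reply, as an added example that is not part of the original thread: it finds users with the "password never expires" bit set in userAccountControl and clears only that bit, leaving the other flags stored in the same attribute untouched. The OU, the exemption group, the log path and the `-Apply` switch are assumptions made for illustration.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module.
param(
    [string]$SearchBase  = 'OU=Staff,DC=example,DC=com',  # placeholder OU
    [string]$ExemptGroup = 'PwdNeverExpires-Exempt',      # hypothetical exemption group
    [string]$LogPath     = '.\never-expire-cleanup.csv',  # hypothetical log file
    [switch]$Apply                                        # without -Apply: report only
)
Import-Module ActiveDirectory

$DONT_EXPIRE_PASSWD = 0x10000   # "password never expires" bit in userAccountControl

# Accounts (e.g. approved service accounts) that are allowed to keep the flag.
$exempt = @(Get-ADGroupMember -Identity $ExemptGroup -Recursive |
            Select-Object -ExpandProperty distinguishedName)

# Bitwise-AND matching rule: the DC returns only users that have the bit set.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWD))"

$users = Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase `
                    -Properties userAccountControl, PasswordLastSet

$results = @(foreach ($u in $users) {
    $old = [int]$u.userAccountControl
    $new = $old -band (-bnot $DONT_EXPIRE_PASSWD)   # clear one bit, keep the rest
    $action = 'ReportedOnly'
    if ($exempt -contains $u.DistinguishedName) {
        $action = 'Exempt'
    } elseif ($Apply) {
        Set-ADUser -Identity $u -Replace @{ userAccountControl = $new }
        $action = 'Cleared'
    }
    # One log row per flagged account, so a re-set flag shows up night after night.
    [pscustomobject]@{
        When            = (Get-Date).ToString('s')
        Account         = $u.SamAccountName
        PasswordLastSet = $u.PasswordLastSet
        OldUAC          = '0x{0:X}' -f $old
        NewUAC          = '0x{0:X}' -f $new
        Action          = $action
    }
})
$results | Export-Csv -Path $LogPath -NoTypeInformation -Append
```

Clearing the bit on an account whose password is already older than the domain's maximum password age makes that password expired at the next logon, so run it without `-Apply` first and review the `PasswordLastSet` column.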
