Get all users that cannot change their password - Shay Levy

Shay Levy

If you repeat it, PowerShell it!


Get all users that cannot change their password


Earlier today a colleague of mine asked me for a script solution:

"I want to get all users that cannot change their password from Active Directory but I can't find any attribute on the user account with that info."

Correct, there is no such attribute. When the 'User cannot change password' account option is set on a user account, two Deny Access Control Entries (ACEs) for the 'Change Password' extended right are added to the security descriptor of the account in question:

1. Deny for the user account (SELF)
2. Deny for everyone else (Everyone built-in group)


To see the ACEs, open the user's properties, go to the 'Security' tab and then click the 'Advanced' button:


With Quest AD Cmdlets you can get all users that cannot change their password from your Active Directory domain with a simple one-liner. Let's start by querying just one user:

PS > Get-QADPermission -Identity user1 -Deny -ExtendedRight User-Change-Password `
-Account everyone,self

Permissions for: domain/TEST/Users/User1

Ctrl Account           Rights          Source        AppliesTo
---- -------           ------          ------        ---------
Deny Everyone          Change Password Not inherited This object only
Deny NT AUTHORITY\SELF Change Password Not inherited This object only

WARNING: Only explicit permissions were displayed. To display inherited and AD
default permissions use -Inherited and -SchemaDefault switches respectively.


As you can see, neither User1 itself (SELF) nor members of the 'Everyone' group can change the password. Notice that we also get a yellow warning; we can suppress warnings by adding the -WarningAction parameter with a value of SilentlyContinue (currently, we cannot suppress the green 'Permissions for' message).

To get all users we start by asking Get-QADUser for ALL (-SizeLimit 0) enabled user accounts (-Enabled), and then we filter the results by calling the same Get-QADPermission command we executed above inside Where-Object, only now we replace the fixed user identity (User1) with the current pipeline object ($_):

Get-QADUser -Enabled -SizeLimit 0 | Where-Object { Get-QADPermission -Identity $_ -Deny -ExtendedRight User-Change-Password -Account everyone,self -WarningAction SilentlyContinue }
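The same check can be done without the Quest cmdlets by reading each user's security descriptor directly and looking for the two Deny ACEs described above. This is an added example, not code from the post; it uses plain ADSI, assumes a domain-joined machine with read access to the users' DACLs, and relies on the well-known GUID of the User-Change-Password extended right and the well-known SIDs of Everyone and SELF.

```powershell
# Added example (not from the post): find 'User cannot change password' accounts
# by inspecting each user's DACL with ADSI instead of Get-QADPermission.
# Assumes a domain-joined machine and read access to the objects' security descriptors.

# The User-Change-Password extended right (rightsGuid in the AD schema) and the two
# trustees that receive a Deny ACE when the checkbox is ticked in ADUC.
$ChangePasswordRight = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$EveryoneSid = 'S-1-1-0'   # Everyone
$SelfSid     = 'S-1-5-10'  # NT AUTHORITY\SELF

function Test-CannotChangePassword {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    # Explicit (non-inherited) rules only, resolved to SIDs so localized group
    # names do not matter; this mirrors the 'Not inherited' rows in the post.
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])

    $deniedTo = foreach ($r in $rules) {
        if ($r.AccessControlType -eq 'Deny' -and
            $r.ObjectType -eq $ChangePasswordRight -and
            ($r.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) {
            $r.IdentityReference.Value
        }
    }
    # Both Deny ACEs present means the account option is set.
    ($deniedTo -contains $EveryoneSid) -and ($deniedTo -contains $SelfSid)
}

function Get-EnabledUserDn {
    # Enabled user accounts: userAccountControl bit 2 (ACCOUNTDISABLE) is clear.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    $searcher.PageSize = 1000   # paged results: no server-side size limit, like -SizeLimit 0
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    foreach ($result in $searcher.FindAll()) { $result.Properties['distinguishedname'][0] }
}

# Users that cannot change their password; wrap the test in -not for the opposite list.
Get-EnabledUserDn | Where-Object { Test-CannotChangePassword -DistinguishedName $_ }
```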


EDIT: See the comments below if you get an error for the -WarningAction parameter.


Comments

Rory Schmitz said:

Hi Shay,

Just testing one account similar to your 'User1' example, I receive the following:

[PS] C:\Windows\System32>Get-QADPermission -Identity username -Deny -ExtendedRight User-Change-Password -Account everyone,self

WARNING: Only explicit permissions were displayed. To display inherited and AD default permissions use -Inherited and -SchemaDefault switches respectively.

I do not see any results, maybe this is normal?

Also, when running the last command in your article, I receive the following error:

Get-QADPermission : A parameter cannot be found that matches parameter name 'WarningAction'.
At line:1 char:162
+ Get-QADUser -Enabled -SizeLimit 0 | Where-Object { Get-QADPermission -Identity $_ -Deny -ExtendedRight User-Change-Password -Account everyone,self -WarningAction  <<<< SilentlyContinue }

Maybe I just have an older version of the QAD cmdlets installed. Any thoughts on why I cannot retrieve the information?

# July 7, 2009 5:11 PM

ScriptFanatic said:

Thanks for the input!

If you don't get any output then the user object is not marked with 'User cannot change password', and is evaluated to $false in Where-Object.

As for -WarningAction, I've tested the command in Windows 7 (PowerShell CTP3). In PowerShell v1 you can set the global variable $WarningPreference (its default value is 'Continue') and set it back after you run the command:

PS > $WarningPreference='SilentlyContinue'
PS > Get-QADUser -Enabled -SizeLimit 0 ...
PS > $WarningPreference='Continue'

# July 8, 2009 10:07 AM


Garan said:

Shay,

Thank you for this example.  It was tremendously helpful.

# June 20, 2011 6:49 PM

Admin said:

This may sound funny but I need to get the opposite list I need to know who the users are that can change their passwords. We have a separate AD setup for an Application and that application currently controls the passwords and we do not want the users to be able to change the passwords on the desktops because it would then be out of sync with the application.

# September 30, 2011 9:06 PM

ScriptFanatic said:

Does this give you the answer?

Get-QADUser -Enabled -SizeLimit 0 | Where-Object { -not( Get-QADPermission -Identity $_ -Deny -ExtendedRight User-Change-Password -Account everyone,self -WarningAction SilentlyContinue) }

# October 2, 2011 1:25 PM

Amanda D. said:

Excellent - this was precisely what I needed! I was about to go around the bend trying to find the right flags to test against like you can for all the other checkboxes, and then messing around trying to get anything out of nTSecurityDescriptor.

# January 25, 2012 12:54 PM

Paul D said:

Is there any way to not show the 'Permissions for' line that always appears?

# April 20, 2012 5:40 PM

ScriptFanatic said:

As far as I know you cannot. I have complained about it in the past and suggested that they remove the message or write it using WriteVerbose calls instead of just writing it to the host.

# April 20, 2012 6:55 PM

Paul D said:

Thanks for the quick reply - a pity about that!

I am using a fantastic iPhone app (also an Android + WM7 app as well), with the PowerShell plugin, to provide extra functionality for the app (I have coded 100+ now from examples out on the internet). Will try a bit later with your code here, to see what I can do with this line (or not).

Oh yes, the app is named PC Monitor (http://www.mobilepcmonitor.com)

# April 22, 2012 10:19 PM

ScriptFanatic said:

Thanks for the link @Paul, very nice application!

# April 25, 2012 11:14 AM