How to uncheck Password cannot change Flag in ActiveDirectory

**srihari.kilari** · 03-07-2007

Hi All,
I am working with Active Directory in C#. I want to reset the password and set the User must change the password at next logon. I did it.
It working fine.

But "User cannot change Password " is set when user is created,
User must change the password at next logon is not working.

So i want to uncheck the flag "User cannot change Password ". How to do it?

Plaese tell me if anybody knows

Thanks in Advance
Srihari

**Andrzejewski** · 03-07-2007

Usually i dont do coding in C#, but still i gave a try for you. Remember that you may need to modify the appropriate bit of the userAccountControl attribute in this. You XOR the current value with the bit mask ADS_UF_PASSWD_CANT_CHANGE to toggle the bit off. In VBScript:

===========
' Bit mask for "Password cannot change"
Const ADS_UF_PASSWD_CANT_CHANGE = &H40

' Bind to user object.
Set objUser = GetObject("LDAP://cn=Jim Smith,ou=Sales,dc=MyDomain,dc=com")

' Retrieve value of userAccountControl attribute.
lngFlag = objUser.userAccountControl

' Check if "Password cannot change" bit is set.
If (lngFlag AND ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
' Toggle the bit to turn it off.
lngFlag = lngFlag XOR ADS_UF_PASSWD_CANT_CHANGE
' Save changes.
objUser.SetInfo
End If
============

**srihari.kilari** · 06-07-2007

Hi Richard Mueller,

Thanks for your reply.

Programmatically i did the following way.
I read the userAccessControl Value for a particular user, it is showing 512.
I did the XOR operation with &H40, It gave me 576.
I tried to set the value of userAccessControl to 576 and commit the changes.
It is not un-checking the "User Can't change password" flag.

I also tried in the following way(manually).

I went to ADSIEdit.msc and saw the Initial value of UserAccessControl is 512for the particular user. and I manually set the value of userAccessControl to 576 for that user and click apply.
And i agian saw the value of userAccessControl to that user. but it is is showing only the older value(that is 512) .

Finally i came to know that the value 576 is not setting for UserAccessControl.

Can you tell me what i made wrong?

Thanks And Regards
Srihari

**srihari.kilari** · 06-07-2007

Sorry Richard Mueller, i wrote UserAccessControl instead of UserAccount Control in the above post.

Following way is the correct one.

Programmatically i did the following way.
I read the userAccountControl Value for a particular user, it is showing 512.
I did the XOR operation with &H40, It gave me 576.
I tried to set the value of userAccountControl to 576 and commit the changes.
It is not un-checking the "User Can't change password" flag.

I also tried in the following way(manually).

I went to ADSIEdit.msc and saw the Initial value of userAccountControl is 512for the particular user. and I manually set the value of userAccountControl to 576 for that user and click apply.
And i agian saw the value of userAccountControl to that user. but it is is showing only the older value(that is 512) .

Finally i came to know that the value 576 is not setting for userAccountControl .

Can you tell me what i made wrong?

Thanks And Regards
Srihari

**carbooter** · 22-11-2009

Only 2 years later -
I also find the userAccountControl is 512 so &40 is not set even when 'user cannot change password' is set.
I came across 'http://www.activeexperts.com/activmonitor/windowsmanagement/adminscripts/usersgroups/users/#DisableUserCannotChPwd.htm which gives a vbscript which seems to work for one user. I'll try to adapt it for multiple users.