You want to disable a user's ability to change his password.
Open the Active Directory Users and Computers snap-in.
In the left pane, right-click on the domain and select Find.
Select the appropriate domain beside In.
Beside Name, type the name of the user you want to modify and click Find Now.
In the Search Results, double-click on the user.
Click the Account tab.
Under Account options, check the box beside User cannot change password.
Click OK.
> dsmod user <UserDN> -canchpwd no
' This code disables a user's ability to change password ' ------ SCRIPT CONFIGURATION ------ strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com ' ------ END CONFIGURATION --------- Const ACETYPE_ACCESS_DENIED_OBJECT = 6 Const ACEFLAG_OBJECT_TYPE_PRESENT = 1 Const RIGHT_DS_CONTROL_ACCESS = 256 Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}" set objUser = GetObject("LDAP://" & strUserDN) set objSD = objUser.Get("ntSecurityDescriptor") set objDACL = objSD.DiscretionaryAcl ' Add a deny ACE for Everyone set objACE = CreateObject("AccessControlEntry") objACE.Trustee = "Everyone" objACE.AceFlags = 0 objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT objACE.ObjectType = CHANGE_PASSWORD_GUID objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS objDACL.AddAce objACE ' Add a deny ACE for Self set objACE = CreateObject("AccessControlEntry") objACE.Trustee = "Self" objACE.AceFlags = 0 objACE.AceType = ACETYPE_ACCESS_DENIED_OBJECT objACE.Flags = ACEFLAG_OBJECT_TYPE_PRESENT objACE.ObjectType = CHANGE_PASSWORD_GUID objACE.AccessMask = RIGHT_DS_CONTROL_ACCESS objDACL.AddAce objACE objSD.DiscretionaryAcl = objDACL objUser.Put "nTSecurityDescriptor", objSD objUser.SetInfo WScript.Echo "Enabled no password changing for " & strUserDN
Even though in the GUI solution you check and uncheck the "User cannot change password" setting, actually making the change in Active Directory is a little more complicated as is evident in the VBScript solution. Not allowing a user to change her password consists of setting two deny Change Password ACEs on the target user object. One deny ACE is for the Everyone account and the other is for Self.
The VBScript solution should work as is, but it is not very robust in terms of checking to see if the ACEs already exist and making sure they are in the proper order. If you need to make the code more robust, I suggest checking out MS KB 269159 for more information on setting ACEs properly.
MS KB 269159 (HOWTO: Use Visual Basic and ADsSecurity.dll to Properly Order ACEs in an ACL)