| Author | Messages | |
ananthrg
Posts:20
 | | 02/17/2009 8:48 AM |
| Hi, We have some new users joining our domain. Our method is we create the user names and give "blank" passwords and set "user must change password at first login". We have password policies also.
After all these users have logged in for the first time, we want to disallow users from changing the password; for that we need to enable "user cannot change password" from user properties.
Our question is: is it possible to do it through GPO? Is there any script or setting for it? We want to enable "user cannot change password" after a user has logged into the domain for the first time and changed his password.
Thanks and regards Ananth.
| | | |
| Darren
Posts:103
 | | 02/17/2009 9:48 AM |
| Ananth-
In general password policy on user objects can't be modified via Group Policy. You will need to create a script of some kind to do this. I would suggest checking out the Microsoft TechNet Scripting Center on technet.microsoft.com. They have a bunch of examples of modifying user account properties in AD using scripts in various languages. You might also want to check out admod.exe at joeware.net, which is a command-line tool for modifying AD objects.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Ananth Rajagopal
Sent: Tuesday, February 17, 2009 2:52 AM
To: xxxxxxxxxxxxxxxx
Subject: [gptalk] Enable "User cannot change password" after first login
| | | |
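One way to script what Darren describes, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available and that the new accounts sit in one OU; the function name and the OU path are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Function name and OU are hypothetical.
function Set-CannotChangePasswordAfterFirstChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$SearchBase   # OU that holds the newly provisioned accounts
    )

    # pwdLastSet stays 0 while "User must change password at next logon" is
    # set. After the user picks a password it holds a timestamp, so
    # (pwdLastSet>=1) selects accounts that completed the first change.
    # Assumption: every account in this OU was created with that flag set.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet>=1))'

    $candidates = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
        -Properties CannotChangePassword, PasswordLastSet |
        Where-Object { -not $_.CannotChangePassword }

    foreach ($user in $candidates) {
        $applied = $false
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName,
                                    'Set "User cannot change password"')) {
            # In AD the check box is not a writable userAccountControl bit;
            # Set-ADUser applies it as deny ACEs on the Change Password
            # extended right of the user object.
            Set-ADUser -Identity $user -CannotChangePassword $true
            $applied = $true
        }
        # One record per account, suitable for a change log.
        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            PasswordLastSet = $user.PasswordLastSet
            Applied         = $applied
        }
    }
}

# Dry run against a placeholder OU; remove -WhatIf to apply the change.
Set-CannotChangePasswordAfterFirstChange `
    -SearchBase 'OU=NewUsers,DC=example,DC=com' -WhatIf
```

Run on a schedule, it picks up only accounts that have not been processed yet, because accounts that already carry the setting are filtered out.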
| Darren
Posts:103
 | | 02/17/2009 10:02 AM |
| Sorry, I meant to say "account properties" rather than "password policy" below.
Darren
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia
Sent: Tuesday, February 17, 2009 6:42 AM
To: xxxxxxxxxxxxxxxx
Subject: RE: [gptalk] Enable "User cannot change password" after first login
| | | |
| ananthrg
Posts:20
 | | 02/17/2009 11:36 AM |
| Thanks Darren. You've always been kind enough to help, we will check technet and once we implement we will inform.
regards Ananth.
| | | |
| gollum123
Posts:0
 | | 02/17/2009 11:52 AM |
| Hello,
Apart from technically changing the AD attribute, blocking users from changing their password lowers your security level. Over time, users tend to exchange their passwords, so keeping it always the same gives people access with others' accounts for the long term.
-- Cordialement, Mathieu CHATEAU French blog: http://www.lotp.fr English blog: http://lordoftheping.blogspot.com
| | | |