Tuesday, March 31, 2009

some more user account control AD

http://rmanimaran.wordpress.com/2008/07/08/activedirectory-useraccountcontrol-flag/
' Bit mask for "Password cannot change"
Const ADS_UF_PASSWD_CANT_CHANGE = &H40

' Bind to user object.
Set objUser = GetObject("LDAP://cn=Jim Smith,ou=Sales,dc=MyDomain,dc=com")

' Retrieve value of userAccountControl attribute.
lngFlag = objUser.userAccountControl

' Check if "Password cannot change" bit is set.
If (lngFlag And ADS_UF_PASSWD_CANT_CHANGE) <> 0 Then
    ' Toggle the bit to turn it off.
    lngFlag = lngFlag Xor ADS_UF_PASSWD_CANT_CHANGE
    ' Write the new value back to the object; without this step
    ' SetInfo has no change to save.
    objUser.Put "userAccountControl", lngFlag
    ' Save changes.
    objUser.SetInfo
End If
============
You AND the value of userAccountControl with the bit mask to test whether the
bit is set. Any non-zero result means the bit is set. Zero means the bit is not
set. You OR the value of userAccountControl with the bit mask to set the
bit. You XOR userAccountControl with the bit mask to toggle the bit, which
is the only way to turn it off.

Note, there is also a bit of userAccountControl for "Don't expire password".
The bit mask is &H10000. Also, you can remove permissions for the user to
change their password. The code to restore these permissions is more
complex.
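
The mask operations described above, applied to a small audit of accounts, as an added example that is not part of the original post. The account names and userAccountControl values are constructed; the two masks are the ones the post gives, and turn_off follows the post's test-then-XOR pattern.

```python
# Added example: decode and adjust userAccountControl values with bit masks.
ADS_UF_PASSWD_CANT_CHANGE = 0x40      # "Password cannot change" (from the post)
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Don't expire password" (from the post)

WATCHED = {
    "PASSWD_CANT_CHANGE": ADS_UF_PASSWD_CANT_CHANGE,
    "DONT_EXPIRE_PASSWD": ADS_UF_DONT_EXPIRE_PASSWD,
}

# Constructed sample data: account name -> userAccountControl value.
SAMPLE = {
    "jsmith": 0x200,
    "svc-backup": 0x10200,
    "kiosk": 0x240,
    "legacy": 0x10240,
}

def is_set(uac, mask):
    """AND with the mask: a non-zero result means the bit is set."""
    return (uac & mask) != 0

def set_bit(uac, mask):
    """OR with the mask: sets the bit and leaves every other bit alone."""
    return uac | mask

def turn_off(uac, mask):
    """Test first, then XOR, as the post's script does.
    An unguarded XOR on a value whose bit is already clear would set it."""
    return uac ^ mask if is_set(uac, mask) else uac

def audit(accounts):
    """Return {name: [watched flag names]} for accounts with a watched bit set."""
    findings = {}
    for name, uac in accounts.items():
        flags = [label for label, mask in WATCHED.items() if is_set(uac, mask)]
        if flags:
            findings[name] = flags
    return findings

if __name__ == "__main__":
    for name, flags in audit(SAMPLE).items():
        print(f"{name}: {', '.join(flags)}")
    print(hex(turn_off(SAMPLE["svc-backup"], ADS_UF_DONT_EXPIRE_PASSWD)))
```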
