Using userAccountControl to set *both* PASSWD_CANT_CHANGE and DONT_EXPIRE_PASSWORD

I know how to use one or the other, but how can I achieve both?
Dallas SmetterSolution EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Contigo1Commented:
You should be able to set both in AD users and computers by right clicking on the user going to properties > Account

Then selecting the User cannot change password and Password never expires settings.
0
Steven CarnahanNetwork ManagerCommented:
I think this may be what you are asking for:

const int UF_PASSWD_CANT_CHANGE = 0x0040;
const int UF_DONT_EXPIRE_PASSWD = 0x10000;

int userControlFlags = UF_PASSWD_NOTREQD + UF_DONT_EXPIRE_PASSWD;

newUser.Properties["userAccountControl"].Value = userControlFlags;

Open in new window

0
Dallas SmetterSolution EngineerAuthor Commented:
I need to do this for nearly a quarter million users, so I can't do it manually.

I'll try pony10us's suggestion and post back.

Thanks!
0
Top Threats of Q1 & How to Defend Against Them

WEBINAR: Join WatchGuard CTO and our Threat Research Team on Aug. 2nd to hear the findings from our Q1 Internet Security Report! Learn more about the top threats detected in the first quarter and how you can defend your business against them!

footechCommented:
Here's a PowerShell method using the MS AD cmdlets.  It would find all user accounts and then the set the properties.  If you want to limit which accounts it is set for then you would need to modify the parameters of the Get-ADUser command.
Import-Module ActiveDirectory
Get-ADUser -filter * | Set-ADUser -CannotChangePassword $true -PasswordNeverExpires $true

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SubsunCommented:
If you have Win2008 R2 DC then you can use Set-ADUser command..

For single user..
Set-ADUser Subsun -CannotChangePassword $true -PasswordNeverExpires $true

Open in new window


You can set on bulk users.but it depends on the input the code varies. If you have a list of user sAMAccountName’s in a text file then you can try..
GC C:\user.txt | Set-ADUser -CannotChangePassword $true -PasswordNeverExpires $true

Open in new window

0
Dallas SmetterSolution EngineerAuthor Commented:
And we can also, in this situation, use the userAccountControl setting to ensure that student passwords never expire while applying a GPO so that it can't be changed ;-)
0
Steven CarnahanNetwork ManagerCommented:
Just for reference using what I provided you have many other settings available but I only gave you the ones you requested.  Here are the most common settings:

const int UF_ACCOUNTDISABLE = 0x0002;
const int UF_PASSWD_NOTREQD = 0x0020;
const int UF_PASSWD_CANT_CHANGE = 0x0040;
const int UF_NORMAL_ACCOUNT = 0x0200;
const int UF_DONT_EXPIRE_PASSWD = 0x10000;
const int UF_SMARTCARD_REQUIRED = 0x40000;
const int UF_PASSWORD_EXPIRED = 0x800000;

all you have to do is add the ones you want to this line:

int userControlFlags = UF_PASSWD_NOTREQD + UF_DONT_EXPIRE_PASSWD;
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.