Hi i m looking for a command / script to set user "User cannot change password" attribute in Samba AD DC (currently 4.3.11-Ubuntu) like from aduc found https://groups.google.com/forum/#!topic/linux.samba/86cB1X8c-1c and https://lists.samba.org/archive/samba/2013-August/175185.html but no solution provided the UserAccountControl flag "PASSWD_CANT_CHANGE" can not be set via ldap and there is no sambatool useer subcommand to do this... do you think there is a solution?
Mandi! Arnaud FLORENT via samba In chel di` si favelave...> the UserAccountControl flag "PASSWD_CANT_CHANGE" can not be set via ldapNo, it is not true. You have 'simply'' to OR 0x00010000 userAccountControl attribute, eg: userAccountControl = userAccountControl || 0x00010000 look at: https://msdn.microsoft.com/en-us/library/ms680832 -- dott. Marco Gaiarin GNUPG Key ID: 240A3D66 Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/ Polo FVG - Via della Bontà , 7 - 33078 - San Vito al Tagliamento (PN) marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797 Dona il 5 PER MILLE a LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (cf 00307430132, categoria ONLUS oppure RICERCA SANITARIA)
On Tue, 16 Jan 2018 16:21:31 +0100 Marco Gaiarin via samba <samba at lists.samba.org> wrote:> Mandi! Arnaud FLORENT via samba > In chel di` si favelave... > > > the UserAccountControl flag "PASSWD_CANT_CHANGE" can not be set via > > ldap > > No, it is not true. You have 'simply'' to OR 0x00010000 > userAccountControl attribute, eg: > > userAccountControl = userAccountControl || 0x00010000 > > look at: > > https://msdn.microsoft.com/en-us/library/ms680832 >You cannot stop the user from changing their password by setting userAccountControl, you need to deny them permission to their object in AD. Rowland