How to Set User Cannot Change Password Flag in Active Directory

Hi Experts

As part of service account creation, we have a requirement to set the User Cannot Change Password flag in AD, but I don't see any direct attribute to set it using the provisioning plan. I tried running an After Create script with the command below, but it didn't work:
Set-ADUser -Identity $ServiceAccount -CannotChangePassword $true
Has anyone already worked on this use case? Can you please provide a solution if you were able to do this? This is really urgent; any help would be really great.

Hi @sathishiam,

You can set it in the provisioning form on userAccountControl, with the active status plus 64. For example, if you have a user with UAC = 512, the corresponding active normal user with no password change is 576.


In every case you must be sure the permission permits this operation.
On these pages you can find all that you need:

@enistri_devo

As it's already mentioned in the doc, User Account Control cannot be used for this purpose as per the documentation.

@sathishiam
Call the PowerShell command below from your native rules, or from a rule triggering this in your flow; this will resolve the issue.

Set-ADUser -Identity $sAMAccoutName -CannotChangePassword $true

$sAMAccoutName: pass your sAMAccountName here.

1 Like
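A way to confirm that the Set-ADUser call discussed in this thread actually took effect, as an added example that is not part of the original posts: it applies the flag, then reads back the CannotChangePassword property, userAccountControl, and the deny entries on the account's ACL. The function name and the account name 'svc_example' are placeholders, and the script assumes the RSAT ActiveDirectory module plus rights to modify the account's permissions.

```powershell
# Added example, not code from the thread. 'svc_example' is a placeholder account.
Import-Module ActiveDirectory

function Set-CannotChangePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SamAccountName
    )

    # Rights GUID of the "Change Password" (User-Change-Password) extended right.
    $changePwdGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

    # -ErrorAction Stop makes a failure terminate the provisioning script
    # instead of being logged and skipped.
    Set-ADUser -Identity $SamAccountName -CannotChangePassword $true -ErrorAction Stop

    # Read the account back, including its security descriptor.
    $user = Get-ADUser -Identity $SamAccountName -ErrorAction Stop `
        -Properties CannotChangePassword, userAccountControl, nTSecurityDescriptor

    # The setting is stored as deny entries for the Change Password right
    # on the account object, so list who is denied.
    $denyAces = $user.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $changePwdGuid
    }

    [pscustomobject]@{
        SamAccountName       = $user.SamAccountName
        CannotChangePassword = $user.CannotChangePassword
        UserAccountControl   = $user.userAccountControl
        DenyChangePwdFor     = ($denyAces.IdentityReference.Value |
                                Sort-Object -Unique) -join ', '
    }
}

$result = Set-CannotChangePassword -SamAccountName 'svc_example'
$result | Format-List

# Fail loudly if the flag did not stick (for example, missing ACL permissions).
if (-not $result.CannotChangePassword) {
    throw "CannotChangePassword was not applied to $($result.SamAccountName)"
}
```

If the After Create script runs under an account that cannot modify permissions on the new object, the terminating error from Set-ADUser is the first thing to look for in the script's output.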
