User Must Change Password at Next Logon Access Denied


  • nelks
    Member
    #152330

    Hello all. I wrote a script which has a subroutine to automate the creation of user accounts during a domain join process and I am having trouble applying a particular setting. Basically, I need to create the user object on a particular DC while using a particular account. The domain is a 2008 domain. I am doing the creation via the following code:

    [CODE]
    ' Bind to the target OU on the chosen DC with explicit credentials
    Set objLDAP = GetObject("LDAP:")
    Set objOU = objLDAP.OpenDSObject("LDAP://" & strDC & "/" & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    ' Create the user object and commit it to the directory
    Set objUser = objOU.Create("User", "CN=USER1")
    objUser.Put "sAMAccountName", "USER1"
    objUser.SetInfo
    [/CODE]

    I know this particular item has variables listed and they are all defined properly in the actual script. Furthermore the code above works just fine and creates the account as expected. Where I am having the problem is when I try to uncheck the “User Must Change Password at Next Logon” box. From what I have researched, I have found two ways to change this setting, which are:

    [CODE]
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    [/CODE]

    or

    [CODE]
    objUser.Put "pwdLastSet", CLng(-1)
    objUser.SetInfo
    [/CODE]

    That said, I added the following section after the account creation.

    [CODE]
    ' Re-bind directly to the new user object, then update pwdLastSet
    Set objUser = objLDAP.OpenDSObject("LDAP://" & strDC & "/CN=USER1," & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    [/CODE]

    However, no matter which of the two methods I try, this setting does not change. Instead, I get the following error after entering the pwdLastSet value:

    error # -2147022651

    and this error after attempting to SetInfo:

    error # -2147024891: Access is Denied

    I have permissioned the user account creating the objects the “create user objects” and “read/write all properties” permissions to the target OU on this object and all descending objects, but still am unsuccessful. I have also tried giving the user account full control of the OU and also given the specific “read/write pwdLastSet” permission. In both instances I get the same result.

    This is the only setting I cannot get to work and I am a bit baffled as to why it continuously fails. If anyone can help, I would greatly appreciate it.
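
Added example (not part of the original post): a VBScript helper that splits the two signed decimal error numbers quoted above into their HRESULT fields. Both carry FACILITY_WIN32 (7), so the low word is a plain Win32 error number; the function name and the two-entry lookup are constructed for illustration.

```vbscript
Option Explicit

' Added example: split a signed 32-bit HRESULT, as reported in Err.Number,
' into its facility and code fields.
Function DecodeHResult(lngErr)
    Dim lngFacility, lngCode, strMeaning
    lngFacility = (lngErr And &H7FF0000) \ 65536   ' bits 16-26
    lngCode = lngErr And 65535                     ' bits 0-15

    If lngErr < 0 And lngFacility = 7 Then
        ' FACILITY_WIN32: the low word is a Win32 error number
        Select Case lngCode
            Case 5:    strMeaning = "ERROR_ACCESS_DENIED"
            Case 2245: strMeaning = "NERR_PasswordTooShort (password policy not met)"
            Case Else: strMeaning = "look up with: net helpmsg " & lngCode
        End Select
        strMeaning = "Win32 " & lngCode & " = " & strMeaning
    Else
        strMeaning = "not a wrapped Win32 error"
    End If

    DecodeHResult = lngErr & " = 0x" & Hex(lngErr) & ", facility " & _
                    lngFacility & ", " & strMeaning
End Function

' The two values quoted in the post
Dim varErr
For Each varErr In Array(-2147022651, -2147024891)
    WScript.Echo DecodeHResult(varErr)
Next
```

Run it with `cscript //nologo`; the same decoding applies to any other negative `Err.Number` an ADSI call returns.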
