
User Must Change Password at Next Logon Access Denied


    nelks
    Member
    #152330

    Hello all. I wrote a script which has a subroutine to automate the creation of user accounts during a domain join process, and I am having trouble applying a particular setting. Basically, I need to create the user object on a particular DC while using a particular account. The domain is a 2008 domain. I am doing the creation via the following code:

    [CODE]
    ' Bind to the target OU on a specific DC with explicit credentials
    Set objLDAP = GetObject("LDAP:")
    Set objOU = objLDAP.OpenDSObject("LDAP://" & strDC & "/" & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    ' Create the user object and commit it to the directory
    Set objUser = objOU.Create("User", "CN=USER1")
    objUser.Put "sAMAccountName", "USER1"
    objUser.SetInfo
    [/CODE]

    I know this particular item has variables listed and they are all defined properly in the actual script. Furthermore, the code above works just fine and creates the account as expected. Where I am having the problem is when I try to uncheck the “User Must Change Password at Next Logon” box. From what I have researched, I have found two ways to change this setting, which are:

    [CODE]
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    [/CODE]

    or

    [CODE]
    objUser.Put "pwdLastSet", CLng(-1)
    objUser.SetInfo
    [/CODE]

    That said, I added the following section after the account creation.

    [CODE]
    ' Re-bind to the newly created user on the same DC, then write pwdLastSet
    Set objUser = objLDAP.OpenDSObject("LDAP://" & strDC & "/CN=USER1," & strAutoOU, strUsername & strUPN, strPassword, ADS_SECURE_AUTHENTICATION)
    objUser.Put "pwdLastSet", -1
    objUser.SetInfo
    [/CODE]

    However, no matter which of the two methods I try, this setting does not change. Instead, I get the following error after entering the pwdLastSet value:

    error # -2147022651

    and this error after attempting to SetInfo:

    error # -2147024891: Access is Denied

    I have permissioned the user account creating the objects with the “create user objects” and “read/write all properties” permissions to the target OU on this object and all descending objects, but still am unsuccessful. I have also tried giving the user account full control of the OU and also given the specific “read/write pwdLastSet” permission. In both instances I get the same result.

    This is the only setting I cannot get to work and I am a bit baffled as to why it continuously fails. If anyone can help, I would greatly appreciate it.
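Added example, not part of the original post: the two signed `Err.Number` values quoted above are HRESULTs, and this sketch splits them into facility and code and shows a per-step check so that each error is attributed to the call that raised it. `DescribeHResult` and `StepFailed` are hypothetical helper names; the ADSI calls in the trailing comment are the post's own.

```vbscript
' Added example, not from the original post. DescribeHResult and StepFailed
' are hypothetical helper names.
Option Explicit

' Split a signed 32-bit Err.Number into the HRESULT fields it encodes.
Function DescribeHResult(lngErr)
    Dim lngFacility, lngCode, strText
    lngFacility = (lngErr And &H7FF0000) \ &H10000   ' bits 16-26
    lngCode = lngErr And 65535                        ' bits 0-15
    strText = "0x" & Right("0000000" & Hex(lngErr), 8) & _
              " facility=" & lngFacility & " code=" & lngCode
    ' Facility 7 (FACILITY_WIN32) wraps a plain Win32/network error code.
    If lngFacility = 7 Then
        strText = strText & " -> net helpmsg " & lngCode
    End If
    DescribeHResult = strText
End Function

' Report and clear a pending error so that it is attributed to the step that
' raised it and not to a later statement.
Function StepFailed(strStep)
    Dim blnFailed
    blnFailed = (Err.Number <> 0)
    If blnFailed Then
        WScript.Echo strStep & " failed: " & DescribeHResult(Err.Number)
        Err.Clear
    End If
    StepFailed = blnFailed
End Function

' The two values quoted in the post.
Dim lngSample
For Each lngSample In Array(-2147022651, -2147024891)
    WScript.Echo lngSample & " = " & DescribeHResult(lngSample)
Next

' Usage against the post's own calls (needs a domain, so left commented out):
'   On Error Resume Next
'   objUser.Put "pwdLastSet", -1
'   If StepFailed("Put pwdLastSet") Then WScript.Quit 1
'   objUser.SetInfo
'   If StepFailed("SetInfo") Then WScript.Quit 1
```

Both values carry facility 7: code 5 is ERROR_ACCESS_DENIED, matching the "Access is Denied" text, and code 2245 is NERR_PasswordTooShort, the password-policy error.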
