Let us disable the user’s ability to change his/her own password.
Let us download and install the Group Policy Management Console (GPMC).
MS Windows 2003
Unfortunately, we are on MS Windows 2003.
And, so we will download that OS Specific install binary.
The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies management of Group Policy across the enterprise. The GPMC consists of a MMC snap-in and a set of programmable interfaces for managing Group Policy.
File :- gpmc.msi
Dated :- 2012-08-12
We installed the downloaded MSI file.
Once installed, access Group Policy Management via “Administrative Tools” \ “Group Policy Management”.
Add Group Policy
Copying “How To Prevent Users from Changing a Password Except When Required in Windows Server 2003” verbatim, here are the instructions:
- Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
- Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
- Click the Group Policy tab.
- Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
- Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
- Click Ctrl+Alt+Del Options.
- In the right pane, double-click Remove Change Password.
- Click Enabled, and then click OK.
- Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
- Click Start, and then click Run.
- Type cmd in the Open box, and then click OK.
- At the command prompt, type the following line, and then press ENTER:
- gpupdate /target:user /force
Initiate New GPO
Here we navigate to Forest \ Domains \ < Domain Name > \ <ou>.
In our case, that is Forest \ Domains \ < Domain Name > \ Services.
We right-clicked on our OU, Services, and chose “Create and Link a GPO Here…”.
Upon clicking New GPO, here is the screen that allows us to name the new GPO.
Group Policy Object
Group Policy Object – Settings
Here are our Group Policy settings when first created.
Group Policy Object – Edit Settings
Once the Group Policy is created, let us go in and customize it for our setting.
Choose the newly created Group Policy Object ( GPO ), right-click it, and from the drop-down menu click Edit.
Group Policy Object – Edit Settings – “Initial“
Here is the original screen…
Group Policy Object – Edit Settings – “Amending Changes“
Please choose “Remove Change Password” and double-click it.
Group Policy Object – Edit Settings – “Remove Change Password – Enabled“
Here is what things look like once we effect “Remove Change Password”.
Enable Group Policy
Group Policy Review
Let us review the Group Policy in place.
MS Windows 2003
gpresult /USER %_username% /V
We see that for our Group Policy, “Group Policy Object – User Password”, the key Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword is enabled.
MS Windows 2012
On MS Windows 2012, and likely on OS versions between Windows 2003 and Windows 2012 ( 2008 & 2008/R2 ), we can output the result to an HTML or XML file.
That is accomplished through the /H or /X options respectively.
The /F option forces gpresult to overwrite an existing output file.
If not exist "d:\temp" md "d:\temp"
gpresult /USER %_user% /F /H d:\temp\grResultUser.html
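As a complement to gpresult, the registry value named above can be read directly from each loaded user hive. The following PowerShell is an added example, not part of the original post; it assumes PowerShell 2.0 or later, an elevated prompt, and that the account's hive is loaded under HKEY_USERS (the account is logged on or running a service). The function name Get-ChangePasswordPolicyState is hypothetical.

```powershell
# Added example: report the "Remove Change Password" policy value for every
# domain/local user hive currently loaded under HKEY_USERS.
$subKey    = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$valueName = 'DisableChangePassword'

# Hypothetical helper: returns one object per SID with the policy state.
function Get-ChangePasswordPolicyState {
    param([string]$Sid)

    $path  = "Registry::HKEY_USERS\$Sid\$subKey"
    $state = 'NotConfigured'   # key or value absent: the GPO has not applied
    if (Test-Path -LiteralPath $path) {
        $item = Get-ItemProperty -LiteralPath $path -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            if ($item.$valueName -eq 1) { $state = 'Enabled' } else { $state = 'Disabled' }
        }
    }

    # Resolve the SID to DOMAIN\user; fall back to the raw SID if it cannot be mapped.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = $Sid
    }

    New-Object PSObject -Property @{
        Account              = $account
        Sid                  = $Sid
        RemoveChangePassword = $state
    }
}

# User SIDs only: skip .DEFAULT, the well-known service SIDs and the *_Classes hives.
Get-ChildItem -Path 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object { Get-ChangePasswordPolicyState -Sid $_.PSChildName } |
    Select-Object Account, Sid, RemoveChangePassword |
    Format-Table -AutoSize
```

An account in the Services OU that shows NotConfigured has not yet picked up the GPO; run gpupdate /target:user /force in that account's session and check again.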
Let us connect as our Service Account and see what happens when we use CTRL-ALT-DEL, or CTRL-ALT-END when connected over Remote Desktop.
We see that “Change Password” is disabled.
What we have shown here is the ability to revoke the current user’s ability to change his/her password via CTRL-ALT-DEL.
It does not constrain that ability through scripts, Active Directory Users and Computers, etc.
- How To Prevent Users from Changing a Password Except When Required in Windows Server 2003
- Rob Dunn – How to delegate password reset permissions for your IT staff ( SpiceWorks )
- Redspin – Viewing GPO’s on the Commandline