Active Directory – Change User’s Password – Resolution


Preface

In a previous post, I spoke of an SMH (Shaking My Head) moment I was having.

I couldn’t change a password assigned to a newly created Service Account.

The post is here.


Problem Identification

Thankfully, I have friends in high places or at least friends who are not so dim.

As Ron was leaving for the day, I said to him you gonna hate me for bothering you.

But, what is with my inability to change my password.

He said it is a Group Policy thing.

I said I checked the Group Policy (GP) and I did not see that.


Group Policy Report

Code

Using gpresult we can generate Group Policy Reports.

Generate HTML Output

Script


REM Account whose resultant policy we want to report
set "_user=LAB\sbc"
REM Create the output folder if it does not already exist
If not exist "d:\temp" md "d:\temp"
REM /H writes an HTML report; /F overwrites an existing report file
gpresult /USER %_user% /F /H d:\temp\grResultUser.html


Output

[Screenshot: accountandpasswordpolicies]

Generate Textual Output

Script


REM Account whose resultant policy we want to report
set "_user=LAB\svcSQL"

REM /V prints verbose settings; pipe through more to page the output
gpresult /V /USER %_user% | more

Output

[Screenshot: rsop-minimumpasswordage]

Explanation

Under Policies \ Windows Settings \ Account Policies \ Password Policy, there is a Winning GPO stating that "Minimum password age" is 5 days.


Conclusion

I still did not get it, and so Ron had to explain it.

A password has to be at least 5 days old, prior to anyone having the ability to change it.

The password was only created yesterday, and so I have to wait a few more days.


MSFT’s Recommendation

Cristian Dobre

Link

[Screenshot: cristiandobre]


Confirm Our Last Password Date

Let us confirm the date the password was last set.

Code – Credit

As always, I cannot write this code myself.

Stealing this time from Homework

The specific post is titled “How to get the last password change for a user in Active Directory” and it is credited to Alessandro Tani.

It is available here.

Code


# Requires RSAT / the ActiveDirectory PowerShell module
Import-Module ActiveDirectory

# Account to inspect
$ADUser="svcDBHRDB"

# Print the current time so it can be compared with PasswordLastSet
$formatDate="yyyy-MM-dd HH:mm"
$now=Get-Date -format $formatDate

"Current Date & Time is {0}" -f $now

# PasswordLastSet is not returned by default, so request it explicitly
Get-ADUser $ADUser -Properties PasswordLastSet | Format-List
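As an added example (not from the original post or from Alessandro Tani's code), the following PowerShell combines PasswordLastSet with the domain's "Minimum password age" to report the earliest moment a user-initiated change is allowed. It assumes the ActiveDirectory module and reuses the svcDBHRDB account name from above; the function name Get-PasswordChangeEligibility is my own.

```powershell
# Added example, not from the original post: compute when a user-initiated
# password change becomes possible under "Minimum password age".
Import-Module ActiveDirectory

function Get-PasswordChangeEligibility {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, CannotChangePassword

    # A fine-grained password policy (PSO) overrides the domain default when one
    # applies; the cmdlet needs a 2008+ domain functional level, so fall back on error.
    $policy = $null
    try {
        $policy = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName -ErrorAction Stop
    } catch { }
    if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }

    $minAge  = $policy.MinPasswordAge   # TimeSpan, e.g. 5.00:00:00 for 5 days
    $lastSet = $user.PasswordLastSet    # $null when "must change at next logon" is set
    $now     = Get-Date

    # Minimum age gates only user-initiated changes; an administrative reset
    # (Set-ADAccountPassword -Reset) is not subject to it.
    $earliest = if ($lastSet) { $lastSet.Add($minAge) } else { $now }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PasswordLastSet      = $lastSet
        MinPasswordAge       = $minAge
        EarliestUserChange   = $earliest
        CannotChangePassword = $user.CannotChangePassword
        UserChangeAllowedNow = ($now -ge $earliest) -and (-not $user.CannotChangePassword)
    }
}

Get-PasswordChangeEligibility -SamAccountName "svcDBHRDB" | Format-List
```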


Output

[Screenshot: getaduseroutput-20161201-0838am]

Errors

Error – Import-Module : The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.

Please read this QA:

Import-Module : The specified module ‘activedirectory’ was not loaded because no valid module file was found in any module directory
Link


References

  1. Security Policy Settings Reference > Account Policies > Password Policy > Minimum password age (Link)
  2. Alessandro Tani – How to get the last password change for a user in Active Directory (Link)
  3. Nirmal Sharma – When was the Last Password Changed for a User Account in Active Directory (Link)


Active Directory – Disabling User’s Ability to Change His\Her Password – Through Group Policy

Background

Let us disable the user’s ability to Change his/her own password.


Installation

Let us download and install the Group Policy Management Console (GPMC).

MS Windows 2003

Download

Unfortunately, we are on MS Windows 2003.

And so we will download the OS-specific install binary.

The Microsoft Group Policy Management Console (GPMC) with Service Pack 1 (SP1) unifies management of Group Policy across the enterprise. The GPMC consists of a MMC snap-in and a set of programmable interfaces for managing Group Policy.
File :- gpmc.msi
Dated :- 2012-08-12
Link


Installed

Install the downloaded msi file.


Usage

Once installed, access Group Policy Management via “Administrative Tools” \ “Group Policy Management”.

Add Group Policy

Outline Steps

Copying "How To Prevent Users from Changing a Password Except When Required in Windows Server 2003" (here) verbatim, here are the instructions:

  1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
  3. Click the Group Policy tab.
  4. Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
  5. Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
  6. Click Ctrl+Alt+Del Options.
  7. In the right pane, double-click Remove Change Password.
  8. Click Enabled, and then click OK.
  9. Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
  10. Click Start, and then click Run.
  11. Type cmd in the Open box, and then click OK.
  12. At the command prompt, type the following line, and then press ENTER:
    • gpupdate /target:user /force

Screen Shots


Initiate New GPO

Here we navigate to Forest \ Domains \ <Domain Name> \ <OU>.

In our case that is Forest \ Domains \ <Domain Name> \ Services.

We right-clicked on our OU, Services, and chose "Create and Link a GPO Here…".


[Screenshot: initiatemenu-20161130-0204pm]

New GPO

Upon clicking New GPO, here is the screen that allows us to name the new GPO.

[Screenshot: newgpo]


Group Policy Object

Group Policy Object – Settings

Here are our Group Policy Object's settings when first created.

[Screenshot: settings-20161130-0101pm]


Group Policy Object – Edit Settings

Once the Group Policy Object is created, let us go in and customize it for our setting.

Select the newly created Group Policy Object (GPO), right-click it, and choose Edit from the drop-down menu.


Group Policy Object – Edit Settings – “Initial”

Here is the original screen…

[Screenshot: grouppolicy-ctrlaltdel-options-initial]


Group Policy Object – Edit Settings – “Amending Changes”

Please select "Remove Change Password" and double-click on it.

[Screenshot: grouppolicy-ctrlaltdel-options-inprocess-removechangepassword]


Group Policy Object – Edit Settings – “Remove Change Password – Enabled”

Here is what things look like once we enable "Remove Change Password".

[Screenshot: grouppolicy-ctrlaltdel-options]


Enable Group Policy

gpupdate /force

[Screenshot: gpupdate-force]

Group Policy Review

Let us review the Group Policy now in place.

Script

MS Windows 2003

Code


REM Account whose resultant policy we want to report
set "_username=LABDOMAIN\svcDB"

REM /V prints the verbose (per-setting) resultant set of policy
gpresult /USER %_username% /V


Output

[Screenshot: gpresult-20161130-0242pm]

Explanation

We see that for our Group Policy Object, "Group Policy Object – User Password", the registry value Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword is enabled.

MS Windows 2012

On MS Windows 2012, and likely on the OS versions between Windows 2003 and Windows 2012 (2008 and 2008 R2), we can write the result to an HTML or XML file.

That is accomplished through the /H or /X option respectively.

The /F option forces an overwrite of an existing output file.

Code


REM Account whose resultant policy we want to report
set "_user=LAB\svcDB"
REM Create the output folder if it does not already exist
If not exist "d:\temp" md "d:\temp"
REM /H writes an HTML report; /F overwrites an existing report file
gpresult /USER %_user% /F /H d:\temp\grResultUser.html

Test GP

Let us connect as our Service Account and see what happens when we press CTRL-ALT-DEL (or CTRL-ALT-End when connected over Remote Desktop).


[Screenshot: deskop-changepassworddisabled]

We see that “Change Password” is disabled.


Summary

What we have shown here is the ability to remove the current user's ability to change his/her password via the CTRL-ALT-DEL screen.

It does not constrain that ability through other paths, such as scripts, Active Directory Users and Computers, etc.
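As an added example (not from the original post), the following PowerShell shows the two layers side by side: the per-user registry value that gpresult reported for the GPO, and the directory-level "User cannot change password" flag, which is the control that also holds for scripts and Active Directory Users and Computers. It assumes the ActiveDirectory module; the function names are my own and the svcDB account name is the post's.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory

# Layer 1: the GPO seen in gpresult. It only sets a per-user registry value that
# hides the CTRL-ALT-DEL "Change Password" button, so this check must run in the
# service account's own logon session to be meaningful.
function Test-RemoveChangePasswordPolicy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
    $v = Get-ItemProperty -Path $key -Name DisableChangePassword -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableChangePassword -eq 1)
}

# Layer 2: the directory-level control. "User cannot change password" places deny
# ACEs for the Change Password right on the user object itself, so it applies on
# every path (scripts, ADUC, any other client), not just the CTRL-ALT-DEL screen.
function Set-CannotChangePassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [switch]$Apply   # report only unless -Apply is given
    )
    $before = Get-ADUser -Identity $SamAccountName `
        -Properties CannotChangePassword, PasswordNeverExpires, PasswordLastSet

    if ($Apply -and -not $before.CannotChangePassword) {
        Set-ADUser -Identity $SamAccountName -CannotChangePassword $true
    }
    $after = Get-ADUser -Identity $SamAccountName -Properties CannotChangePassword

    [pscustomobject]@{
        User                       = $before.SamAccountName
        CannotChangePasswordBefore = $before.CannotChangePassword
        CannotChangePasswordAfter  = $after.CannotChangePassword
        PasswordNeverExpires       = $before.PasswordNeverExpires
        PasswordLastSet            = $before.PasswordLastSet
    }
}

# Run as the service account, in its own session, to confirm the GPO landed:
"Change Password button hidden by GPO: {0}" -f (Test-RemoveChangePasswordPolicy)

# Report only (no change to the account):
Set-CannotChangePassword -SamAccountName "svcDB" | Format-List
# To enforce at the directory level as well:
# Set-CannotChangePassword -SamAccountName "svcDB" -Apply
```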


References

  1. How To Prevent Users from Changing a Password Except When Required in Windows Server 2003 (Link)
  2. Rob Dunn – How to delegate password reset permissions for your IT staff (SpiceWorks) (Link)
  3. Redspin – Viewing GPO's on the Commandline (Link)