Cannot set local user account property for PasswordChangeable

  • Question

  • I've been using PowerShell to automate a lot of what I'm doing in conjunction with my unattend file. I create accounts in the unattend, and then use PowerShell to set the property "passwordexpires" without issue. However, I can't seem to set the property for "PasswordChangeable", for some unknown reason. I've tried a couple of different methods, based on other posts I've found. They are listed below, but none of these work. I need help, and fast please! :)

    I tried:

    Get-WmiObject -Class Win32_UserAccount -Filter "name = 'MyUser'" | Set-WmiInstance -Argument @{PasswordChangeable = 0}

    This results in an error "Set-Wmiinstance " Generic failure at line:1 char:76

    I have also tried:

    $Acct = Get-WmiObject -Class Win32_UserAccount -Filter "name = 'MyUser'"
    $Acct.PasswordChangeable = $false
    $Acct.Put()

    This results in an error "Exception calling "Put" with "0" argument(s): "Generic failure" at line:3 char:1

    What am I doing wrong here folks? The property is listed as one I can change, but yet, I can't seem to. If I replace the "PasswordChangeable" property with "PasswordExpires" in either case, it works just fine.

    Please help!

    mpleaf

    Friday, January 3, 2014 8:52 PM

All replies

  • Works for me.


    $user = gwmi Win32_UserAccount -filter "LocalAccount=TRUE and Name='username'"
    $user.PasswordChangeable = $FALSE
    $user.Put()
    

    Make sure you are running in an elevated PowerShell window (right-click PowerShell shortcut, click on Run as administrator).

    Bill

    Friday, January 3, 2014 9:20 PM
    Moderator
  • Hi there and thanks for the response. I have tried this as admin, and it still does not work. Note, if I change the property to passwordexpires, it works...why is that? I copied your text into my PowerShell window, to ensure no difference, and yours fails on both servers I tested as well.

    Makes no sense to me, but has to be something simple I'm missing.

    mpleaf

    Friday, January 3, 2014 10:19 PM
  • What version of PowerShell are you using? I'm using:

    Major  Minor  Build  Revision
    -----  -----  -----  --------
    3      0      -1     -1

    mpleaf

    Friday, January 3, 2014 10:38 PM
  • I have also tried using the property of disabled (true and false), and that property works fine. It seems to be the PasswordChangeable property that is failing consistently for me.

    I'm at a loss...

    mpleaf

    Friday, January 3, 2014 10:42 PM
  • I can't reproduce the problem.

    However you could do the same thing using ADSI:


    $ADS_UF_PASSWD_CANT_CHANGE = 0x00040
    
    $userName = "username"
    
    $user = [ADSI] "WinNT://$ENV:USERDOMAIN/$ENV:COMPUTERNAME/$userName,User"
    $properties = $user.Properties["UserFlags"].Value
    if ( ($properties -band $ADS_UF_PASSWD_CANT_CHANGE) -eq 0 ) {
      $properties = $properties -bor $ADS_UF_PASSWD_CANT_CHANGE
      $user.Properties["UserFlags"].Value = $properties
      $user.SetInfo()
    }
    

    I don't know why WMI uses 'password changeable' as this is the opposite of what all of the other APIs use ('cannot change password'). The above ADSI code checks if the 'cannot change password' bit is not set and sets it if it's not.

    Bill

    Friday, January 3, 2014 10:42 PM
    Moderator
  • Okay, so I tried the above script and got this error:

    Exception calling "SetInfo" with "0" argument(s): "This operation is disallowed as it could result in an administration account being disabled, deleted or unable to logon.

    Friday, January 3, 2014 10:46 PM
  • The error message you posted contains the answer to your question of why it doesn't work.

    Bill

    Friday, January 3, 2014 10:49 PM
    Moderator
  • But there must be some way to force it to work, or a setting on the system to allow it? If it works for you elsewhere, there must be something in the way I'm doing it or a local setting preventing it?

    mpleaf

    Friday, January 3, 2014 10:50 PM
  • Have you tried checking the 'cannot change password' box for the local user in the user manager tool (lusrmgr.msc) and seeing if you get an error message?

    The ADSI code I posted does exactly what the GUI is doing, and you will probably get an error message.

    If this is the case, you do not have a scripting question but rather a security question.

    Bill


    Friday, January 3, 2014 10:53 PM
    Moderator
  • I did a search for that error message. This was the first search result:

    GPP Local Users and Groups fails with Event ID 4098 on Windows 8 and Windows Server 2012 (Microsoft knowledge base article 2890259)

    Bill

    Friday, January 3, 2014 10:59 PM
    Moderator
  • Thanks Bill! Of course, you are correct...it turns out not to be a scripting question, but a security question which I am still chasing...as this is not on a domain. But alas. Thanks for the guidance!

    mpleaf

    Monday, January 6, 2014 8:13 PM
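
A read-only check, added here as an example and not code from either poster: it lists each local account's UserFlags through the same WinNT ADSI provider used above, shows the ADSI 'cannot change password' bit next to WMI's PasswordChangeable value, and marks members of the local Administrators group. The InAdministrators column is included on the assumption, taken from the error text in the thread, that the refusal concerns administrator accounts.

```powershell
# Added example: read-only report; it changes no account settings.
# ADS_USER_FLAG_ENUM bits stored in the WinNT provider's UserFlags property.
$flagNames = @{
    0x0002  = 'ACCOUNTDISABLE'
    0x0020  = 'PASSWD_NOTREQD'
    0x0040  = 'PASSWD_CANT_CHANGE'
    0x10000 = 'DONT_EXPIRE_PASSWD'
}

# Resolve the local Administrators group by its well-known SID so the
# lookup also works on non-English installations.
$sid       = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$groupName = $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
$group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,Group"
# Member names only; a domain member with the same name as a local
# account would also match (assumption accepted for this report).
$admins    = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# WMI view of the same local accounts, keyed by name, for comparison.
$wmi = @{}
Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=TRUE' |
    ForEach-Object { $wmi[$_.Name] = $_ }

$computer = [ADSI]"WinNT://$env:COMPUTERNAME,Computer"
$computer.Children | Where-Object { $_.SchemaClassName -eq 'User' } | ForEach-Object {
    $name  = [string]$_.Name
    $flags = [int]$_.Properties['UserFlags'].Value
    # Names of the known bits that are set in this account's UserFlags.
    $set   = $flagNames.Keys | Sort-Object |
             Where-Object { $flags -band $_ } |
             ForEach-Object { $flagNames[$_] }
    New-Object PSObject -Property @{
        Name                  = $name
        UserFlags             = '0x{0:X}' -f $flags
        FlagsSet              = $set -join ','
        AdsiCantChange        = [bool]($flags -band 0x0040)
        WmiPasswordChangeable = $wmi[$name].PasswordChangeable
        InAdministrators      = $admins -contains $name
    }
} | Format-Table Name, UserFlags, AdsiCantChange, WmiPasswordChangeable, InAdministrators, FlagsSet -AutoSize
```

AdsiCantChange and WmiPasswordChangeable should read as opposites for each account, which is the inversion between the two APIs mentioned in the ADSI reply.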