Finding users with CannotChangePassword = True

  • Question

  • When using Get-ADUser I can't make the Filter work with CannotChangePassword. I get an error.

    Get-ADUser : Searching on extended attribute 'CannotChangePassword' is not supported.

    I can get a where command to work.

    ...| where {$_.CannotChangePassword -eq $True}

    But I would prefer to use the filter. Is this possible?

    Thanks,

    Paul

    Thursday, April 6, 2017 1:58 PM

All replies

  • This should work:

    Get-ADUser -Filter {CannotChangePassword -eq $True}

    Edit: If you pipe to a Where clause, you must specify the CannotChangePassword property with the -Properties parameter, but it is more efficient to filter.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, April 6, 2017 2:15 PM
  • Thank you for the reply. Unfortunately I get the error

    Get-ADUser : Searching on extended attribute 'CannotChangePassword' is not supported.

    I'm on 2008 R2 AD. Is that part of the issue?

    Paul

    Thursday, April 6, 2017 2:18 PM
  • Perhaps I should have researched more, earlier, but I am discovering that CannotChangePassword isn't an attribute. It is a right set with a DACL that allows (or disallows) the user to ChangePassword. So, it would appear I can't query for it because it is not an attribute on the account.

    I'll stick with the Where command for now. Thanks.

    Paul

    Thursday, April 6, 2017 2:34 PM
  • My mistake. It seems that the CannotChangePassword property is supported by the Set-ADUser cmdlet, but not the Get-ADUser cmdlet. So the property can be updated, but not read.

    Edit: This filter might help, but the setting is not quite the same:

    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=64)"

    This setting tests the ADS_UF_PASSWD_CANT_CHANGE bit of userAccountControl, whereas the PowerShell property is based on the ntSecurityDescriptor attribute, so it is based on permissions.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    Thursday, April 6, 2017 2:35 PM
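    As an added example (not code from the thread), the check Paul wants can be done client-side in one pass: pull nTSecurityDescriptor and userAccountControl for all users in a single query, then inspect the descriptor for Deny ACEs on the User-Change-Password extended right (well-known GUID ab721a53-1e2f-11d0-9819-00aa0040529b) for Everyone (S-1-1-0) and NT AUTHORITY\SELF (S-1-5-10), and report the userAccountControl bit Richard mentions beside it. It assumes the ActiveDirectory module and a live domain connection; treating those two Deny ACEs as the equivalent of CannotChangePassword is the assumption the check rests on.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Extended right "User-Change-Password" (well-known schema GUID). CannotChangePassword
# is reflected in the security descriptor as Deny ACEs for this right, not as an attribute.
$ChangePasswordGuid = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'
$DeniedPrincipals   = @('S-1-1-0', 'S-1-5-10')   # Everyone, NT AUTHORITY\SELF

function Test-DeniesChangePassword {
    param([System.DirectoryServices.ActiveDirectorySecurity]$Sd)

    # Resolve identities as SIDs so the comparison does not depend on name translation.
    $deny = $Sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.ObjectType -eq $ChangePasswordGuid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
            ($_.IdentityReference.Value -in $DeniedPrincipals)
        }
    return [bool]$deny
}

# One LDAP round-trip fetches the descriptor and userAccountControl for every user;
# the permission test itself runs locally, so no server-side filter on the property is needed.
$users = Get-ADUser -Filter * -Properties nTSecurityDescriptor, userAccountControl

foreach ($u in $users) {
    $byAcl = Test-DeniesChangePassword -Sd $u.nTSecurityDescriptor
    # ADS_UF_PASSWD_CANT_CHANGE (0x40) is a separate mechanism from the ACL; show both so
    # accounts where the two sources disagree stand out.
    $byUac = [bool]($u.userAccountControl -band 0x40)

    if ($byAcl -or $byUac) {
        [PSCustomObject]@{
            SamAccountName = $u.SamAccountName
            DeniedByAcl    = $byAcl
            UacBit64       = $byUac
        }
    }
}
```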
  • Hi Paul,

    >>but I am discovering that CannotChangePassword isn't an attribute. It is a righ

    Property              Syntax   R/RW  lDAPDisplayName
    CannotChangePassword  Boolean  RW    nTSecurityDescriptor

    https://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx

    So, please try this:

    Get-ADUser -LDAPFilter '(nTSecurityDescriptor=True)'

    Best regards,

    Andy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, April 7, 2017 2:07 AM
    Moderator
  • "ntSecurityDescriptor" is an object and it will always be true for any object.

    ¯\_(ツ)_/¯

    Friday, April 7, 2017 2:47 AM
    Moderator