Preventing users from changing password

Andrew Bartlett abartlet at
Wed Jul 10 16:27:01 GMT 2002

Patrick McCarty wrote:
> Hi all,
> I'm attempting to prevent our users from changing their passwords from
> Windows XP specifically.
> I've tried setting acctflags in LDAP to:
> acctFlags: [UPX        ]
> (P for cannot change password)

There is no 'P' option.

> and I've set:
> pwdCanChange: 2147483647
> pwdMustChange: 2147483647
> Unfortunately, XP isn't honoring these fields.
> What's the trick?

Not supported in Samba yet.

The 'user cannot change password' is implemented in NT as an ACL on the
user.  We don't have ACL support for this yet - discussions are just
starting on a new SAM subsystem with such features.

PasswordCanChange is also not yet implemented, but I'll take patches (to
HEAD) to improve that support.

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at

More information about the samba-technical mailing list