[Samba] How to prevent users from changing their password?

Roel van Meer roel at 1afa.com
Tue Sep 30 00:43:33 MDT 2014

Matthieu Patou writes:

>> With Samba 4 in AD mode, how can I prevent users from changing their  
>> password?
>> I have a working samba 4 AD. I can, with the ADUC, set the "User cannot  
>> change password" flag in the account options. However, I would like to be  
>> able to do so without using the ADUC.
>> The other account options can be managed directly in LDAP, by setting the  
>> USERACCOUNTCONTROL attribute mostly.
>> However, according to http://support.microsoft.com/kb/305144, this is not  
>> possible for the "User cannot change password" flag.

> This is possible but you need to do it with an admin, as for the value  
> itself, I would recommend doing ldbsearch on a user before setting the value  
> and then after (using aduc) to see which fields you have to change and to  
> which value.

The problem is, none of the fields are changing. According to the Microsoft  
documentation, the right to change your password is granted or revoked by  
means of ACLs, and I wouldn't know how to set those.
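
As an added illustration (not part of the original thread and not Samba's own code): the Microsoft documentation referred to above expresses "User cannot change password" as deny ACEs for the Change Password control access right, granted to Everyone and Self, in the user's nTSecurityDescriptor. The sketch below assumes you already have that descriptor as an SDDL string; the helper names and the sample descriptor are constructed for the example, and reading or writing the attribute on the DC is left out.

```python
import re

CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # Change Password right
TRUSTEES = ("WD", "PS")  # SDDL aliases for Everyone and Self
ACE = re.compile(r"\([^()]*\)")
DACL = re.compile(r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))+)")


def _fields(ace):
    # ACE layout: (type;flags;rights;object_guid;inherit_object_guid;trustee)
    return ace.strip("()").split(";")


def _targets_change_pw(ace):
    """True for an allow/deny object ACE on Change Password for Everyone/Self."""
    f = _fields(ace)
    return (len(f) == 6 and f[0] in ("OA", "OD") and f[2] == "CR"
            and f[3].lower() == CHANGE_PASSWORD and f[5] in TRUSTEES)


def denied_trustees(sddl):
    """Trustees that carry an explicit deny ACE for Change Password."""
    aces = ACE.findall(DACL.search(sddl).group("aces"))
    return {_fields(a)[5] for a in aces
            if _targets_change_pw(a) and _fields(a)[0] == "OD"}


def set_cannot_change_password(sddl, deny=True):
    """Return sddl with the Change Password ACEs for Everyone/Self rewritten."""
    m = DACL.search(sddl)
    keep = [a for a in ACE.findall(m.group("aces")) if not _targets_change_pw(a)]
    new = ["(%s;;CR;%s;;%s)" % ("OD" if deny else "OA", CHANGE_PASSWORD, t)
           for t in TRUSTEES]
    # Canonical DACL order: explicit deny ACEs first, then explicit allow ACEs.
    pos = 0
    while (not deny and pos < len(keep)
           and _fields(keep[pos])[0] in ("D", "OD")
           and "ID" not in _fields(keep[pos])[1]):
        pos += 1
    aces = keep[:pos] + new + keep[pos:]
    return sddl[:m.start()] + "D:" + m.group("flags") + "".join(aces) + sddl[m.end():]


# Constructed sample descriptor (not taken from a real directory).
SAMPLE = ("O:DAG:DAD:AI(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
          "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
          "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)")

if __name__ == "__main__":
    locked = set_cannot_change_password(SAMPLE)
    print(locked)
    print(sorted(denied_trustees(locked)))
```

This also explains why a before/after comparison of ordinary attributes shows nothing: only the security descriptor differs, and it has to be requested and decoded explicitly.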


