Security – How to revoke change password permission only for users in specific OU

Tags: active-directory, password, permissions, Security

I have a question about active directory permission to change password. Is it possible to revoke permission to change password for users from specific OU?

How can I accomplish this task? I know it can be done for specific group of users but is it possible for users in specific OU?

UPDATE

Thanks for all your answers. They were really helpful. Unfortunately I cannot upvote these responses due to my low reputation 😉

95% of users are in the OU I'm writing about. I'm thinking about removing change password permission from the Everyone group and creating a group for users that would be able to change their passwords. The issue is that users from this OU are in another application and they should change their password using this app, not in AD. Users that are not in this OU are only in AD, so they can change their passwords in AD.

Do you think that would be a good solution, or will there be problems with it?

Thanks for help.

Best Answer

John Rennie and Sam Cogan's answers (as John so aptly states) are "hacks" insofar as they attempt to disable the user-interface to change passwords but don't actually take away the ability for the user to change their password.

I think you're looking for a change to the permissions Active Directory sets by default on the OU where the user accounts are located. I'm going to caution you against that. Since Microsoft already provides this functionality through an attribute on the user account objects it's really better to use that already-provided attribute than to change the AD permissions. It's likely that you could find a permission that works, and it's also just as likely that the OS isn't going to display helpful messages.

You really should just select all the affected users using Active Directory Users and Computers and modify the properties of the user accounts en masse. Dart's answer is functionally the same as selecting all the user accounts and setting their "User cannot change password" graphically. If you like the command-line better, do that.

There is functionality to do this with an "Extended Right" using Active Directory permissions in Windows 2003. I'm not finding good documentation on the feature. Here's some background on the "extended rights" associated with changing passwords, the first relating to Active Directory "Application Mode" (or whatever Microsoft is calling it this week):

I attempted to verify Massimo's answer by placing a "SELF - Deny - User Objects - Extended Right: Change Password" permission on an OU in my test W2K3 Active Directory (Windows 2003 Domain Functional Level) and found that the user objects at or below that OU were still able to change their passwords using the GUI password change functionality. Looking at each user object, I could see the inherited "Deny" permission, but Active Directory appeared to ignore it.

Just removing the "SELF - Allow - Change Password" permission on a user object gave me the same functionality as the above test. The user was still permitted to change their password.

I'd say, on that basis, that Massimo's answer doesn't do what you want either.

I found this article from Microsoft and tested it out. When I target the script at an individual user object it behaves as desired and the user is unable to change their password. This isn't much help to you, though, since you want to set this on a per-OU basis.

When I target that script from Microsoft at an OU, however, the behaviour no longer is as expected. (Further, if I modify the ACEs added to the OU to apply to "This object and child objects" instead of "This object only" as is granted by the script, the behaviour still is not as expected.)

I'm really beating my head into a wall on this one. This looks like a quirk of Active Directory behaviour that isn't well documented. I've been through the "Active Directory Domain Services" and Active Directory schema documentation and I'm not finding documentation to describe this behaviour.
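The command-line route the answer above alludes to (setting "User cannot change password" on every account under an OU rather than editing the OU's ACL) can be scripted with the RSAT ActiveDirectory module. This is an added example, not code from the question, the answer, or Microsoft; it assumes the module is installed, that the caller has rights to modify the user objects, and that the OU distinguished name is a placeholder to be replaced:

```powershell
# Added example: set "User cannot change password" on every user at or below one OU.
# Assumes the RSAT ActiveDirectory module; the DN below is a placeholder.
Import-Module ActiveDirectory

$targetOu = 'OU=AppUsers,DC=example,DC=com'   # placeholder DN, replace with your OU

# Enumerate user objects under the OU. CannotChangePassword is a computed property
# that reflects the per-object deny ACEs the GUI checkbox writes, so it must be requested.
$users = Get-ADUser -Filter * -SearchBase $targetOu -SearchScope Subtree `
                    -Properties CannotChangePassword

# Only touch accounts that are not already locked down; -WhatIf is honoured by Set-ADUser,
# so a dry run is: .\script.ps1 after adding -WhatIf to the Set-ADUser call.
foreach ($u in $users | Where-Object { -not $_.CannotChangePassword }) {
    Set-ADUser -Identity $u.DistinguishedName -CannotChangePassword $true
    Write-Output "Set CannotChangePassword on $($u.SamAccountName)"
}

# Verification pass: anything listed here can still change its own password.
Get-ADUser -Filter * -SearchBase $targetOu -SearchScope Subtree -Properties CannotChangePassword |
    Where-Object { -not $_.CannotChangePassword } |
    Select-Object SamAccountName, DistinguishedName
```

Because the setting lives on each user object rather than on the OU, accounts created in or moved into the OU later will not pick it up automatically; the verification pass doubles as a detection check and the script is meant to be rerun on a schedule.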