# This Perl code disables a user's ability to change password

# ---------------------------------------------------------------
# Adapted from VBScript code contained in the book:
#      "Active Directory Cookbook" by Robbie Allen
# ISBN: 0-596-00466-4
# ---------------------------------------------------------------

# ------ SCRIPT CONFIGURATION ------
my $strUserDN = "<UserDN>";    # e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
# ------ END CONFIGURATION ---------
use Win32::OLE;
$Win32::OLE::Warn = 3;
my $ACETYPE_ACCESS_DENIED_OBJECT = 6;
my $ACEFLAG_OBJECT_TYPE_PRESENT = 1;
my $RIGHT_DS_CONTROL_ACCESS = 256;
my $CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}";

my $objUser = Win32::OLE->GetObject("LDAP://" . $strUserDN);
my $objSD = $objUser->Get("ntSecurityDescriptor");
my $objDACL = $objSD->DiscretionaryAcl;

# Add a deny ACE for Everyone
my $objACE = Win32::OLE->CreateObject("AccessControlEntry");
$objACE->{Trustee} = "Everyone";
$objACE->{AceFlags} = 0;
$objACE->{AceType} = $ACETYPE_ACCESS_DENIED_OBJECT;
$objACE->{Flags} = $ACEFLAG_OBJECT_TYPE_PRESENT;
$objACE->{ObjectType} = $CHANGE_PASSWORD_GUID;
$objACE->{AccessMask} = $RIGHT_DS_CONTROL_ACCESS;
$objDACL->AddAce($objACE);

# Add a deny ACE for Self
$objACE = Win32::OLE->CreateObject("AccessControlEntry");
$objACE->{Trustee} = "Self";
$objACE->{AceFlags} = 0;
$objACE->{AceType} = $ACETYPE_ACCESS_DENIED_OBJECT;
$objACE->{Flags} = $ACEFLAG_OBJECT_TYPE_PRESENT;
$objACE->{ObjectType} = $CHANGE_PASSWORD_GUID;
$objACE->{AccessMask} = $RIGHT_DS_CONTROL_ACCESS;
$objDACL->AddAce($objACE);

$objSD->{DiscretionaryAcl} = $objDACL;
$objUser->Put("nTSecurityDescriptor", $objSD);
$objUser->SetInfo;
print "Enabled no password changing for $strUserDN\n";