Question
Thursday, April 6, 2017 1:58 PM
When using Get-ADUser I can make the Filter work with CannotChangePassword. I get an error.
Get-ADUser : Searching on extended attribute 'CannotChangePassword' is not supported.
I can get a where command to work.
...| where {$_.CannotChangePassword -eq $True}
But I would prefer to use the filter. Is this possible?
Thanks,
Paul
All replies (4)
Thursday, April 6, 2017 2:18 PM
Thank you for the reply. Unfortunately I get the error
Get-ADUser : Searching on extended attribute 'CannotChangePassword' is not supported.
I'm on 2008 R2 AD. Is that part of the issue?
Paul
Thursday, April 6, 2017 2:34 PM
Perhaps I should have researched more, earlier, but I am discovering that CannotChangePassword isn't an attribute. It is a right set with a DACL that allows (or disallows) the user to ChangePassword. So, it would appear I can't query for it because it is not an attribute on the account.
I'll stick with the Where command for now. Thanks.
Paul
Friday, April 7, 2017 2:07 AM
Hi Paul,
>>but I am discovering that CannotChangePassword isn't an attribute. It is a righ
Property Syntax R/RW lDAPDisplayName
CannotChangePassword Boolean RW nTSecurityDescriptor
So, please try this:
Get-ADUser -LDAPFilter '(nTSecurityDescriptor=True)'
Best regards,
Andy
Friday, April 7, 2017 2:47 AM
"ntSecurityDescriptor" is an object and it will always be true for any object.
\(ツ)_/
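
Added example, not posted by anyone in this thread: since CannotChangePassword is derived from the account's DACL rather than stored as an attribute, an audit can read nTSecurityDescriptor for each user and look for the deny ACE directly. The check still runs client-side. The search base is a placeholder, and treating a deny ACE for either Everyone or SELF as a match is an assumption of this sketch.

```powershell
Import-Module ActiveDirectory

# Placeholder search base (assumption): replace with an OU in your own domain.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# schemaIDGUID-style rights GUID of the "Change Password" extended right
# (User-Change-Password control access right).
$ChangePasswordGuid = [guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'

# Well-known SIDs: Everyone and SELF.
$Trustees = 'S-1-1-0', 'S-1-5-10'

function Test-DeniesPasswordChange {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )
    # Explicit ACEs only, with trustees returned as SIDs so the comparison
    # does not depend on localized account names.
    $rules = $Acl.GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $isExtendedRight = $rule.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

        if ($rule.AccessControlType -eq 'Deny' -and
            $isExtendedRight -and
            $rule.ObjectType -eq $ChangePasswordGuid -and
            $Trustees -contains $rule.IdentityReference.Value) {
            return $true
        }
    }
    return $false
}

# nTSecurityDescriptor is not returned by default, so request it explicitly.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
    Where-Object { Test-DeniesPasswordChange -Acl $_.nTSecurityDescriptor } |
    Select-Object SamAccountName, DistinguishedName
```

Reading nTSecurityDescriptor requires read permission on each object's security descriptor; accounts the caller cannot read will come back with an empty value and should be reviewed separately.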