
  1. #1
    Join Date
    Feb 2005
    Posts
    35

    Question Setting "User Cannot Change Password" via LDAP

    We manage all accounts centrally, including new account requests. This has been a two-step process where a network account was first created that dealt with most campus-wide services and then a separate Windows domain account was created for student lab and staff use. I am trying to simplify that and I am able to create the domain account via a standard LDAP API as well as set a synchronized password. But the one thing we want to ensure is that domain users only change their passwords through the centralized service and not locally from within Windows -- that way passwords stay in sync. The problem is disabling the user's ability. However, doing this requires setting an ACE in the ntSecurityDescriptor attribute of the entry. While I can do that via a vbs script, that also defeats the purpose of managing everything centrally. Is there a way to set the ACE via LDAP over the network, and does anyone have any code examples?

    Thanks,
    Rob

  2. #2
    Join Date
    Mar 2006
    Posts
    1

    Re: Setting "User Cannot Change Password" via LDAP

    Did you ever figure this out? I am attempting to do something similar and have yet to find any good examples ....

  3. #3
    Join Date
    Feb 2005
    Posts
    35

    Re: Setting "User Cannot Change Password" via LDAP

    We eventually hired a Windows sysadmin who actually knows his stuff and how to set policies. He used a group policy to globally disable a user's ability to change his or her password. They are therefore forced to use the main webtool that keeps everything in sync.
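
Added example, not part of the original thread: a Python sketch of the ACEs the first post refers to. It builds the two deny entries on the Change Password extended right, for Everyone (S-1-1-0) and SELF (S-1-5-10), and prepends them to a binary DACL; the function names are hypothetical and the LDAP read and write of nTSecurityDescriptor is assumed to happen elsewhere.

```python
import struct
import uuid

# User-Change-Password extended right; trustees are Everyone and SELF
CHANGE_PASSWORD = uuid.UUID("ab721a53-1e2f-11d0-9819-00aa0040529b")
DENY_TRUSTEES = ("S-1-1-0", "S-1-5-10")
ACCESS_DENIED_OBJECT_ACE_TYPE = 0x06
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
ACE_OBJECT_TYPE_PRESENT = 0x1
ACL_REVISION_DS = 4  # ACL revision needed when object ACEs are present

def sid_to_bytes(sid):
    """Encode a string SID such as S-1-5-10 in its binary form."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def deny_change_password_ace(sid):
    """ACCESS_DENIED_OBJECT_ACE: header, mask, flags, object GUID, SID."""
    body = (struct.pack("<II", ADS_RIGHT_DS_CONTROL_ACCESS, ACE_OBJECT_TYPE_PRESENT)
            + CHANGE_PASSWORD.bytes_le + sid_to_bytes(sid))
    return struct.pack("<BBH", ACCESS_DENIED_OBJECT_ACE_TYPE, 0, 4 + len(body)) + body

def split_aces(dacl):
    """Return the raw ACEs of a binary ACL (8-byte header, then ACEs)."""
    count = struct.unpack_from("<H", dacl, 4)[0]
    aces, off = [], 8
    for _ in range(count):
        size = struct.unpack_from("<H", dacl, off + 2)[0]
        if size < 4 or off + size > len(dacl):
            raise ValueError("malformed ACE at offset %d" % off)
        aces.append(dacl[off:off + size])
        off += size
    return aces

def build_dacl(aces):
    payload = b"".join(aces)
    return struct.pack("<BBHHH", ACL_REVISION_DS, 0, 8 + len(payload), len(aces), 0) + payload

def add_cannot_change_password(dacl):
    """Prepend the deny ACEs so they precede any allow ACEs; idempotent."""
    existing = split_aces(dacl)
    new = [a for a in map(deny_change_password_ace, DENY_TRUSTEES) if a not in existing]
    return build_dacl(new + existing)

def cannot_change_password(dacl):
    aces = split_aces(dacl)
    return all(deny_change_password_ace(s) in aces for s in DENY_TRUSTEES)
```

To apply it, read nTSecurityDescriptor over LDAP with the SD flags control (OID 1.2.840.113556.1.4.801, value 4 for the DACL), swap the DACL inside the returned security descriptor, and write the attribute back.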
