Freeze Active Directory users from changing passwords temporarily

755 pts.
Tags:
Active Directory
Active Directory backup
Active Directory Backup and Restore
Active Directory security
Backup and restore
Network security
Can we prevent users from changing their AD passwords temporarily? We want to create a network freeze and not change or modify anything including passwords while we do some backup/restore testing.
ASKED: January 6, 2011  9:24 PM
UPDATED: January 7, 2011  11:34 AM

Answer Wiki

Thanks. We'll let you know when a new response is added.

How to Configure a Site, Domain, or Organizational Unit to Prevent Users from Changing Passwords Unless Prompted

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
Right-click the domain or organizational unit for which you want to implement the new password change policy, and then click Properties.
Click the Group Policy tab.
Click the Group Policy object (GPO) that you want to work with, and then click Edit. If there are no existing policies listed in the Group Policy Object Links list, click New to create a new policy, type a name for the new policy, and then click Edit.
Expand the GPO, expand User Configuration, expand Administrative Templates, and then expand System.
Click Ctrl+Alt+Del Options.
In the right pane, double-click Remove Change Password.
Click Enabled, and then click OK.
Quit the Group Policy Object Editor snap-in, click OK, and then quit the Active Directory Users and Computers snap-in.
Click Start, and then click Run.
Type cmd in the Open box, and then click OK.
At the command prompt, type the following line, and then press ENTER:
gpupdate /target:user /force
Type exit to close the command prompt.

NOTE: By default, policies that are applied to either users or computers at the domain level will apply to all users and all computers in the domain. By default, the application of a policy to organization units will apply to all user accounts and machine accounts that reside in that organization unit, and to any suborganizational unit that may exist. A user account must either be moved into, or be created in, that organization unit for it to apply. If you just add security groups that a user may be a member of to an organization unit, this will not apply the policy to that user.

———-

Or you can write a PowerShell script which changes the User Can Change Password flag from true to false for all the users.

Discuss This Question:  

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following