How to prevent a group of users from changing their passwords in AD

How to prevent a group of users from changing their passwords in Active Directory (PowerShell)

Introduction

This PowerShell script sample shows how to prevent a group of users from changing their passwords in Active Directory.

Scenarios

Sometimes admins want to restrict all the users of a group from changing their password. This script is to achieve that.

Script

Step 1: Right click PowerShell and select Run as Administrator.

Step 2: Then drag the script to PowerShell console and enter the command like following.

Note If you want to enable user change password, you can use "-Changepassword" parameter.

Here are some code snippets for your reference.

PowerShell

Edit|Remove

param
(
    [Parameter(Mandatory= $True)]
    [String]$Identity,
    [Switch]$ChangePassowrd
)
 
Try
{
 
    $Users = Get-ADGroupMember  -Identity $Identity 
    if(!$ChangePassowrd)
    {
       
        foreach($user in $Users)
        {
            $user | Set-ADUser -CannotChangePassword:$true
            Write-Progress -Activity "set 'CannotChangePassword'" -Status "$user.Name"
            Write-Host "Set user $($user.Name) can not change password successfully." -ForegroundColor Green 
        }
    }
    Else
    {
        foreach($user in $Users)
        {
            $user | Set-ADUser -CannotChangePassword:$False
            Write-Progress -Activity "uncheck 'CannotChangePassword'" -Status "$user.Name"
            Write-Host "Set user $($user.Name) can change password successfully." -ForegroundColor Green 
        }
    }
 
}
Catch
{
    Write-Error $_
}

param 
( 
    [Parameter(Mandatory= $True)] 
    [String]$Identity, 
    [Switch]$ChangePassowrd 
) 
  
Try 
{ 
  
    $Users = Get-ADGroupMember  -Identity $Identity  
    if(!$ChangePassowrd) 
    { 
        
        foreach($user in $Users) 
        { 
            $user | Set-ADUser -CannotChangePassword:$true 
            Write-Progress -Activity "set 'CannotChangePassword'" -Status "$user.Name" 
            Write-Host "Set user $($user.Name) can not change password successfully." -ForegroundColor Green  
        } 
    } 
    Else 
    { 
        foreach($user in $Users) 
        { 
            $user | Set-ADUser -CannotChangePassword:$False 
            Write-Progress -Activity "uncheck 'CannotChangePassword'" -Status "$user.Name" 
            Write-Host "Set user $($user.Name) can change password successfully." -ForegroundColor Green  
        } 
    } 
  
} 
Catch 
{ 
    Write-Error $_ 
}

Prerequisite

Windows Server 2012

Microsoft All-In-One Script Framework is an automation script sample library for IT Professionals. The key value that All-In-One Script Framework is trying to deliver is Scenario-Focused Script Samples driven by IT Pros' real-world pains and needs. The team is monitoring all TechNet forums, IT Pros' support calls to Microsoft, and script requests submitted to TechNet Script Repository. We collect frequently asked IT scenarios, and create script samples to automate the tasks and save some time for IT Pros. The team of All-In-One Script Framework sincerely hope that these customer-driven automation script samples can help our IT community in this script-centric move.