'
' Script to Change Properties of ALL users in an OU
' -User Cannot Change Password (check that box)
' -User Password Doesn't expire (check that box)
' Same as Running (same as running dsmod user "CN=,OU=,DC=,DC=" -pwdneverexpires yes -canchpwd no)
' but without needing to make a batch script for each user/ou !

Dim domainObject
'dim rootDSE
'Set rootDSE=GetObject("LDAP://RootDSE")
'domainContainer = rootDSE.Get("defaultNamingContext")
'Set domainObject = GetObject("LDAP://" & domainContainer)
strOU = "Users"
'Change strOU= "Users" to your Users Folder you wish to modify (may be a different OU/container than users, and this will run recursively on that OU/container
Set domainObject = GetObject("LDAP://OU=" & strOU & ",DC=DOMAIN,DC=COM")
'Change DC=DOMAIN,DC=COM to reflect your domain

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const ADS_ACEFLAG_OBJECT_TYPE_PRESENT = &H1
Const CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
Const ADS_RIGHT_DS_CONTROL_ACCESS = &H100

ExportUsers(domainObject)

Sub ExportUsers(oObject)
Dim oUser,dsmodcmd,objSD,objDACL,arrTrustees
Set shell = CreateObject("WScript.Shell")
For Each oUser in oObject
 Select Case oUser.Class
     Case "user"
  wscript.echo oUser.displayname
       'Set User Password Doesn't Expire
  flag = oUser.Get("userAccountControl")
  newFlag = flag Or ADS_UF_DONT_EXPIRE_PASSWD
  oUser.Put "userAccountControl", newFlag
       'Set User Cannot Change Password
  Set objSD = oUser.Get("ntSecurityDescriptor")
  Set objDACL = objSD.DiscretionaryAcl
  arrTrustees = array("nt authority\self", "EVERYONE")
  For Each strTrustee in arrTrustees
      Set objACE = CreateObject("AccessControlEntry")
      objACE.Trustee = strTrustee
      objACE.AceFlags = 0
      objACE.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT
      objACE.Flags = ADS_ACEFLAG_OBJECT_TYPE_PRESENT
      objACE.ObjectType = CHANGE_PASSWORD_GUID
      objACE.AccessMask = ADS_RIGHT_DS_CONTROL_ACCESS
      objDACL.AddAce objACE
  Next
  objSD.DiscretionaryAcl = objDACL
  oUser.Put "nTSecurityDescriptor", objSD
  oUser.SetInfo
     Case "organizationalUnit" , "container"
  'This finds users in any Sub OU's/containers
  If UsersinOU (oUser) then 
   ExportUsers(oUser)
  End if 
 End select
Next
End Sub


Function UsersinOU (oObject)
Dim oUser
UsersinOU = False
for Each oUser in oObject 
Select Case oUser.Class
Case "organizationalUnit" , "container"
 UsersinOU = UsersinOU(oUser)
Case "user"
 UsersinOU = True
End select
Next
End Function