Password Nerver Expires ACLs

[Jay Knowlton]

How can I change the default ACLs for the account creation
process in a Windows 2000 Domain so that the only users
that have rights to check/uncheck the Password Never
Expires checkbox are members of the Domain Admins Security
group?

Also, can changing the security of this checkbox on all
existing user objects be scripted?

Thanks! - Jay Knowlton

 

[Joe Richards [MVP]]

You have to modify the permissions on the useraccountcontrol attribute,
unfortunately doing that will mean only domain admins can effectively create
an ID because they would be the only ones who could do the required enable
after the password was set.