Set objUser = GetObject _ ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com") Set objSD = objUser.Get("nTSecurityDescriptor") Set objDACL = objSD.DiscretionaryAcl
For Each Ace In objDACL If ((Ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _ (LCase(Ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then blnEnabled = True End If Next
If blnEnabled Then WScript.Echo "The user cannot change his or her password." Else WScript.Echo "The user can change his or her password." End If