[python-win32] Querying Password Change Privilege on an Active Directory User Account

Gooch, John John.Gooch at echostar.com
Fri Jul 29 19:38:38 CEST 2005


I have a script that changes user passwords, and it throws exceptions when
executing the SetPassword() or SetInfo() commands on an AD user account that
it does not have "set password" privileges on. To avoid the exception being
thrown, I would like to have the script check whether or not it has
permission to change the password before trying to change it (make sense?),
but I cannot find any good documentation on this after a few hours of
Googling for it.

Does anyone have guidance (or better yet, an answer) on figuring out how to
implement this?

Here is a small snippet of the code I have now:
 
 
      adsuser = getADSUser( trans.adspath ) # Retrieve a copy of the user's AD account
      if ( adsuser ):
         trans.email = adsuser.mail
         trans.firstname = adsuser.givenName
         trans.lastname = adsuser.sn
         trans.displayname = adsuser.displayname
         #trans.pwdLastChanged1 = adsuser.PasswordLastChanged
         #trans.pwdLastChanged1 = time.strftime( "%Y-%m-%d %H:%M:%S", time.gmtime( adsuser.PasswordLastChanged ) )
         trans.pwdLastChanged1 = str( adsuser.PasswordLastChanged )
         error = NewPassword( trans )
         if ( not error ):
            if ( validEmail( trans.email ) ):
               try:
                  # Debug output: this writes the new password in clear text
                  print "new password is %s" % trans.password
                  adsuser.SetPassword( trans.password )
                  #x=1
                  #adsuser.SetInfo()
                  print "Password change successful. %s" % trans.username
               except pythoncom.com_error, error:
                  #print "Password change failed. for %s" % trans.username
                  return "Set Password failure. COM Error:%s" % str( error )
               except Exception, error:
                  return "Set Password failure. General Error:%s" % str( error )
               try:
                  adsuser = None
                  adsuser = getADSUser( trans.adspath ) # Retrieve a copy of the user's AD account
                  trans.pwdLastChanged2 = str( adsuser.PasswordLastChanged )
               except:
                  # No format arguments here: the message has no %s fields and
                  # pwdLastChanged2 is not set when the lookup fails
                  return "Password change verification failure - Unable to retrieve PasswordLastChanged Timestamp after changing the password."

               if ( trans.pwdLastChanged1 == trans.pwdLastChanged2 ):
                  return "Password change verification failure - PasswordLastChange Value did not change after executing the SetPassword Command.Before:%s Date After Date:%s" % ( trans.pwdLastChanged1, trans.pwdLastChanged2 )
               else:
                  #print "Password change verification success - PasswordLastChange Value did change after executing the SetPassword Command.Before:%s Date After Date:%s" % ( trans.pwdLastChanged1, trans.pwdLastChanged2 )
                  return None

Thank You,

John A. Gooch
"May the Python-force be with you...always." 
Systems Administrator 
EchoStar Satellite L.L.C. 
Desk: 720-514-5708 
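One way to approach the pre-check asked about above, as an added example that is not part of the original post: evaluate the target account's DACL for the "Reset Password" control access right, which is the right SetPassword() needs. It assumes the account's nTSecurityDescriptor has already been read as an SDDL string and that the caller's token SIDs are given in the form the SDDL uses; the function names and the sample DACL are constructed, and the check is simplified (no alias expansion, inherited-object GUIDs ignored), so the exception handlers around SetPassword() still have to stay.

```python
import re

# rightsGuid of the "Reset Password" control access right (User-Force-Change-Password)
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"
CONTROL_ACCESS = 0x100       # ADS_RIGHT_DS_CONTROL_ACCESS ("CR" in SDDL)
GENERIC_ALL = 0x10000000     # "GA" in SDDL

# Constructed sample DACL for a user object; the SIDs are made up.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(OD;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1105)"
    "(OA;;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1104)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"   # Change Password only
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"                # full control
    "(OA;CIIOID;CR;00299570-246d-11d0-a768-00aa006e0529;;S-1-5-21-1-2-3-1106)"
)

def pairs(text):
    """Split SDDL two-letter codes ("CIIOID" -> {"CI", "IO", "ID"})."""
    return {text[i:i + 2] for i in range(0, len(text), 2)}

def dacl_aces(sddl):
    """Yield (type, flags, rights, object_guid, trustee) for each DACL ACE."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj, _inherited, trustee = body.split(";")[:6]
        yield ace_type, flags, rights, obj.lower(), trustee

def covers_control_access(rights):
    """True if the ACE's rights field includes control access (or generic all)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (CONTROL_ACCESS | GENERIC_ALL))
    return bool(pairs(rights) & {"CR", "GA"})

def can_reset_password(sddl, token_sids):
    """The first applicable ACE decides, which is how ordered allow/deny ACEs
    resolve for a single right. token_sids: trustees as written in the SDDL."""
    for ace_type, flags, rights, obj, trustee in dacl_aces(sddl):
        if "IO" in pairs(flags) or trustee not in token_sids:
            continue        # inherit-only, or the ACE is for someone else
        if not covers_control_access(rights) or obj not in ("", RESET_PASSWORD):
            continue        # other rights, or a different extended right
        return ace_type in ("A", "OA")   # "D"/"OD" are deny ACEs
    return False            # no matching ACE: implicit deny

if __name__ == "__main__":
    print(can_reset_password(SAMPLE_SDDL, {"S-1-5-21-1-2-3-1104"}))
```

A True result only says the DACL allowed the reset at the time it was read; the ACL can change before SetPassword() runs, and password policy failures surface as COM errors regardless.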

 
 
 