Preventing a User Password Change

Applies To: Windows Server 2008 R2

This topic explains how to use the Active Directory module for Windows PowerShell to prevent a user from changing his or her password.


The following example demonstrates how to prevent the user JaneDow from changing her password.

Set-ADAccountControl -Identity JaneDow -CannotChangePassword $true

Additional information

You can use the following parameters when you set many of the common values that are associated with user account control in Active Directory Domain Services (AD DS).

  • -AllowReversiblePasswordEncryption

  • -TrustedForDelegation

  • -PasswordNeverExpires

  • -AccountNotDelegated

  • -DoesNotRequirePreAuth

  • -TrustedToAuthForDelegation

  • -UseDESKeyOnly

  • -PasswordNotRequired

  • -CannotChangePassword

  • -Enabled

  • -HomedirRequired

  • -MNSLogonAccount

For a full explanation of the parameters that you can pass to Set-ADAccountControl, at the Active Directory module command prompt, type Get-Help Set-ADAccountControl –detailed, and then press ENTER.