How to Prevent a User from Changing Their Password in Batch Script

In specific environments, such as kiosks, classroom labs, or shared service accounts, you may want to prevent users from changing their assigned password. This keeps the administrator in full control of the credentials and prevents a single user from locking others out of a shared system. While you can toggle this setting in Active Directory or Computer Management, a Batch script lets you apply it instantly across multiple local or domain accounts. This guide explains how to use the net user command to lock down password privileges.

Why Prevent Password Changes?

  • Shared Kiosk Security: Ensuring that a public-facing account always uses the same, hard-coded credentials that are managed by IT.
  • Service Account Integrity: Preventing accidental password updates on background accounts that could break scheduled tasks or databases.
  • Training Lab Management: Keeping lab environments consistent by ensuring students don't change their account passwords during a session.

Local vs. Domain

The net user command targets the Local computer by default. In a professional network environment, you must add the /domain flag to push this setting to the centralized Active Directory database.

Method 1: Blocking Password Changes

The /passwordchg flag is the specific switch used to control a user's ability to update their own credentials.

@echo off
setlocal EnableExtensions

:: Check for admin rights (net session fails without elevation)
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

set "USN="
set /p "USN=Username to restrict: "

:: set /p leaves the variable undefined when the user just presses Enter
if not defined USN (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

set "FOUND=0"
set "DOMFLAG="

:: Check LOCAL user
net user "%USN%" >nul 2>&1
if %errorlevel% equ 0 (
    set "FOUND=1"
    set "MODE=local"
)

:: Check DOMAIN user only if the local lookup failed.
:: %errorlevel% inside a parenthesised block is expanded when the block is
:: parsed, so it would not see the result of the net user call above it;
:: "if not errorlevel 1" is evaluated at run time and does.
if "%FOUND%"=="0" (
    net user "%USN%" /domain >nul 2>&1
    if not errorlevel 1 (
        set "FOUND=1"
        set "MODE=domain"
        set "DOMFLAG=/domain"
    )
)

if "%FOUND%"=="0" (
    echo [ERROR] User "%USN%" not found locally or in domain.
    pause
    exit /b 1
)

echo [INFO] User found in %MODE% account database.
echo [PROCESS] Locking password change permission for "%USN%"...

:: Pass /domain only when the account was found in Active Directory
net user "%USN%" /passwordchg:no %DOMFLAG%

if %errorlevel% equ 0 (
    echo [SUCCESS] User can no longer change their password.
    echo [NOTE] Admins can still reset it.
) else (
    echo [ERROR] Failed to update. Error code: %errorlevel%
)

pause
endlocal

Method 2: Restoring Password Privileges

If you want to allow the user to change their password again (the standard setting), set the flag to yes.

@echo off
setlocal EnableExtensions

:: Check for admin rights
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] Administrator privileges are required.
    pause
    exit /b 1
)

set "USN="
set /p "USN=Username to unrestrict: "

:: set /p leaves the variable undefined when nothing is typed
if not defined USN (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

echo [PROCESS] Restoring password permissions for "%USN%"...

:: Append /domain to this command for an Active Directory account
net user "%USN%" /passwordchg:yes

if %errorlevel% equ 0 (
    echo [SUCCESS] User now has the right to change their password.
) else (
    echo [ERROR] Failed to update. Code: %errorlevel%
)
pause
endlocal

Creating a Specialized "Account Lockdown" Script

This script lets an administrator quickly secure an account by both preventing password changes and setting the account itself to never expire (/expires:never), with full validation and a confirmation prompt before anything is modified.

@echo off
setlocal EnableExtensions EnableDelayedExpansion

echo ============================================================
echo Identity Privilege Lockdown Tool
echo ============================================================

:: 1. Verify Administrative Rights
net session >nul 2>&1
if !errorlevel! neq 0 (
    echo [CRITICAL] Admin privileges are REQUIRED.
    pause
    exit /b 1
)

:: 2. Get target account
set "TARGET="
set /p "TARGET=Account to Lockdown: "

if not defined TARGET (
    echo [ERROR] No account name entered.
    pause
    exit /b 1
)

:: Verify user exists
net user "!TARGET!" >nul 2>&1
if !errorlevel! neq 0 (
    echo [ERROR] User "!TARGET!" not found.
    pause
    exit /b 1
)

:: 3. Show current status
:: "User may change password" is the field that /passwordchg controls;
:: "Password changeable" is only the earliest date a change is allowed.
echo.
echo [CURRENT] Account status for "!TARGET!":
net user "!TARGET!" 2>nul | findstr /i /c:"User may change password" /c:"Password changeable" /c:"Password expires" /c:"Account expires" /c:"Account active"
echo.

:: 4. Confirm before applying (nothing is modified before this point)
set "CONFIRM="
set /p "CONFIRM=Lock down this account? (Y/N): "
if /i not "!CONFIRM!"=="Y" (
    echo [INFO] Cancelled. No changes made.
    pause
    exit /b 0
)

:: 5. Clear the conflicting "must change password at next logon" flag.
:: net user output does not report that flag by name, so it is cleared
:: unconditionally (harmless when not set) before /passwordchg:no is applied;
:: otherwise the user would be required to change a password they cannot change.
echo [INFO] Clearing any "Must change password at logon" flag first...
net user "!TARGET!" /logonpasswordchg:no >nul 2>&1

:: 6. Apply Lockdown Policies
echo [PROCESS] Configuring and locking "!TARGET!"...

:: /passwordchg:no = Block user from changing password
:: /expires:never  = Account never expires (account expiry, not password expiry)
net user "!TARGET!" /passwordchg:no /expires:never >nul 2>&1

if !errorlevel! equ 0 (
    echo [SUCCESS] Account is now locked to its current credentials.
    echo.
    echo [VERIFY] Updated status:
    net user "!TARGET!" 2>nul | findstr /i /c:"User may change password" /c:"Password expires" /c:"Account expires"
) else (
    echo [FAIL] Error updating account. Code: !errorlevel!
)

echo ============================================================
pause
endlocal

Common Pitfalls and How to Avoid Them

Administrative Rights

Users cannot lock their own account permissions. You must run your Batch script (and the CMD window) as an Administrator.

Conflict with "Must Change"

You cannot set logonpasswordchg:yes (Must Change) and passwordchg:no (Cannot Change) at the same time.

Wrong Way:

net user USN /logonpasswordchg:yes /passwordchg:no
:: This creates a paradox where the user MUST change it but CANNOT.

Tip

If both flags are applied together, the user cannot log on at all, because they cannot satisfy both requirements at once. Always ensure /logonpasswordchg is set to no before setting /passwordchg:no.

Best Practices for Account Security

  1. Use for Services: This is the "Gold Standard" for managing Service Accounts. Setting passwordchg:no ensures that the account remains stable even if someone gains temporary access to the session.
  2. Audit Regularly: Use a script to audit your "Kiosk" or "Shared" OUs to ensure no account has had their permissions accidentally restored.
  3. Document the Lock: Ensure the user knows they cannot change their password. If they try it via Ctrl+Alt+Del, they will receive a descriptive error: "Windows cannot change the password."
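The audit from item 2, as an added example that is not part of the original guide: it reads account names from a text file the administrator maintains (assumed here to be accounts.txt, one name per line) and reports every account whose "User may change password" field is no longer No. Pass /domain as the second argument for Active Directory accounts.

```batch
@echo off
setlocal EnableExtensions EnableDelayedExpansion

:: Usage: audit_passwordchg.cmd accounts.txt [/domain]
:: accounts.txt (assumed, maintained by the admin) holds one account name
:: per line; lines starting with # are comments.
if "%~1"=="" (
    echo Usage: %~nx0 accounts.txt [/domain]
    exit /b 2
)
if not exist "%~1" (
    echo [ERROR] Account list "%~1" not found.
    exit /b 2
)
set "DOMFLAG="
if /i "%~2"=="/domain" set "DOMFLAG=/domain"

set "DRIFT=0"
for /f "usebackq eol=# tokens=* delims=" %%A in ("%~1") do (
    set "STATE=unknown"
    rem "User may change password     Yes|No" is the field /passwordchg
    rem controls; token 5 of that line is the Yes/No value.
    for /f "tokens=5" %%B in ('net user "%%A" %DOMFLAG% 2^>nul ^| findstr /i /c:"User may change password"') do set "STATE=%%B"
    if /i "!STATE!"=="No" (
        echo [OK]    %%A - user cannot change password
    ) else if /i "!STATE!"=="Yes" (
        echo [DRIFT] %%A - user CAN change password, restriction was removed
        set /a DRIFT+=1
    ) else (
        echo [MISS]  %%A - account not found or net user failed
        set /a DRIFT+=1
    )
)
echo.
echo Accounts needing attention: %DRIFT%
:: Non-zero exit code lets a scheduled task or monitoring job flag the drift
exit /b %DRIFT%
```

Run it elevated from a scheduled task and alert on a non-zero exit code to catch restrictions that were silently reverted.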

Administrator Override

Note that an Administrator can still change the password for a user who has been blocked from doing it themselves. The /passwordchg:no flag only restricts the User from performing the action.

Conclusion

Preventing a user from changing their password via Batch script is a powerful tool for maintaining stability and control in specialized Windows environments. By leveraging the net user utility to lock down credential privileges, you can ensure that your kiosks, services, and labs remain consistent and secure against unauthorized user modifications. This professional approach to identity management reduces troubleshooting overhead, simplifies shared-account administration, and provides a clear, automated mechanism for enforcing your organization's operational standards across the entire Windows network.