Your network contains an Active Directory forest named contoso.com. The forest contains a single domain. The domain contains two domain controllers named DC1 and DC2 that run Windows Server 2012 R2. The domain contains a user named User1 and a global security group named Group1. You need to prevent User1 from changing his password. The solution must minimize administrative effort.
Which cmdlet should you run?
A . Add-AdPrincipalGroupMembership
B . Install-AddsDomainController
C . Install-WindowsFeature
D . Install-AddsDomain
E . Rename-AdObject
F . Set-AdAccountControl
G . Set-AdGroup
H . Set-User
Answer: F
Explanation:
The Set-ADAccountControlcmdlet modifies the user account control (UAC) values for an Active Directory user or computer account. UAC values are represented by cmdlet parameters.
CannotChangePassword
Modifies the ability of an account to change its password. To disallow password change by the account set this to $true. This parameter changes the Boolean value of the CannotChangePassword property of an account.
The following example shows how to specify the PasswordCannotChange parameter.
-CannotChangePassword $false
References:
http://technet.microsoft.com/en-us/library/ee617249.aspx
http://technet.microsoft.com/en-us/library/hh974723.aspx
http://technet.microsoft.com/en-us/library/hh974722.aspx