Change password at next logon without resetting password or using

Post by QnJpYW4gRW » Fri, 11 Jan 2008 02:22:03


Greetings!

We had to dismiss two admin-level IT employees suddenly. They knew many end
user passwords at the company. Changing all of the admin passwords is no
problem, it's the end user passwords we're concerned about. Here is what we
want to accomplish:

- We want to force all users to change their passwords at the very next logon

We do already employ a GPO that governs Password Policy, and it works great.
Every 60 days users must change their passwords and the minimum age of a
password is 5 days. Password History remembers 3 passwords, so it's
difficult for them to use the same password over and over.

Now, however, we need everyone to change their passwords relatively
immediately. We've been instructed *NOT* to make this public knowledge by
sending a general email asking everyone to change their passwords, which
would be the easiest method. So, two questions come to mind:

1. If, in Active Directory, we use the "Reset Password" function, can we
leave the password fields blank but select the "User must change password at
next logon" and have the users' current passwords still work at the next
logon but have them still get prompted to immediately change their passwords?

2. Is there a way to force password changes *at next logon* using a
temporary GPO, and if so, how do we determine when all of the passwords have
been changed? There may be some employees who do not log in for a week or
more, due to vacations and such.

I've done a little research but haven't found these answers yet, and I'm
pressed for time. I appreciate your assistance.

TIA

Change password at next logon without resetting password or using

Post by Richard Mu » Fri, 11 Jan 2008 04:21:50


You want to assign the value 0 (zero) to the pwdLastSet attribute of all
user objects. This expires the password so the user must change it the next
time they log on (if their passwords expire). You can use a script or a
command line utility, like csvde, to do this.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.yqcomputer.com/
--


Change password at next logon without resetting password or using

Post by Richard Mu » Fri, 11 Jan 2008 05:29:27

A VBScript program to expire the password for all users in an OU:
=============
' Bind to OU, using Distinguished Name of the OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Filter on user objects.
objOU.Filter = Array("user")

' Enumerate all users in OU.
For Each objUser In objOU
    ' Expire the password.
    objUser.pwdLastSet = 0
    objUser.SetInfo
Next
=============
A VBScript program using ADO to retrieve the Distinguished Names of all
users, then bind to each user object and expire the password, would be:
===========
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve Distinguished Name.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Bind to the user object.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Expire the password.
    objUser.pwdLastSet = 0
    ' Save changes.
    objUser.SetInfo
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
===========


--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.yqcomputer.com/
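As an added example (not code from this thread or from Richard's scripts), the same pwdLastSet = 0 change done with the RSAT ActiveDirectory PowerShell module, plus the check the original poster asked for in question 2: which users still have pwdLastSet = 0 and so have not changed their password yet. It also flags accounts whose password never expires, where pwdLastSet = 0 does not force a change. The OU DN is the one from the VBScript above; the two function names are this example's own.

```powershell
# Added example, not code from the thread. Requires the RSAT ActiveDirectory
# module and an account with write access to pwdLastSet in the target OU.
Import-Module ActiveDirectory

$UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl flag: "password never expires"

# Expire every enabled user in the OU by zeroing pwdLastSet, the same change
# the VBScript makes. Supports -WhatIf so the scope can be checked first.
function Set-OuPasswordExpired {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -Filter 'enabled -eq $true' -Properties userAccountControl |
        ForEach-Object {
            if ($_.userAccountControl -band $UF_DONT_EXPIRE_PASSWD) {
                # pwdLastSet = 0 is ignored for these accounts, so report them
                # instead of silently leaving them unchanged.
                Write-Warning "$($_.SamAccountName): password never expires, pwdLastSet = 0 will not prompt"
            } elseif ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set pwdLastSet = 0')) {
                Set-ADUser -Identity $_ -Replace @{ pwdLastSet = 0 }
            }
        }
}

# A user whose pwdLastSet is still 0 has not logged on and changed the
# password yet; once they do, AD stores the change time there.
function Get-PendingPasswordChange {
    param([Parameter(Mandatory)][string]$SearchBase)

    Get-ADUser -SearchBase $SearchBase -Filter 'enabled -eq $true' `
               -Properties pwdLastSet, PasswordLastSet, LastLogonDate |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Status          = if ($_.pwdLastSet -eq 0) { 'PENDING' } else { 'CHANGED' }
                PasswordLastSet = $_.PasswordLastSet   # empty while pending
                LastLogonDate   = $_.LastLogonDate     # helps spot users on leave
            }
        }
}

# Usage: preview the scope, then list who still has to change.
$ou = 'OU=Sales,OU=West,DC=MyDomain,DC=com'
Set-OuPasswordExpired -SearchBase $ou -WhatIf
Get-PendingPasswordChange -SearchBase $ou |
    Where-Object Status -eq 'PENDING' | Format-Table -AutoSize
```

Run the report again each morning until it comes back empty; users who have not logged on (vacations and such) stay PENDING without needing any further action.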