Provision User must change password at next logon, if password changed, set password never expire

Post by klam1041 » Sat, 04 Apr 2009 03:28:07

Hi All,

I am looking for help in being able to create a script that will
provision a specific OU of users. New users will be created with the
flag set for "User must change password at next logon". I can have the
script run weekly to check if users in that OU have changed their
password; if so, then set their "Password never expires".

The closest I found was this script
http://www.yqcomputer.com/

Any help will be much appreciated.

Post by Richard Mu » Sat, 04 Apr 2009 05:17:30

To set "user must change password at next logon", assign 0 to the pwdLastSet
attribute. Thereafter any non-zero value means the password has been set at
least once. To assign the setting "password never expires" you set a bit of
the userAccountControl attribute, using the bit mask
ADS_UF_DONT_EXPIRE_PASSWD (with a hex value of &H10000).

If the users in the OU exist, configure to force password changes with code
similar to:
=========
' Bind to OU with Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Filter on users.
objOU.Filter = Array("user")

' Enumerate all users in the OU.
For Each objUser In objOU
    ' Expire password, so user must change password at next logon.
    objUser.pwdLastSet = 0
    ' Save change.
    objUser.SetInfo
Next
========
A script to run periodically to check if the password has been changed and
then set "password never expires" could be similar to:
========
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Bind to OU with Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Filter on users.
objOU.Filter = Array("user")

' Enumerate all users in the OU.
For Each objUser In objOU
    ' pwdLastSet is returned as an IADsLargeInteger object, so it cannot be
    ' compared to 0 directly; check both halves of the 64-bit value instead.
    Set objPwdLastSet = objUser.pwdLastSet
    If (objPwdLastSet.HighPart <> 0) Or (objPwdLastSet.LowPart <> 0) Then
        ' Password has been set at least once: configure so it never expires.
        lngFlag = objUser.userAccountControl
        ' Only write the object if the bit is not already set.
        If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
            objUser.userAccountControl = lngFlag Or ADS_UF_DONT_EXPIRE_PASSWD
            objUser.SetInfo
        End If
    End If
Next
=======
If you are creating users, and want to specify an initial password and
configure so the user must change it at first logon, the script to create
one user could be similar to below:
=========
' Bind to OU with Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Specify "Common Name" of new user (or prompt for this value).
strCN = "Jim Smith"

' Specify the "pre-Windows 2000 logon name" (or prompt for this value).
strNTName = "JSmith"

' Create the new user object.
Set objUser = objOU.Create("user", "cn=" & strCN)
' Assign mandatory attributes.
objUser.sAMAccountName = strNTName
' Save new object in AD (the object must exist before a password can be set).
objUser.SetInfo

' Assign initial password. SetPassword is a method, not a property, so it is
' called with the password as an argument rather than assigned with "=".
objUser.SetPassword "xZy$321#"

' Enable the user account.
objUser.AccountDisabled = False

' Expire the password, so the user must change it at next logon.
objUser.pwdLastSet = 0

' Save changes.
objUser.SetInfo
=========
Or you might want to use an example VBScript program that creates users from
the information in an Excel spreadsheet linked here:

http://www.yqcomputer.com/

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.yqcomputer.com/
--
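The weekly check described above, as an added example that is not from the thread, rewritten for the ActiveDirectory PowerShell module (RSAT). It assumes the module is installed, uses the same placeholder OU DN as the VBScript, and filters server-side so only accounts that have set a password and do not yet carry the flag are touched.

```powershell
# Added example (not the thread's own code): weekly job that marks accounts
# "password never expires" once the user has changed the initial password.
function Set-NeverExpireAfterFirstChange {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$OuDN   # e.g. 'OU=Sales,OU=West,DC=MyDomain,DC=com' (placeholder)
    )

    # Same bit the VBScript uses: ADS_UF_DONT_EXPIRE_PASSWD = &H10000 = 65536.
    $dontExpire = 0x10000

    # Server-side filter:
    #   (!(pwdLastSet=0))                      -> password set at least once
    #   (!(userAccountControl:1.2.840.113556.1.4.803:=65536))
    #                                          -> flag not already set (LDAP bit-AND matching rule)
    $ldap = "(&(objectCategory=person)(objectClass=user)(!(pwdLastSet=0))" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=$dontExpire)))"

    # The AD module returns pwdLastSet as Int64, so no IADsLargeInteger handling is needed here.
    $users = Get-ADUser -SearchBase $OuDN -SearchScope OneLevel -LDAPFilter $ldap `
                        -Properties pwdLastSet, userAccountControl

    foreach ($u in $users) {
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set PasswordNeverExpires')) {
            Set-ADUser -Identity $u -PasswordNeverExpires $true
        }
        # Emit one record per account for the job log so the change is auditable.
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            PwdLastSet     = [DateTime]::FromFileTime($u.pwdLastSet)
            Changed        = -not $WhatIfPreference
        }
    }
}

# Review first with -WhatIf, then run for real:
# Set-NeverExpireAfterFirstChange -OuDN 'OU=Sales,OU=West,DC=MyDomain,DC=com' -WhatIf
# Set-NeverExpireAfterFirstChange -OuDN 'OU=Sales,OU=West,DC=MyDomain,DC=com'
```

Accounts carrying this flag are exempt from the domain's maximum password age, so keep the job's output as a record of which accounts were exempted and when.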

Post by klam1041 » Sun, 05 Apr 2009 04:53:04

Richard,

Thank you for your help; I will give this a shot.