Change password policy

  • Thread starter Thread starter Misaro
  • Start date Start date
M

Misaro

At this moment we have a domain with 300 users, no
password policy set so far, .Now we need to set a
password policy (minimun password 6 characters)

So, the problem is I need to find a way to do it
simultaneously on all users. On this way enforce all users
to change the password as soon as possible

Thanks any comments !
 
Misaro said:
At this moment we have a domain with 300 users, no
password policy set so far, .Now we need to set a
password policy (minimun password 6 characters)

So, the problem is I need to find a way to do it
simultaneously on all users. On this way enforce all users
to change the password as soon as possible
Click to expand...
Hi

The password complexity policy is a domain security policy that
will apply for all users at the same moment as you enable the
policy.

Then I would have used a script that expired all user's password
so they was forced to change password next time they log on.

If you need help with this script, say so, and describe your
environment.

1) Is this a NT4 or AD domain?

2) If AD, are the users in the same container/OU or in few or
spread around in many?

3) Will you need to "spare" some users, or is it OK to do this
on absolutely all users in the domain (and then you can eventually
undo the "User must change password at next logon" on a few users
using the admin GUI?
 
I need to apply it to all users in differents OU's at the
same time .you talked about an script I would like to find
it and if you can do it Explain me how may I use it ?

Thanks !!
 
If you have an XP Pro computer on the domain you can install Adminpak for
Windows 2003 on it, logon as domain admin [make sure computer is known
secure] and use the Active Directory tools such as dsquery and dsmod for
user to find users and set their accounts to require change password at next
logon. You can pipe the results of dsquery to dsmod. --- Steve

http://www.microsoft.com/windowsxp/...SXP/home/using/productdoc/en/dsquery_user.asp
http://www.microsoft.com/windowsxp/...OWSXP/home/using/productdoc/en/dsmod_user.asp

Examples
To find all computers that have been inactive for the last four weeks and
remove them from the directory, type:

dsquery computer -inactive 4 | dsrm

To find all users in the organizational unit
OU=Marketing,DC=Microsoft,DC=Com and add them to the Marketing Staff group,
type:

dsquery user OU=Marketing,DC=Microsoft,DC=Com | dsmod group "CN=Marketing
Staff,OU=Marketing,DC=Microsoft,DC=Com" -addmbr
To find all users with names starting with "Mike" and display their office
numbers, type:

dsquery user -name Mike* | dsget user -office
 
Misaro said:
I need to apply it to all users in differents OU's at the
same time .you talked about an script I would like to find
it and if you can do it Explain me how may I use it ?
Click to expand...
Hi

Put the VBScript below in a .vbs file and run it by double clicking on
it in Explorer. It will put out a message box for each OU it is about
to process (press OK to let the script continue).

You will need to create a text file with the OU paths where there are
users you want to expire the password for (update the path in the sFile
variable to correct path/name).

The text file with the OU list needs to be like this, each full OU path
on a seperate line:

OU=Spain,OU=Users
OU=Test,OU=Spain,OU=Users


The VBScript file:

'--------------------8<----------------------


Const OpenAsDefault = -2
Const FailIfNotExist = 0
Const ForReading = 1

sFile = "c:\scripts\OUList.txt"

Set oFSO = CreateObject("Scripting.FileSystemObject")

Set fFile = oFSO.OpenTextFile(sFile, ForReading, _
FailIfNotExist, OpenAsDefault)

aOUs = Split(fFile.ReadAll, vbNewLine)
fFile.Close

' Determine the DNS domain from the RootDSE object.
Set oRootDSE = GetObject("LDAP://RootDSE")
sDNSDomain = oRootDSE.Get("defaultNamingContext")

' verify that we can connect to all OUs before we start
' modifying the user objects
For Each sOU In aOUs
If sOU <> "" Then
On Error Resume Next
sLDAPPath = "LDAP://" & sOU & "," & sDNSDomain
Set oTargetOU = GetObject(sLDAPPath)
If Err.Number <> 0 Then

MsgBox "Quitting (no users changed), could not connect to path " _
& sLDAPPath, vbCritical + vbSystemModal, "Expire Password"
WScript.Quit
End If
End If
Next
On Error Goto 0

' start changing the user objects
For Each sOU In aOUs
If sOU <> "" Then
sLDAPPath = "LDAP://" & sOU & "," & sDNSDomain
MsgBox "About to enumerate users in path " & sLDAPPath, _
vbInformation + vbSystemModal, "Expire Password"
Set oTargetOU = GetObject(sLDAPPath)
oTargetOU.Filter = Array("user")
For Each oUser In oTargetOU
If Left(oUser.ObjectCategory, 9) = "CN=Person" Then
oUser.pwdLastSet = Clng(0)
' Save changes
oUser.SetInfo
End If
Next
End If
Next

MsgBox "Done!", vbInformation + vbSystemModal, "Expire Password"


'--------------------8<----------------------
 
Back
Top