Force password expiry?


craigstern

Hi, was curious to find out if there is a way to perform two tasks,
those being:

1) Select users defined within a specific OU and expire their passwords

and

2) Select users who have their account set to "Password does not
expire" and remove this setting.


The reason is that we just implemented a policy which states that we
must change our password every 90 days. I have already defined this in
the default domain policy, but many users (at least 500 of them) have
"password does not expire" defined on their account.

Any ideas that will make my life easier :)

Thanks,
Craig.
 
Hi,

VBScript programs can handle this. For task 1, bind to the OU, filter on
user objects, enumerate user objects. For each user, make sure it is not a
computer, assign 0 to the pwdLastSet attribute and save changes by invoking
the SetInfo of the user object. For example:
===============
Option Explicit
Dim objOU, objUser

' Bind to the OU. Enumerating a container this way is one level deep.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Filter on objects of class user, which includes
' both user and computer objects.
objOU.Filter = Array("user")
For Each objUser In objOU
    ' Skip computer objects (their Class is "computer").
    If (objUser.Class = "user") Then
        ' pwdLastSet = 0 forces a password change at next logon.
        objUser.pwdLastSet = 0
        objUser.SetInfo
    End If
Next
===============

Task 2 can use ADO to retrieve users where the userAccountControl attribute
has the ADS_UF_DONT_EXPIRE_PASSWD bit set. The ADO filter to retrieve all
such users would be:

strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"



ADO cannot be used to modify attributes, so the query would return the
distinguishedName of each user. You would enumerate the users found, bind to
each user object with the retrieved distinguishedName, retrieve
userAccountControl, Xor the value with the bit mask for
ADS_UF_DONT_EXPIRE_PASSWD to toggle the bit off, then save by invoking the
SetInfo method. For example:

==============

Option Explicit

Dim objCommand, objConnection, strBase, strFilter, strAttributes
Dim strQuery, objRecordSet, strDN, objUser, lngFlag
Dim objRootDSE, strDomainDN

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Setup ADO objects and connect to AD.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Retrieve the distinguished name of the domain
' (for example dc=MyDomain,dc=com).
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomainDN = objRootDSE.Get("defaultNamingContext")

' Specify the base of the ADO query.
' We search the entire domain.
strBase = "<LDAP://" & strDomainDN & ">"

' Specify the LDAP filter. This retrieves users configured
' so their password never expires. 1.2.840.113556.1.4.803 is the
' bitwise AND matching rule; 65536 = &H10000 = ADS_UF_DONT_EXPIRE_PASSWD.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

' Specify the attribute values to retrieve.
strAttributes = "distinguishedName,userAccountControl"

' Construct the query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

' Query AD.
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Enumerate the recordset.
Do Until objRecordSet.EOF
    ' Retrieve distinguishedName.
    strDN = objRecordSet.Fields("distinguishedName").Value

    ' Retrieve value of userAccountControl attribute.
    lngFlag = objRecordSet.Fields("userAccountControl").Value

    ' Bind to the user object.
    Set objUser = GetObject("LDAP://" & strDN)

    ' Toggle bit for ADS_UF_DONT_EXPIRE_PASSWD so the bit is off.
    ' Xor is safe here only because the filter guarantees the bit
    ' is currently set on every returned user.
    lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD

    ' Save changes.
    objUser.userAccountControl = lngFlag
    objUser.SetInfo

    objRecordSet.MoveNext
Loop

' Clean up.
objRecordSet.Close
objConnection.Close
Set objUser = Nothing
Set objCommand = Nothing
Set objRecordSet = Nothing
Set objConnection = Nothing

==============
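For anyone doing this today, here are the same two tasks in PowerShell with the RSAT ActiveDirectory module. This is an added example, not code from either post above. The OU distinguished name and the 90-day maximum age are assumptions. It adds two checks the VBScript skips: accounts with SPNs (probably service accounts) are reported rather than changed, and it warns when clearing the flag will expire a password at the very next logon because it is already older than the maximum age. It also runs task 2 before task 1, because Set-ADUser refuses -ChangePasswordAtLogon on an account that still has PasswordNeverExpires set.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory
# module; the OU DN and the 90-day maximum age are assumptions.
Import-Module ActiveDirectory

# Same bit the VBScript toggles (ADS_UF_DONT_EXPIRE_PASSWD = &H10000).
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-NeverExpiringUser {
    # Task 2, query half: the same LDAP bitwise-AND filter as the ADO query,
    # optionally scoped to one OU.
    param([string]$SearchBase)

    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_DONT_EXPIRE_PASSWD))"
    $params = @{
        LDAPFilter = $filter
        Properties = 'PasswordLastSet', 'ServicePrincipalName', 'userAccountControl'
    }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    Get-ADUser @params
}

function Clear-PasswordNeverExpires {
    # Task 2, modify half. Run with -WhatIf first: once the flag is cleared,
    # any password older than the domain maximum age is expired at the next
    # logon, which is exactly how a forgotten service account breaks.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$MaxPasswordAgeDays = 90
    )
    process {
        if ($User.ServicePrincipalName) {
            Write-Warning "$($User.SamAccountName): has SPNs, probably a service account; skipped"
            return
        }
        if ($User.PasswordLastSet) {
            $ageDays = [int]((Get-Date) - $User.PasswordLastSet).TotalDays
        } else {
            $ageDays = -1   # pwdLastSet is 0: already "must change at next logon"
        }
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, 'Clear PasswordNeverExpires')) {
            # Clears the UAC bit; unlike Xor it is safe to run twice.
            Set-ADUser -Identity $User -PasswordNeverExpires $false
            if ($ageDays -gt $MaxPasswordAgeDays) {
                Write-Warning "$($User.SamAccountName): password is $ageDays days old and will expire at next logon"
            }
        }
    }
}

function Set-OUPasswordExpired {
    # Task 1: force a password change (pwdLastSet = 0) for every user in one OU.
    # OneLevel matches the VBScript's container enumeration. Get-ADUser never
    # returns computer objects, so the "Class = user" check is not needed.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$OU)

    foreach ($u in Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * -Properties PasswordNeverExpires) {
        # Set-ADUser refuses ChangePasswordAtLogon on an account that still has
        # PasswordNeverExpires set, so task 2 has to run before task 1.
        if ($u.PasswordNeverExpires) {
            Write-Warning "$($u.SamAccountName): PasswordNeverExpires still set; clear it first"
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Force password change at next logon')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }
}

# Dry run of both tasks in the right order; drop -WhatIf to apply.
Get-NeverExpiringUser | Clear-PasswordNeverExpires -WhatIf
Set-OUPasswordExpired -OU 'OU=Sales,OU=West,DC=MyDomain,DC=com' -WhatIf
```

Keep the -WhatIf run's output: the list of users whose passwords are already past the maximum age is the set that will be locked out of everything except an interactive logon the morning after you apply this, so it is worth a heads-up mail before flipping the switch.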
 