
Vista - Provision User must change password at next logon, if password changed, set password never expire

04-02-2009   #1
klam10411


 
 

Provision User must change password at next logon, if password changed, set password never expire

Hi All,

I am looking for help in being able to create a script that will
provision a specific OU of users. New users will be created with the
flag set for "User must change password at next logon". I can have the
script run weekly, to check if users in that OU have changed their
password, if so, then set their "Password never expire".

The closest I found was this script
http://groups.google.com/group/micro...73f478f4e87e62

Any help will be much appreciated.

04-02-2009   #2
Richard Mueller [MVP]


 
 

Re: Provision User must change password at next logon, if password changed, set password never expire


<klam10411@xxxxxx> wrote in message
news:cb17813d-ca20-440f-afa7-587db4cc4466@xxxxxx
> Hi All,
>
> I am looking for help in being able to create a script that will
> provision a specific OU of users. New users will be created with the
> flag set for "User must change password at next logon". I can have the
> script run weekly, to check if users in that OU have changed their
> password, if so, then set their "Password never expire".
>
> The closest I found was this script
> http://groups.google.com/group/micro...73f478f4e87e62
>
> Any help will be much appreciated.

To set "user must change password at next logon", assign 0 to the pwdLastSet
attribute. Thereafter any non-zero value means the password has been set at
least once. To assign the setting "password never expires" you set a bit of
the userAccountControl attribute, using the bit mask
ADS_UF_DONT_EXPIRE_PASSWD (with a hex value of &H10000).

If the users in the OU exist, configure to force password changes with code
similar to:
=========
' Bind to OU with Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Filter on users.
objOU.Filter = Array("user")

' Enumerate all users in the OU.
For Each objUser In objOU
    ' Expire password, so user must change password at next logon.
    objUser.pwdLastSet = 0
    ' Save change.
    objUser.SetInfo
Next
========
A script to run periodically to check if the password has been changed and
then set "password never expires" could be similar to:
========
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Bind to OU with Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Filter on users.
objOU.Filter = Array("user")

' Enumerate all users in the OU.
For Each objUser In objOU
    ' pwdLastSet is a 64-bit value that ADSI returns as an
    ' IADsLargeInteger object, so test HighPart and LowPart
    ' instead of comparing the attribute to 0 directly.
    Set objPwdLastSet = objUser.pwdLastSet
    ' Check if password has been set.
    If (objPwdLastSet.HighPart <> 0) Or (objPwdLastSet.LowPart <> 0) Then
        ' Configure user so password never expires.
        lngFlag = objUser.userAccountControl
        lngFlag = lngFlag Or ADS_UF_DONT_EXPIRE_PASSWD
        objUser.userAccountControl = lngFlag
        objUser.SetInfo
    End If
Next
=======
If you are creating users, and want to specify an initial password and
configure so the user must change it at first logon, the script to create
one user could be similar to below:
=========
' Bind to OU with Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

' Specify "Common Name" of new user (or prompt for this value).
strCN = "Jim Smith"

' Specify the "pre-Windows 2000 logon name" (or prompt for this value).
strNTName = "JSmith"

' Create the new user object.
Set objUser = objOU.Create("user", "cn=" & strCN)
' Assign mandatory attributes.
objUser.sAMAccountName = strNTName
' Save new object in AD.
objUser.SetInfo

' Assign initial password (SetPassword is a method, not a property).
objUser.SetPassword "xZy$321#"

' Enable the user account.
objUser.AccountDisabled = False

' Expire the password.
objUser.pwdLastSet = 0

' Save changes.
objUser.SetInfo
=========
Or you might want to use an example VBScript program that creates users from
the information in an Excel spreadsheet linked here:

http://www.rlmueller.net/CreateUsers.htm

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
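
Added example, not part of Richard Mueller's post: a read-only report over the same placeholder OU that shows each user's state before the periodic script changes anything. It reads pwdLastSet through its HighPart/LowPart properties and converts it to a UTC date; the function name LargeIntToDate and the output wording are assumptions of this example.

```vbscript
Option Explicit

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim objOU, objUser, objLarge, lngFlag, strState

' Same placeholder OU as in the scripts above.
Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")
objOU.Filter = Array("user")

For Each objUser In objOU
    ' pwdLastSet comes back as an IADsLargeInteger object.
    Set objLarge = objUser.pwdLastSet
    lngFlag = objUser.userAccountControl

    If (objLarge.HighPart = 0) And (objLarge.LowPart = 0) Then
        strState = "must change password at next logon"
    Else
        strState = "password last set (UTC) " & LargeIntToDate(objLarge)
    End If

    ' Report whether the "password never expires" bit is already set.
    If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
        strState = strState & "; password never expires"
    End If

    Wscript.Echo objUser.sAMAccountName & ": " & strState
Next

' Hypothetical helper: convert 100-nanosecond intervals since
' 1601-01-01 (UTC) into a VBScript date.
Function LargeIntToDate(objValue)
    Dim lngHigh, lngLow
    lngHigh = objValue.HighPart
    lngLow = objValue.LowPart
    ' LowPart is a signed 32-bit value; compensate when it is negative.
    If lngLow < 0 Then lngHigh = lngHigh + 1
    ' 600000000 intervals per minute, 1440 minutes per day.
    LargeIntToDate = #1/1/1601# + (((lngHigh * (2 ^ 32)) + lngLow) / 600000000) / 1440
End Function
```

The script makes no changes, so running it with cscript before and after the weekly job shows which accounts the job altered.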

