Re: removing the "password never expires" setting from LOCAL user (not Active Directory) accounts

From: Richard Mueller [MVP] (rlmueller-NOSPAM_at_ameritech.NOSPAM.net)
Date: 03/10/04


Date: Wed, 10 Mar 2004 11:23:37 -0600

Hi,

The code shouldn't set "User must change password at next logon". Perhaps
this was set before and masked by the "Password never expires" setting, or
the user never set their password.

In any case, you remove the "User must change password at next logon"
setting for a local user by assigning zero to the PasswordExpired attribute
exposed by the WinNT provider:

objLocalUser.Put "PasswordExpired", 0
objLocalUser.SetInfo

To set this flag, you assign the value 1.

Note that with the LDAP provider, you assign the value 0 to the pwdLastSet
attribute to expire the password, and -1 to reset this flag so the user must
change the password at next logon. It can be confusing.

-- 
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
"corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
news:216bf30e.0403100617.bda757b@posting.google.com...
> Richard,
>
> Thanks for the help... I was originally getting errors that said the
> ADS object was not available.  That's why I thought it was a provider
> problem.
>
> At any rate, here's what I have now:
>
> strMyComputer = "."
> Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
>
> Set objLocalComputer = GetObject("WinNT://" & strMyComputer)
> objLocalComputer.Filter = Array("User")
>
> For Each objLocalUser In objLocalComputer
>     lngFlags = objLocalUser.Get("userFlags")
>     If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
>         lngFlags = lngFlags Xor ADS_UF_DONT_EXPIRE_PASSWD
>         objLocalUser.Put "userFlags", lngFlags
>         objLocalUser.SetInfo
>     End If
> Next
>
> This does indeed remove the "Password never expires" option but it
> places a check in the "User must change password at next logon" box.
> I don't want that either!!! Is there simply anyway to just turn off
> the password never expires option if it is set???
>
> Thanks,
>
> --CW
>
> "Richard Mueller [MVP]" <rlmueller-NOSPAM@ameritech.NOSPAM.net> wrote in message news:<eA7V70hBEHA.3284@TK2MSFTNGP09.phx.gbl>...
> > Hi,
> >
> > For this setting (password never expires), you can handle the userFlags
> > attribute exposed by the WinNT provider in exactly the same way as you
> > would handle the userAccountControl attribute exposed by the LDAP provider.
> > The bit mask is also the same. For example, for one user:
> >
> > Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
> > Set objUser = GetObject("WinNT://MyComputer/TestUser,user")
> > lngFlags = objUser.Get("userFlags")
> > If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
> >   lngFlags = lngFlags Xor ADS_UF_DONT_EXPIRE_PASSWD
> >   objUser.Put "userFlags", lngFlags
> >   objUser.SetInfo
> > End If
> >
> > Note that you test a bit using the "And" operator (any non zero result
> > means the bit is set), you set a bit with the "Or" operator, and you toggle
> > a bit with the "Xor" operator. In this case, to un-set the bit, you must
> > toggle it, but only if it is already set. You can modify this to loop
> > through all local users.
> >
> > From the TechNet Script Center, this example does the opposite of what
> > you want:
> >
> > http://www.microsoft.com/technet/community/scriptcenter/user/scrug115.mspx
> >
> > -- 
> > Richard
> > Microsoft MVP Scripting and ADSI
> > HilltopLab web site - http://www.rlmueller.net
> > --
> >
> > "corn29@ no_spam excite.com" <corn29@excite.com> wrote in message
> > news:216bf30e.0403091255.722ee75c@posting.google.com...
> > > Hello,
> > >
> > > I want to ensure the password never expires setting is removed from
> > > LOCAL (Windows 2000 member servers and workstations) accounts.  I've
> > > looked through past posts and I see posts that talk about querying and
> > > setting this property, and removing it from domain accounts... again,
> > > I want to remove this setting from LOCAL accounts (I need to use the
> > > WinNT provider and not the LDAP provider)
> > >
> > > If I'm talking about AD accounts, then I can simply check the value of
> > > ADS_UF_DONT_EXPIRE_PASSWD (not equal to 0) and toggle the bit off with
> > > Xor.  Most of the examples out there deal with this type of a
> > > solution... but I'm not using AD for this script.
> > >
> > > So I wrote this little script to work with local user accounts. I
> > > don't have access to ADS_UF_DONT_EXPIRE_PASSWD with the provider I'm
> > > using so I did a simple debug statement to print what the userflag
> > > value for each account is.  Then I simply said,
> > >
> > > If (the flags equals such and such value) then
> > >     go ahead and toggle the bit - skip the accounts if the bit is
> > > already off, I don't want the Xor operator to mess with it!
> > >
> > > End If
> > >
> > > So here's my little ditty:
> > >
> > > Dim userFlagsValue
> > > strMyComputer = "."
> > > intCounter = 0
> > >
> > > Set objLocalComputer = GetObject("WinNT://" & strMyComputer)
> > > ' Get all the User accounts into an array
> > > objLocalComputer.Filter = Array("User")
> > >
> > > ' Loop through every User in the array
> > > For Each objLocalUser In objLocalComputer
> > >
> > >     ' Get the flag value for the relational operator
> > >     ' Debugging determined that a checkbox = true is 459265,
> > >     ' while a same condition on a disabled account is 459267
> > >
> > >     userFlagsValue = objLocalUser.Get("UserFlags")
> > >
> > >     ' Check to see if the bit for password never expire is set;
> > >     If userFlagsValue = 459265 Or userFlagsValue = 459267 Then
> > >         objLocalUser.Put "userFlags", objLocalUser.Get("UserFlags") Xor &H10000
> > >         objLocalUser.SetInfo
> > >         intCounter = intCounter + 1
> > >     End If
> > > Next
> > >
> > > ' Done
> > > WScript.Echo intCounter & " Local Passwords Changed To Expire"
> > >
> > >
> > > Obviously, my solution isn't very elegant (or at least I don't think
> > > it is).  Technet says this account property is not a simple true/false
> > > setting; to get its value one needs to use ADS_UF_DONT_EXPIRE_PASSWD.
> > > But without having access to that, I believe I'm stuck with what I
> > > have... Does anyone know a cleaner/better solution for
> > > checking/setting/removing an account property for a local user
> > > account?
> > >
> > > Thanks,
> > >
> > > --CW
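A PowerShell version of the loop discussed in this thread, added here as an example and not code posted by anyone in it. It uses the same WinNT provider and the same ADS_UF_DONT_EXPIRE_PASSWD bit, but clears the bit with -band -bnot (safe whether or not the bit is set, so the "only Xor if set" guard is not needed), and afterwards reads the PasswordExpired attribute so that any account which now shows "User must change password at next logon" is reported rather than silently reset; an account whose password is genuinely older than the policy maximum should stay expired. The function name and parameters are my own; it assumes an elevated session on the machine whose local accounts are being changed.

```powershell
# Added example, not from the thread. Clears "Password never expires" on local
# accounts through the WinNT provider and reports the resulting PasswordExpired state.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # same bit as the thread's &H10000

function Clear-LocalPasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        # Opt in to also clearing "must change at next logon" (PasswordExpired = 0),
        # as described in the top message; off by default so expired passwords stay expired.
        [switch]$ResetMustChange
    )
    $computer = [ADSI]"WinNT://$ComputerName"
    $users = $computer.Children | Where-Object { $_.SchemaClassName -eq 'user' }
    foreach ($user in $users) {
        $flags = [int]$user.UserFlags.Value
        # Test the bit with -band; skip accounts where it is already clear.
        if (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0) { continue }
        # -band -bnot clears the bit; unlike Xor it never toggles it back on.
        $newFlags = $flags -band (-bnot $ADS_UF_DONT_EXPIRE_PASSWD)
        if (-not $PSCmdlet.ShouldProcess($user.Name, "clear ADS_UF_DONT_EXPIRE_PASSWD")) { continue }
        $user.Put('UserFlags', $newFlags)
        $user.SetInfo()
        $user.RefreshCache()
        # After the change the provider may report the password as already expired,
        # which is what shows up as "User must change password at next logon".
        $expired = [int]$user.PasswordExpired.Value
        if ($expired -eq 1 -and $ResetMustChange) {
            $user.Put('PasswordExpired', 0)
            $user.SetInfo()
            $expired = 0
        }
        [pscustomobject]@{
            Name                  = [string]$user.Name
            OldFlags              = $flags
            NewFlags              = $newFlags
            MustChangeAtNextLogon = ($expired -eq 1)
        }
    }
}

# Dry run first: -WhatIf lists the accounts that would be changed without touching them.
Clear-LocalPasswordNeverExpires -WhatIf
```

Run it once with -WhatIf to see which accounts carry the bit, then without it; accounts listed with MustChangeAtNextLogon = True are the ones the original poster was surprised by.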
