Re: Set "Password never expires" on users in a specific OU?



You should not assign values directly to the userAccountControl attribute.
You should instead set or toggle the one bit of this integer for the setting
you want, so you don't mess up the other settings. Also, to remove the
setting "User must change password at next logon" you should assign -1 to
the attribute pwdLastSet. Assigning 0 (zero) expires the password so the
user must change it the next time they log on.

If you have several OUs you can place their Distinguished Names in an array.
Perhaps:
============
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Place Distinguished Names of OU's in an array.
arrOUs = Array("ou=Sales,ou=West,dc=MyDomain,dc=com", _
    "ou=Engr,ou=West,dc=MyDomain,dc=com", _
    "ou=Acctg,ou=West,dc=MyDomain,dc=com", _
    "ou=East,dc=MyDomain,dc=com")

' Enumerate the OU's in the array.
For Each strOU In arrOUs
    ' Bind to the OU.
    Set objOU = GetObject("LDAP://" & strOU)
    ' Filter on user objects.
    objOU.Filter = Array("user")

    ' Enumerate all users in the OU (direct children only).
    For Each objUser In objOU
        ' Assume no changes made to user, unless noted below.
        blnChanged = False
        ' Retrieve userAccountControl value.
        lngFlag = objUser.userAccountControl
        ' Check if ADS_UF_DONT_EXPIRE_PASSWD set.
        ' When you And a bit mask with userAccountControl, any non-zero
        ' result means the bit is set. A zero result means the bit is not
        ' set. The And must be parenthesized: in VBScript "=" binds tighter
        ' than "And", so without the parentheses the test never succeeds.
        If ((lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) = 0) Then
            ' Set the ADS_UF_DONT_EXPIRE_PASSWD bit, leaving all other bits alone.
            lngFlag = lngFlag Or ADS_UF_DONT_EXPIRE_PASSWD
            objUser.userAccountControl = lngFlag
            ' Flag that a change was made to this user.
            blnChanged = True
        End If
        ' Check if user must change password at next logon.
        ' pwdLastSet is a 64-bit IADsLargeInteger; a value of 0 means
        ' "must change password at next logon".
        Set objPwdLastSet = objUser.pwdLastSet
        If (objPwdLastSet.HighPart = 0) And (objPwdLastSet.LowPart = 0) Then
            ' Change so user does not need to change password at next logon.
            objUser.pwdLastSet = -1
            ' Flag that a change was made to this user.
            blnChanged = True
        End If
        ' If a change made to this user, save changes.
        If (blnChanged = True) Then
            objUser.SetInfo
        End If
    Next
Next
============
I bothered to check if the settings needed to be changed and only changed
them if needed.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
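The same procedure in PowerShell with the ActiveDirectory module (RSAT), as an added example that is not part of the thread and not Richard's code. It keeps the two points of his reply visible: test and set the single userAccountControl bit with bitwise operators rather than overwriting the whole value, and clear "must change password at next logon" by writing -1 to pwdLastSet. The OU distinguished names are placeholders, and the function name is my own.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory
# module (RSAT) and rights to modify the users in the listed OUs.
Import-Module ActiveDirectory

# Same flag as the VBScript constant: bit 16 of userAccountControl.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# Placeholder OU DNs; replace with your own.
$ouList = @(
    'OU=Sales,OU=West,DC=MyDomain,DC=com',
    'OU=Engr,OU=West,DC=MyDomain,DC=com',
    'OU=East,DC=MyDomain,DC=com'
)

function Set-NoExpireAndClearMustChange {
    # Hypothetical helper name, chosen for this example.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string[]]$SearchBase,
        # Default matches the VBScript: direct children of each OU only.
        [switch]$Recurse
    )
    $scope = if ($Recurse) { 'Subtree' } else { 'OneLevel' }

    foreach ($ou in $SearchBase) {
        $users = Get-ADUser -Filter * -SearchBase $ou -SearchScope $scope `
                            -Properties userAccountControl, pwdLastSet

        foreach ($u in $users) {
            $uac     = [int]$u.userAccountControl
            $changes = @{}

            # Test the one bit; the -band must be parenthesized so the
            # comparison applies to its result, not to the constant.
            if (($uac -band $ADS_UF_DONT_EXPIRE_PASSWD) -eq 0) {
                # -bor adds the bit and leaves every other flag (disabled,
                # smartcard required, etc.) exactly as it was.
                $changes['userAccountControl'] = $uac -bor $ADS_UF_DONT_EXPIRE_PASSWD
            }

            # pwdLastSet = 0 means "must change password at next logon";
            # writing -1 clears it without touching the real last-set time.
            if ([int64]$u.pwdLastSet -eq 0) {
                $changes['pwdLastSet'] = -1
            }

            if ($changes.Count -gt 0 -and
                $PSCmdlet.ShouldProcess($u.DistinguishedName,
                                        "Replace $($changes.Keys -join ', ')")) {
                Set-ADUser -Identity $u -Replace $changes
                # Emit a record of what was touched, for the weekly run's log.
                [pscustomobject]@{
                    SamAccountName = $u.SamAccountName
                    OU             = $ou
                    Changed        = ($changes.Keys -join ',')
                }
            }
        }
    }
}

# Dry run first: lists every account that would be modified, changes nothing.
Set-NoExpireAndClearMustChange -SearchBase $ouList -WhatIf

# Real run, keeping the change log for review.
# Set-NoExpireAndClearMustChange -SearchBase $ouList | Export-Csv .\uac-changes.csv -NoTypeInformation
```

Run it with -WhatIf before the scheduled weekly job; the list it prints is the set of accounts whose passwords are about to be exempted from the domain's maximum password age, which is worth a look every time. The bitwise handling is what protects the other flags: writing a bare 512 (NORMAL_ACCOUNT) to userAccountControl, as the script quoted below does, also clears bit 0x2 (ACCOUNTDISABLE), so every disabled user in the OU would be silently re-enabled. If you do not need to see the bits, Set-ADUser -PasswordNeverExpires $true -ChangePasswordAtLogon $false performs the same two updates with the cmdlet doing the bit arithmetic for you.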

<heintz.larry@xxxxxxxxx> wrote in message
news:4b317727-3141-4742-8f79-e8a0c72c8323@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Try this, I pieced this together from some other scripts I have....

Dim strDomainDN, strOU, strDomTokens, objUser, objgroup, objItem

strDomainDN = "abcd.local" 'Your AD Domain goes here
strOU = "OU NAME" 'The OU Name goes here

' Put the domain name into an ldap string.
strDomTokens = Split(strDomainDN, ".", -1, 1)
strDomainDN = Join(strDomTokens, ",dc=")
strDomainDN = "dc=" & strDomainDN

Set objgroup = GetObject("LDAP://ou=" & strOU & "," & strDomainDN)
objgroup.Filter = Array("User")
For Each objItem In objgroup
    'wscript.echo objItem.givenName & " " & objItem.sn 'Uncomment to see each user
    ' Bind by the object's own ADsPath instead of rebuilding the CN from
    ' givenName and sn, which fails whenever the CN is not "givenName sn".
    Set objUser = GetObject(objItem.ADsPath)
    objUser.Put "userAccountControl", 512
    objUser.Put "pwdLastSet", 0 '0 forces a password change at next logon; remove this line if you don't want that
    objUser.SetInfo 'Write the changes back to AD; without this nothing is saved
    Set objUser = Nothing
Next
Set objgroup = Nothing

Larry
www.windowsadminscripts.com

On Jan 21, 11:53 am, Henrik <Hen...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi!

I'm looking for a script that will check the "Password never expires" and
uncheck the "User must change password at next logon" on all users in
specific OUs, it will run once a week. I have only found scripts that do
this for all users in a domain.

The environment is a 2003 Active Directory.

Anyone that has a good example?

Thanks,
Henrik
