Re: Change Pswrd at Next Log on


"Richard Mueller [MVP]" <rlmueller-nospam@xxxxxxxxxxxxxxxxxxxx> wrote in
message news:uFywugh0IHA.6096@xxxxxxxxxxxxxxxxxxxxxxx

"BluesHead" <nospam@xxxxxxxxx> wrote in message
news:OxAWsEg0IHA.1772@xxxxxxxxxxxxxxxxxxxxxxx
Hi Folks,

I have a need to change all user accounts within a certain OU to "User
must change password at next logon"

I was hoping that some one of you may have a script that I could modify
that might perform this for me. I do know that wildcards for cn do not
work with DSMOD and that there may be a way to pipe in the cn from a
DSQUERY.

Not overly familiar with either comand so would appreciate any help with
this.

Many thanks in advance.

BluesHead.

You need to assign 0 to the pwdLastSet attribute for all users in the OU.
A VBScript example:
=====
Option Explicit
Dim objOU, objUser

' Bind to the OU object, using Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com";)

' Filter on user objects.
objOU.Filter = Array("user")

' Enumerate users.
For Each objUser In objOU
' Expire the password.
objUser.pwdLastSet = 0
' Save changes.
objUser.SetInfo
Next
======
You can also use Joe Richards' free command line utilities, adfind and
admod, for this. I think the syntax would be (watch line wrapping, this is
one line):

adfind -b "ou=West,dc=MyDomaind,dc=com" -f
"(&(objectCategory=person)(objectClass=user))" -dsq | admod
"pwdLastSet::0"

Check the syntax on his web site and download the tools:

http://www.joeware.net/freetools/index.htm

Something similar might be possible with dsquery and dsmod. If so, you
must pipe the Distinguished Names (DN's) of all users in the OU from
dsquery to dsmod. The filter will be the same,
"(&(objectCategory=person)(objectClass=user))", the base will be the DN of
the OU. Again, the attribute is pwdLastSet and you want to assign 0 to
expire the password.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--



I think the syntax for this task using dsquery / dsmod would be:

dsquery user "ou=West,dc=MyDomain,dc=com" | dsmod user -mustchpwd yes

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--


.

Relevant Pages

  • Re: Change Pswrd at Next Log on
    ... You can also use Joe Richards' free command line utilities, ... I think the syntax would be (watch line wrapping, ... Something similar might be possible with dsquery and dsmod. ...
    (microsoft.public.win2000.active_directory)
  • Re: Change "Password Never Expires" In AD for all users
    ... Use DSQUERY to select the users you want, and then pipe them into DSMOD. ... Use of included script samples are subject to the terms ... I have got the Domain Policy setup. ...
    (microsoft.public.windows.server.general)
  • Re: Group password reset
    ... You can use dsquery to pipe the results to dsmod. ... best to try out on a couple test accounts first. ...
    (microsoft.public.security)
  • Re: AD Tool?
    ... 2003 you can logon to that computer as a domain admin ... You can pipe the results from dsquery over to dsmod to find and change a group ... > Does anyone know of a good AD tool to configure multiple users at the same ...
    (microsoft.public.win2000.group_policy)
  • DSQUERY
    ... what is the syntax to have dsquery show me users who have not logged on for ... And how to output to a file excel can read? ... Will it check every domain controller? ...
    (microsoft.public.windows.server.active_directory)
Quantcast