Re: password never expires script



You cannot use block inheritance to keep password/account policy from being
applied to domain users. You can however configure the accounts with
password never expires if that works for you. If you have a Windows 2003
domain controller you can do all the user accounts at one time by
highlighting them all, selecting properties - account. If you do not have a
Windows 2003 domain controller you can install adminpak for Windows 2003
[free download from MS] on an XP Pro domain computer, log on as a domain
administrator and use the Active Directory command line tools [VERY handy]
to do what you want using dsquery and piping the results to dsmod. Below is
an example of what command to use and what it shows. Of course you need to
substitute your domain name and OU name. You may have a problem if any
account is configured with must change password at next logon. But you
could use the same command below except substitute -mustchpwd no
or -pwdneverexpires yes and run that command first. --- Steve

F:\Documents and Settings\administrator.UMBACH1.>dsquery user OU=west,dc=umbach1,dc=com | dsmod user -pwdneverexpires yes
dsmod succeeded:CN=john,OU=west,DC=umbach1,DC=com
dsmod succeeded:CN=joe,OU=west,DC=umbach1,DC=com
dsmod succeeded:CN=roger,OU=west,DC=umbach1,DC=com
dsmod succeeded:CN=fox,OU=west,DC=umbach1,DC=com
dsmod succeeded:CN=fred,OU=west,DC=umbach1,DC=com


"Jerome" <Jerome@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A605825A-39B7-42C9-8B14-DF3295C277C1@xxxxxxxxxxxxxxxx
> Hello,
>
> Due to a new merger in my org, some new users are not yet joined to the
> domain so they get no notification prior to when Group Policy applies
> password age policy on all users. This throws them out of Exchange and I
> have to reset passwords for about 3000 users every 31 days (I have a VBS
> script for this).
>
> Due to company policy and security reasons, I don't want to disable the
> password age policy in GP. I moved all the new users to an OU and created a
> new GP for them then enabled "block inheritance" but I also want a script
> that will enable password never expires for these users.
>
> I checked the scripter page in TechNet but could not get the applicable LDAP
> script or ldifde, pls assist. <Exchange 2003 in Active Directory
> Environment>.
>
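
Added example, not part of the original thread: a Python check that reads an ldifde export of the OU and reports which accounts already carry the "password never expires" bit in userAccountControl and which have pwdLastSet of 0 (must change password at next logon, the case the reply warns about). It assumes the export includes the userAccountControl and pwdLastSet attributes; the sample records are constructed and the function names are hypothetical.

```python
import base64

DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: password never expires

# Constructed sample in LDIF form; the DNs reuse the OU shown in the post.
SAMPLE_LDIF = """\
dn: CN=john,OU=west,DC=umbach1,DC=com
userAccountControl: 66048
pwdLastSet: 127987654321000000

dn: CN=joe,OU=west,DC=umbach1,DC=com
userAccountControl: 512
pwdLastSet: 0

dn: CN=roger,OU=west,DC=umbach1,DC=com
userAccountControl: 512
pwdLastSet: 127987654321000000
"""

def parse_ldif(text):
    """Yield one {attribute: value} dict per record (single-valued attributes)."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" marks an encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[name.strip().lower()] = value.strip()
        if "dn" in record:
            yield record

def audit(text):
    """Return one row per account with its never-expires and must-change state."""
    rows = []
    for rec in parse_ldif(text):
        uac = int(rec.get("useraccountcontrol", "0"))
        rows.append({
            "dn": rec["dn"],
            "never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
            "must_change": rec.get("pwdlastset") == "0",
        })
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_LDIF):
        print(row)
```

Running the same check after the dsmod pass, and again periodically, gives a list of never-expiring accounts to review once the merged users are joined to the domain.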

