Re: Script to set 'Password never expires' flag

From: Marsha (Marsha_at_discussions.microsoft.com)
Date: 11/22/04 

Date: Sun, 21 Nov 2004 20:09:03 -0800

Al,

Thanks for taking the time to respond and give some good advice. We're
running Win2k still. And i did restore into our test lab, but its giving the
same error in live. Yes, it would make sense just to set the 'password never
expires' for only the accounts that we never want to expire, but there is
politics behind this. Mgmt does not want to turn it on for everyone all at
once. We have to hold hands department by department, so that is the reason
for attempting to use this script. I'll keep trying and check into your
suggestions. if you think of anything else, please let me know.

Thanks!

"Al Mulnick" wrote:

> So if I follow you correctly, you're wanting to set all of the user
> passwords to never expire, apply the policy to the domain, then go back and
> de-select that check box one by one?
>
> Wouldn't it be better to select the ones that should never expire and let
> the rest of them follow the policy?
>
> Wouldn't it be better to use the ADU&C to do this? I'm assuming W2K3 which
> has the ability to select multiple users and modify that field. You won't
> be able to use search for this although you can select all you can see.
>
>
> If it's only one domain, then the script likely found the correct
> information so that may not be it. I had read it to mean that you had
> restored this in the lab and figured there may be other domains in your
> forest. But if this is a single-forest/single-domain then that's not it.j
>
> It may be that you want to drop back and use a different method if you still
> want to set all accounts to never expire. Start by getting the user DN's
> and then for each of them use dsmod user
> http://www.microsoft.com/windowsxp/home/using/productdoc/en/default.asp?url=/windowsxp/home/using/productdoc/en/dsmod_user.asp
>
> You'll see a nice explanation by Richard how this might work and even an
> example to get the DN's into a file. If you go that route, you can put them
> a file, then modify the file to be a cmd file and put the dsmod query around
> the DN on each line I would imagine.
>
> Just theory though. You could also use the dsquery tool to grab the DN of
> the users and then pipe it to the dsmod command. Keeps you from having to
> learn script.
>
>
>
> "Marsha" <Marsha@discussions.microsoft.com> wrote in message
> news:7FCC521F-F06E-4AD1-A2D9-4DD662208B45@microsoft.com...
> > Hi,
> >
> > The original requirement is to set the 'password never expires' flag for
> > all
> > users so that we can control the domain password policy's expiration
> > settings. The password policy will be turned on and we'll then control it
> > at
> > the user level. If you have a better suggestion, please let me know.
> > This
> > was the only way I could think of to not apply the password policy
> > expiration
> > settings all at once. There's only one domain, so its pretty
> > straightforward. Any help would be greatly appreciated.
> >
> > "Al Mulnick" wrote:
> >
> >> Marsha, what was the original requirement?
> >>
> >> You need to set all passwords to never expire for all users? Whatever
> >> for
> >> (test lab I assume)?
> >>
> >> How many domains are there? If more than one (root/child) you may want
> >> to
> >> short circuit the part about finding the naming context and hard code it
> >> to
> >> see if you get better results.
> >>
> >>
> >> Al
> >>
> >>
> >>
> >> "Marsha" <Marsha@discussions.microsoft.com> wrote in message
> >> news:119207E6-EADE-4E43-B006-B7C1B9FE48BD@microsoft.com...
> >> > Hi,
> >> > Well, 4 of the 5 were in the users container and the other one was one
> >> > of
> >> > my
> >> > collegues in a separate OU. I unchecked the box for all and ran the
> >> > script
> >> > again. This time, I got the 'server unwilling to process the request'
> >> > error
> >> > immediately. I agree with you, it seems to be a permissions issue. I
> >> > will
> >> > check the domain controller policies, etc. If you think of anything,
> >> > please
> >> > let me know.
> >> >
> >> > Thanks,
> >> > Marsha
> >> >
> >> > "Richard Mueller [MVP]" wrote:
> >> >
> >> >> Hi,
> >> >>
> >> >> I did a brief test (I developed the script months ago) and had no
> >> >> problem.
> >> >> The fact that the script appears to work for 5 users, then raises an
> >> >> error
> >> >> seems to indicate either a permission problem or a conflict with some
> >> >> other
> >> >> setting. I didn't want to change this setting for all my users, so
> >> >> perhaps
> >> >> there could also be some server issue.
> >> >>
> >> >> I also tested with a user that has "User must change password at next
> >> >> logon". You are not allowed to have both settings, but after the
> >> >> program
> >> >> ran, this user had "User must change password at next logon" unchecked
> >> >> and
> >> >> "Password never expires" checked.
> >> >>
> >> >> Can you tell which user object raised the error and compare this
> >> >> object
> >> >> with
> >> >> the ones that were modified successfully? Maybe you can see a
> >> >> difference.
> >> >>
> >> >> I'm still looking.
> >> >>
> >> >> --
> >> >> Richard
> >> >> Microsoft MVP Scripting and ADSI
> >> >> HilltopLab web site - http://www.rlmueller.net
> >> >> --
> >> >>
> >> >> "Marsha" <Marsha@discussions.microsoft.com> wrote in message
> >> >> news:1196E6AF-11AB-4F56-A33F-AD4CF6BA7C11@microsoft.com...
> >> >> > Thanks for the script. The only problem I'm having is a 'general
> >> >> > access
> >> >> > denied' error on the objuser.setinfo command in my test lab. The
> >> >> > only
> >> >> > information I am finding about this error is regarding IIS which I
> >> >> > am
> >> >> > not
> >> >> > running. If I attempt to run the script in my live environment, I
> >> >> > get
> >> >> 'The
> >> >> > server is unwilling to process the request'. The account I am using
> >> >> > to
> >> >> run
> >> >> > the script is a member of domain, enterprise, and schema admins. It
> >> >> appeared
> >> >> > to set about 5 accounts and then produced the server is unwilling to
> >> >> process
> >> >> > error above. Any ideas that I could try or settings I could check?
> >> >> >
> >> >> > "Richard Mueller [MVP]" wrote:
> >> >> >
> >> >> > > Marsha wrote:
> >> >> > >
> >> >> > > > Does anyone have a script that can set the 'Password Never
> >> >> > > > Expires'
> >> >> flag
> >> >> > > for
> >> >> > > > all users in the domain? I need to set the attribute for
> >> >> > > > everyone
> >> >> > > > and
> >> >> am
> >> >> > > not
> >> >> > > > very good at scripting. I can get it to work for a specific
> >> >> > > > user,
> >> >> > > > but
> >> >> I
> >> >> > > want
> >> >> > > > it to effect the whole domain.
> >> >> > >
> >> >> > > Hi,
> >> >> > >
> >> >> > > The script below uses ADO to retrieve the distinguishedName and
> >> >> > > userAccountControl attributes for all users in the domain. You
> >> >> > > "And"
> >> >> > > userAccountControl with a bit mask (ADS_UF_DONT_EXPIRE_PASSWD) to
> >> >> > > check
> >> >> if
> >> >> > > the bit is set. A non-zero result indicates the bit is set. In the
> >> >> > > code
> >> >> > > below, if the result is zero, we know the bit is not set, so the
> >> >> password
> >> >> > > can expire and we must set the bit. The bit is set by "Or'ing"
> >> >> > > userAccountControl with the bit mask. To modify the user you must
> >> >> > > bind
> >> >> to
> >> >> > > the user object, which is why distinguishedName is also retrieved.
> >> >> > >
> >> >> > >
> >> >> > > ' Program to set "Password never expires" for all users in a
> >> >> > > domain.
> >> >> > > Option Explicit
> >> >> > >
> >> >> > > Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
> >> >> > >
> >> >> > > Dim objRootDSE, strDNSDomain, objCommand, objConnection
> >> >> > > Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
> >> >> > > Dim strDN, lngFlag, objUser
> >> >> > >
> >> >> > > ' Determine DNS domain name.
> >> >> > > Set objRootDSE = GetObject("LDAP://RootDSE")
> >> >> > > strDNSDomain = objRootDSE.Get("defaultNamingContext")
> >> >> > >
> >> >> > > ' Use ADO to search Active Directory.
> >> >> > > Set objCommand = CreateObject("ADODB.Command")
> >> >> > > Set objConnection = CreateObject("ADODB.Connection")
> >> >> > > objConnection.Provider = "ADsDSOObject"
> >> >> > > objConnection.Open "Active Directory Provider"
> >> >> > > objCommand.ActiveConnection = objConnection
> >> >> > > strBase = "<LDAP://" & strDNSDomain & ">"
> >> >> > >
> >> >> > > ' Search for all users.
> >> >> > > strFilter = "(&(objectCategory=person)(objectClass=user))"
> >> >> > > strAttributes = "distinguishedName,userAccountControl"
> >> >> > > strQuery = strBase & ";" & strFilter & ";" & strAttributes &
> >> >> > > ";subtree"
> >> >> > > objCommand.CommandText = strQuery
> >> >> > > objCommand.Properties("Page Size") = 100
> >> >> > > objCommand.Properties("Timeout") = 30
> >> >> > > objCommand.Properties("Cache Results") = False
> >> >> > > Set objRecordSet = objCommand.Execute
> >> >> > >
> >> >> > > ' Enumerate all users.
> >> >> > > Do Until objRecordSet.EOF
> >> >> > > strDN = objRecordSet.Fields("distinguishedName")
> >> >> > > ' Check if password can expire.
> >> >> > > lngFlag = objRecordSet.Fields("userAccountControl")
> >> >> > > If (lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
> >> >> > > ' Flag not set. Password can expire. Bind to user and set
> >> >> > > flag.
> >> >> > > Set objUser = GetObject("LDAP://" & strDN)
> >> >> > > lngFlag = lngFlag Or ADS_UF_DONT_EXPIRE_PASSWD
> >> >> > > objUser.Put "userAccountControl", lngFlag
> >> >> > > objUser.SetInfo
> >> >> > > Wscript.Echo "User modified: " & strDN
> >> >> > > End If
> >> >> > > objRecordSet.MoveNext
> >> >> > > Loop
> >> >> > >
> >> >> > > ' Clean up.
> >> >> > > objConnection.Close
> >> >> > > Set objUser = Nothing
> >> >> > > Set objRootDSE = Nothing
> >> >> > > Set objCommand = Nothing
> >> >> > > Set objConnection = Nothing
> >> >> > > Set objRecordSet = Nothing
> >> >> > >
> >> >> > > --
> >> >> > > Richard
> >> >> > > Microsoft MVP Scripting and ADSI
> >> >> > > HilltopLab web site - http://www.rlmueller.net
> >> >> > > --
> >> >> > >
> >> >> > >
> >> >> > >
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>