Re: Forcing Users To Change Passwords



On Apr 5, 1:04 pm, RayRedSoxFan
<RayRedSox...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Thanks for the script, much appreciated. W

Just to be clear, with regards to this:

Also, each user account specifies that their password will never expire,
do I have to go change each of these user accounts? Or will some sort of
Group Policy override this?

If I uncheck the "password will never expire" the Group Policy will take
effect, is that correct?

Also, I went into the Group Policy Object Editor (Computer Configuration,
Windows Settings, Security Settings, Account Policies, Password Policies) and
I see where I can check that I want "Password Must Meet Complexity
Requirements"... where can I see those requirements defined? In other words, we
have a policy where it must be at least 7 characters (I see where that is
defined) but that also it must have at least one number and one special
character, where are those defined?

Thanks

So, does



"Richard Mueller [MVP]" wrote:

"Danny Sanders" <DSand...@xxxxxxxxxxxxxxx> wrote in message
news:uz6r0BvdHHA.284@xxxxxxxxxxxxxxxxxxxxxxx
AFAIK you have to remove that manually. You might be able to script it,
but I don't think there is a group policy covering this.

hth
DDS

If you have w2k3 you might be able to select all users and change this
setting for all. Otherwise, I have a scripting solution below:
==============
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, objUser, lngFlag

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search all of Active Directory.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects that have password never expires flag set.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Query Active Directory and return recordset.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
    ' Retrieve the attribute value.
    strDN = adoRecordset.Fields("distinguishedName")
    ' Bind to the corresponding user object.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Retrieve flags.
    lngFlag = objUser.userAccountControl
    ' Toggle the bit for password never expires to turn it off.
    lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
    ' Save the new value.
    objUser.userAccountControl = lngFlag
    ' Save the change.
    objUser.SetInfo
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -http://www.rlmueller.net

Hi,

Microsoft's password complexity consists of 3 of the following
characters: upper, lower, special character, and digit. It cannot
contain the firstname, lastname, or display name attribute.
If you need to change that, you will have to look at third-party filters
or create your own password filter.

Good luck
Password Policy done right
www.specopssoft.com
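
An audit-first version of the bulk change discussed in this thread, as an added example that is not code from any of the posters: it reuses the same LDAP filter, writes a report before touching anything, and clears the flag outright instead of toggling it. It assumes the ActiveDirectory PowerShell module; the report path, the `-Apply` switch and the rule of skipping accounts that carry a service principal name are assumptions made for illustration.

```powershell
# Added example: report, then optionally clear, "password never expires".
# Requires the ActiveDirectory module (RSAT) and rights to modify user objects.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: report location chosen for illustration.
    [string]$ReportPath = '.\never-expires-report.csv',
    # Nothing is modified unless -Apply is given.
    [switch]$Apply
)

Import-Module ActiveDirectory

# Same bitwise-AND matching rule as the VBScript filter (65536 = &H10000).
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$accounts = Get-ADUser -LDAPFilter $filter `
    -Properties servicePrincipalName, PasswordLastSet

$report = foreach ($u in $accounts) {
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        PasswordLastSet   = $u.PasswordLastSet
        # Accounts with an SPN are usually service accounts; expiring their
        # passwords without a rotation plan tends to cause outages.
        HasSpn            = [bool]($u.servicePrincipalName.Count)
        DistinguishedName = $u.DistinguishedName
    }
}
$report | Export-Csv -Path $ReportPath -NoTypeInformation

if ($Apply) {
    foreach ($row in ($report | Where-Object { -not $_.HasSpn })) {
        if ($PSCmdlet.ShouldProcess($row.DistinguishedName,
                                    'Clear password-never-expires')) {
            # Sets the flag to off, so a second run cannot turn it back on.
            Set-ADUser -Identity $row.DistinguishedName -PasswordNeverExpires $false
        }
    }
}

# Domain policy these accounts fall under once the flag is cleared.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge
```

Review the `PasswordLastSet` column before running with `-Apply`: any account whose password is already older than `MaxPasswordAge` is treated as expired as soon as the flag is cleared.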
