Re: instituting ad password policy


"Danny Sanders" <DSanders@xxxxxxxxxxxxxxx> wrote in message
news:e6z4J0teHHA.5052@xxxxxxxxxxxxxxxxxxxxxxx
However you implement the password policy the user disruption will be the
same.

. Disable the password never expires option

Either script this or do it manually. Users will not notice this.

A script I have used to remove the "password never expires" setting for all
users:
=================
Option Explicit

Dim objRootDSE, strDNSDomain, adoCommand, adoConnection
Dim strBase, strFilter, strAttributes, strQuery, adoRecordset
Dim strDN, objUser, lngFlag

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE";)
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search all of Active Directory.
strBase = "<LDAP://"; & strDNSDomain & ">"

' Filter on user objects that have password never expires flag set.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Query Active Directory and return recordset.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

' Enumerate the recordset.
Do Until adoRecordset.EOF
' Retrieve the attribute value.
strDN = adoRecordset.Fields("distinguishedName")
' Bind to the corresponding user object.
Set objUser = GetObject("LDAP://"; & strDN)
' Retrieve flags.
lngFlag = objUser.userAccountControl
' Toggle the bit for password never expires to turn it off.
lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
' Save the new value.
objUser.userAccountControl = lngFlag
' Save the change.
objUser.SetInfo
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


.

Relevant Pages

  • Re: Force password Expiration to 5 days
    ... Then when the day arrives you can run a script or program that either: ... Expires everyones password, ... I have a VBScript program that converts ... A filter to retrieve all users that have not change their password since ...
    (microsoft.public.windows.server.scripting)
  • Re: Need assistance badly!
    ... I have tried cobbling together a script that does this, ... I would use ADO in a VBScript program to retrieve all users with the ... Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strCN ... adoConnection.Open "Active Directory Provider" ...
    (microsoft.public.scripting.vbscript)
  • Re: Bulk unlock user accounts
    ... following script from some sample on the Microsoft site. ... It makes more sense to retrieve distinguishedName. ... Dim strDN, objUser ... ' Use ADO to search Active Directory. ...
    (microsoft.public.scripting.vbscript)
  • Re: Scripting newbie - Active Directory reporting of users/description
    ... Does any one have a sample script that looks at an Active Directory ... You can use ADO in a VBScript program to retrieve information about objects ...
    (microsoft.public.windows.server.scripting)
  • Re: Bulk unlock user accounts
    ... following script from some sample on the Microsoft site. ... It makes more sense to retrieve distinguishedName. ... Dim strDN, objUser ... ' Use ADO to search Active Directory. ...
    (microsoft.public.scripting.vbscript)
Loading