Re: Set Account Expiration Date for group in domain.



On 16 , 18:36, "Richard Mueller [MVP]" <rlmueller-
nos...@xxxxxxxxxxxxxxxxxxxx> wrote:
"Igor" <grebenshchi...@xxxxxxxx> wrote in message

news:1187269466.245454.45140@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx



On 15 , 17:28, "Richard Mueller [MVP]" <rlmueller-
nos...@xxxxxxxxxxxxxxxxxxxx> wrote:
Igor wrote:
I'm working with Active Directory on Windows Server 2003. All AD users
are members of group_1.
Some of the users are members of group_2 and other users are members
of group_3.
Group_2 and group_3 entering(?) in OU Groups_names.
I want to have each user from group_3 get disabled his account every 3
months (regardless of creation date).
For example 9/10/2007, 12/10/2007, 3/10/2008, 6/10/2008, 9/10/2008,
12/10/2008, 3/10/2009, etc.
And all users of the group_3 receive the same message (For example: "Hi
All") on his desktop 5 days before account
expiration date. If any user account has attribute "Never Expires",
then this user will not receive the message and for him the attribute
"AccountExpirationDate" will not vary.
It can be done with vbscript.
Is it possible?

I think you mean password expiration date rather than account expiration
date. An account can have only one expiration date, after which the account
cannot be used, unless someone changes the expiration date to a later date.

You can only assign a maximum password age to the entire domain. This policy
applies to all users (if their passwords expire). You cannot specify that
passwords expire on a specified date.

Assuming you want passwords to expire on specified dates, the only solution
would be to run a script on the specified date that expires the passwords
(for all users in the group). You would do this by assigning the value 0 to
the pwdLastSet attribute. If you wanted to notify users 5 days before, this
would also have to be done with a script that runs on that day.

Note also, that if a user changes their password 2 days before you run your
script to expire the passwords, they will have to change their password
again. This would encourage people to never change their password until it
expires. A far better solution is to assign 30 days to maxPwdAge attribute
of the domain.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -http://www.rlmueller.net
--

Hello, Richard!

No. I mean account expiration day. And I manually change the
expiration date to a new date after the user account is blocked. I want
users coming to me and signing in the journal. This is really
necessary. Blocking of users will force them to come to me.

This is not easy. If you run a script once every 3 months to change the
account expiration dates, the script cannot know who has made contact with
you and done whatever is necessary. It will adjust all expiration dates even
for users that did not come to you. What you need is a script you run when
each user comes to you. These people don't want to wait for days for some
scheduled script to run. If someone is on vacation for 2 weeks, they may
come to you 10 days after expiration. Their account needs to be readjusted at
that time. It's almost easier to do this manually in ADUC.

A script to change the account expiration date for one user could be similar
to below. This example accepts the NT name of a user (the pre-Windows 2000
logon name) as a parameter. It assumes a window in which users may start to
request a reset for their accounts. Any date from the first of the month
before the end of the quarter is considered a request for the next quarter.
That is, if the user is reset on 8/31/2007, the new expiration date is
9/10/2007. But if the user is reset on 9/1/2007, the new expiration date is
12/10/2007.
================
Option Explicit

Dim strUserNTName, objRootDSE, strDNSDomain
Dim objTrans, strNetBIOSDomain, strUserDN, objUser
Dim intMonth, intYear, dtmExpire

' Constants for the NameTranslate object.
Const ADS_NAME_INITTYPE_GC = 3
Const ADS_NAME_TYPE_NT4 = 3
Const ADS_NAME_TYPE_1779 = 1

' Request user sAMAccountName.
strUserNTName = Trim(InputBox("Enter User NT Logon Name", "Reset Account"))
If (strUserNTName = "") Then
    Wscript.Echo "Program aborted"
    Wscript.Quit
End If

' Retrieve DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Convert DNS domain name to NetBIOS domain name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init ADS_NAME_INITTYPE_GC, ""
objTrans.Set ADS_NAME_TYPE_1779, strDNSDomain
strNetBIOSDomain = objTrans.Get(ADS_NAME_TYPE_NT4)
' Remove trailing backslash.
strNetBIOSDomain = Left(strNetBIOSDomain, Len(strNetBIOSDomain) - 1)

' Convert user NT name to Distinguished Name.
' Trap error if user not found.
On Error Resume Next
objTrans.Set ADS_NAME_TYPE_NT4, strNetBIOSDomain & "\" & strUserNTName
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "User " & strUserNTName & " not found"
    Wscript.Quit
End If
On Error GoTo 0
strUserDN = objTrans.Get(ADS_NAME_TYPE_1779)

' Bind to user object.
' Trap error if the bind fails, then restore normal error handling
' so a failed SetInfo below is not silently ignored.
On Error Resume Next
Set objUser = GetObject("LDAP://" & strUserDN)
If (Err.Number <> 0) Then
    On Error GoTo 0
    Wscript.Echo "Unable to bind to user " & strUserDN
    Wscript.Quit
End If
On Error GoTo 0

' Calculate new expiration date based on today's date.
' The result is the 10th of the next quarter-end month (3, 6, 9 or 12).
intMonth = Fix(Month(Now()) / 3)
intYear = Year(Now())
If (intMonth = 4) Then
    ' December rolls over to March of the next year.
    intMonth = 0
    intYear = intYear + 1
End If
intMonth = (intMonth + 1) * 3

dtmExpire = DateSerial(intYear, intMonth, 10)

objUser.AccountExpirationDate = dtmExpire
objUser.SetInfo

Wscript.Echo "Account Expiration Date set to " & CStr(dtmExpire)

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab -http://www.rlmueller.net
--


Thanks! But it is a little not what is necessary. And what if to do it, for
example, like this: I have manually set the account expiration date
to 9/10/2007 for all users in group Group_3. When they come to me, I
manually change the date to 12/10/2007, and so on every 3 months. How can
I send messages (For example: Your account expires in (?) days!) to
all users of group Group_3 from OU Groups_names every 3 months, within a
week before the account expiration date? But those users for whom I
have already replaced the account expiration date with a new one should cease to
receive the message. Is it possible?
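
Added example, not part of the original thread and not code from any of its posters: one way to pick out the Group_3 members who are due a warning, run daily as a scheduled task. The group DN, the 7-day window and the echo-only output are assumptions. A user whose date has already been moved to the next quarter falls outside the window and is no longer listed, and accounts set to never expire are skipped.

```vbscript
Option Explicit

' Assumed values: replace the DN with the real path to Group_3.
Const GROUP_DN = "cn=Group_3,ou=Groups_names,dc=example,dc=com"
Const WARN_DAYS = 7   ' warning window, from "within a week"

Dim objGroup, objMember, dtmExpire, lngDaysLeft, blnNever

Set objGroup = GetObject("LDAP://" & GROUP_DN)

For Each objMember In objGroup.Members
    ' Only direct user members; nested groups and computers are ignored.
    If (LCase(objMember.Class) = "user") Then
        blnNever = False

        ' Assumption: ADSI signals "never expires" either by raising an
        ' error or by returning a date in 1970 or earlier. Both are handled.
        On Error Resume Next
        dtmExpire = objMember.AccountExpirationDate
        If (Err.Number <> 0) Then
            blnNever = True
            Err.Clear
        End If
        On Error GoTo 0

        If (Not blnNever) Then
            If (Year(dtmExpire) <= 1970) Then
                blnNever = True
            End If
        End If

        If (Not blnNever) Then
            ' Whole days from today until the expiration date.
            lngDaysLeft = DateDiff("d", Date(), dtmExpire)
            ' Already expired accounts (negative) and dates beyond the
            ' window (already renewed) are both left out.
            If (lngDaysLeft >= 0) And (lngDaysLeft <= WARN_DAYS) Then
                Wscript.Echo objMember.sAMAccountName & _
                    ": Your account expires in " & lngDaysLeft & _
                    " day(s), on " & CStr(dtmExpire)
            End If
        End If
    End If
Next
```

Run it with cscript so each line goes to the console or a log file; how the text then reaches the user's desktop depends on the messaging mechanism available at the site.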
