Re: Force password Expiration to 5 days




Sonny wrote:

We currently have password expiration policy set to 120 days. Due to new
stringent password complexity requirements, I need to force users to change
their passwords. When users login to AD, they should get a prompt that says
you have 5 days to change your password before your password expires?

Cannot be done, except maybe using third party tools. You can send a message
to everyone stating that they will need to change their passwords in 5 days.
Then when the day arrives you can run a script or program that either:

1. Expires everyone's password, by setting pwdLastSet to 0.
2. Expires all passwords that have not been changed in the last 5 days.

Option 2 seems preferable, assuming the password complexity requirement is
already in place so the passwords changed in the last 5 days meet your
requirements.

You can use ADO in a VBScript program to retrieve the Distinguished Names of
all users where the pwdLastSet attribute of the user corresponds to a date
more than 5 days in the past. The pwdLastSet attribute is Integer8, a 64-bit
number representing a date (in UTC) as the number of 100-nanosecond
intervals since 12:00 AM 1/1/1601. I have a VBScript program that converts
any date/time (in the time zone of the local computer) to the corresponding
Integer8 value linked here:

http://www.rlmueller.net/Programs/DateToInteger8.txt

For example, in my time zone the date/time 11/16/2007 12:00 AM corresponds
to:

128396664000000000

A filter to retrieve all users that have not changed their password since
that date would be:

(&(objectCategory=person)(objectClass=user)(pwdLastSet<=128396664000000000))

Tips on using ADO to retrieve information from AD in a VBScript program are
here:

http://www.rlmueller.net/ADOSearchTips.htm

You would retrieve the value of the distinguishedName for all users that
satisfy the filter, then bind to each user and set pwdLastSet to 0, which
expires the password, and invoke the SetInfo method of the user object. The
complete VBScript program (to be run 5 days from 11/16/2007, assuming you
email all users today) could be:
=================
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on users that have not changed their password
' since 11/16/2007 12:00 AM (the Integer8 value for that local date/time).
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(pwdLastSet<=128396664000000000))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve the Distinguished Name of the user.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Bind to the user object.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Expire the password (pwdLastSet = 0 forces a change at next logon).
    objUser.pwdLastSet = 0
    ' Save change.
    objUser.SetInfo
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
=================


--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
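As an added worked example (not part of Richard's post or his DateToInteger8 program), the Python below performs the same date-to-Integer8 conversion, builds the same filter, and dry-runs the selection loop over constructed records so the accounts that would be expired can be reviewed before any pwdLastSet is written. The time zone (UTC-6, which reproduces his 128396664000000000 for 11/16/2007 12:00 AM) and the sample accounts are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Integer8 (a.k.a. FILETIME) values count 100-nanosecond ticks since
# 12:00 AM 1/1/1601 UTC, which is how AD stores pwdLastSet.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# Assumed: the poster's local zone is UTC-6 (CST in November 2007); with it,
# local midnight on 11/16/2007 reproduces his 128396664000000000.
LOCAL_TZ = timezone(timedelta(hours=-6))
CUTOFF = datetime(2007, 11, 16, 0, 0, tzinfo=LOCAL_TZ)

def datetime_to_integer8(dt: datetime) -> int:
    """Timezone-aware datetime (local or UTC) -> Integer8 ticks, UTC based."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime: supply the time zone explicitly")
    delta = dt.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10

def integer8_to_datetime(value: int) -> datetime:
    """Inverse conversion; the result is in UTC, as AD stores it."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def stale_password_filter(cutoff: datetime) -> str:
    """LDAP filter for user accounts whose password predates cutoff."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(pwdLastSet<={datetime_to_integer8(cutoff)}))")

def select_accounts_to_expire(records, cutoff: datetime) -> list:
    """Dry run of the post's loop: DNs whose pwdLastSet would be set to 0.
    Accounts already at 0 (a change is already required) are left alone."""
    limit = datetime_to_integer8(cutoff)
    return [r["distinguishedName"] for r in records
            if 0 < r["pwdLastSet"] <= limit]

# Constructed sample directory records (not real accounts).
SAMPLE_RECORDS = [
    {"distinguishedName": "CN=alice,OU=Staff,DC=example,DC=com",
     "pwdLastSet": datetime_to_integer8(datetime(2007, 11, 10, 9, 0, tzinfo=timezone.utc))},
    {"distinguishedName": "CN=bob,OU=Staff,DC=example,DC=com",
     "pwdLastSet": datetime_to_integer8(datetime(2007, 11, 18, 9, 0, tzinfo=timezone.utc))},
    {"distinguishedName": "CN=carol,OU=Staff,DC=example,DC=com",
     "pwdLastSet": 0},  # already flagged "must change password at next logon"
    {"distinguishedName": "CN=dave,OU=Staff,DC=example,DC=com",
     "pwdLastSet": datetime_to_integer8(CUTOFF)},  # exactly on the boundary
]
```

Because the filter uses `<=`, an account whose pwdLastSet equals the cutoff tick (dave) is selected, while one changed after the cutoff (bob) is not.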




