Re: Force password Expiration to 5 days

#1  16/11/2007, 20h55  Richard Mueller [MVP]

Sonny wrote:

> We currently have password expiration policy set to 120 days. Due to new
> stringent password complexity requirements, I need to force users to change
> their passwords. When users login to AD, they should get a prompt that says
> you have 5 days to change your password before your password expires?


Cannot be done, except maybe using third party tools. You can send a message
to everyone stating that they will need to change their passwords in 5 days.
Then when the day arrives you can run a script or program that either:

1. Expires everyone's password, by setting pwdLastSet to 0.
2. Expires all passwords that have not been changed in the last 5 days.

Option 2 seems preferable, assuming the password complexity requirement is
already in place so the passwords changed in the last 5 days meet your
requirements.

You can use ADO in a VBScript program to retrieve the Distinguished Names of
all users where the pwdLastSet attribute of the user corresponds to a date
more than 5 days in the past. The pwdLastSet attribute is Integer8, a 64-bit
number representing a date (in UTC) as the number of 100-nanosecond
intervals since 12:00 AM 1/1/1601. I have a VBScript program that converts
any date/time (in the time zone of the local computer) to the corresponding
Integer8 value linked here:

http://www.rlmueller.net/Programs/DateToInteger8.txt

For example, in my time zone the date/time 11/16/2007 12:00 AM corresponds
to:

128396664000000000

A filter to retrieve all users that have not changed their password since
that date would be:

(&(objectCategory=person)(objectClass=user)(pwdLastSet<=128396664000000000))

Tips on using ADO to retrieve information from AD in a VBScript program are
here:

http://www.rlmueller.net/ADOSearchTips.htm

You would retrieve the value of the distinguishedName for all users that
satisfy the filter, then bind to each user and set pwdLastSet to 0, which
expires the password, and invoke the SetInfo method of the user object. The
complete VBScript program (to be run 5 days from 11/16/2007, assuming you
email all users today) could be:
=================
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on users that have not changed their password
' since 11/16/2007 12:00 AM. The continuation line must directly
' follow the underscore, and the outer (& needs its closing parenthesis.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(pwdLastSet<=128396664000000000))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
    ' Retrieve the Distinguished Name of the user.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Bind to the user object.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Expire the password.
    objUser.pwdLastSet = 0
    ' Save change.
    objUser.SetInfo
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
=================
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--


#2  16/11/2007, 22h12  Sonny

We have around 5000 users in AD, and I wanted to work on the first batch of
users first, maybe 500. How do we run the script against those 500 users? Is
it possible to force users to change password (at least 5 days) by tweaking the
PwdlastSet using ADSI Edit, and thereby they get the message that "They have 5
days to change the password"?
"Richard Mueller [MVP]" wrote:
#3  17/11/2007, 01h35  Richard Mueller [MVP]

The only value you can assign to pwdLastSet is 0. I have never seen any way
to assign any other value.

If you are going to handle users in batches I see two options:

1. Deal with users one OU at a time. ADO can deal just with the users in one
OU (specify the DN of the OU as the Base of the query).
2. Place the 500 users in a group. You can write a script to enumerate the
members and deal with them. You can have one group for each block of users.

For example, to expire the password for all users in a group:
==========
' Bind to the group, using the Distinguished Name of the group.
Set objGroup = GetObject("LDAP://cn=MyGroup,ou=West,dc=MyDomain,dc=com")

' Enumerate direct members of the group.
For Each objUser In objGroup.Members
    ' Check if the password was changed in the last five days.
    If (DateDiff("d", objUser.PasswordLastChanged, Now()) > 5) Then
        ' Expire the password.
        objUser.pwdLastSet = 0
        objUser.SetInfo
    End If
Next
==========
Something similar could be done to notify all members of the group several
days before. I don't think there is any way to get the system to think the
password will expire in 5 days and so automatically warn the user.

Note that the PasswordLastChanged property method can only be used when you
bind to the object. It is not an attribute so it cannot be retrieved by ADO.
It is also read-only. However it is convenient because it converts the
Integer8 value to a date/time.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
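As an added, runnable illustration of both of Richard Mueller's replies above (this is not the poster's code, nor from his site): the Integer8 arithmetic behind the 128396664000000000 cut-off (which works out to 12:00 AM on 11/16/2007 at UTC-6), the LDAP filter built from it, and a dry run of the "older than five days, but skip accounts already at pwdLastSet = 0" decision over a constructed member list. It writes nothing to a directory; the UTC-6 zone and the sample DNs are assumptions.

```python
"""Dry run of the pwdLastSet cut-off logic from the thread (constructed data)."""
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_integer8(when: datetime) -> int:
    """Convert a timezone-aware datetime to the Integer8 value AD stores."""
    if when.tzinfo is None:
        raise ValueError("use an aware datetime so the UTC offset is explicit")
    delta = when.astimezone(timezone.utc) - EPOCH_1601
    # Integer arithmetic: a float total_seconds() would round the 100-ns ticks.
    return ((delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds) * 10

def from_integer8(value: int) -> datetime:
    """Inverse of to_integer8; returns an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def expiry_filter(cutoff: datetime) -> str:
    """The LDAP filter from the first reply, built for any cut-off instant."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(pwdLastSet<={to_integer8(cutoff)}))")

def select_for_expiry(members, run_at, max_age_days=5):
    """DNs whose password is at least max_age_days old at run_at (same <= as the filter).

    pwdLastSet == 0 already means 'must change at next logon', so those
    accounts are skipped: writing 0 again changes nothing.
    """
    cutoff = run_at - timedelta(days=max_age_days)
    return [dn for dn, pwd_last_set in members
            if pwd_last_set != 0 and from_integer8(pwd_last_set) <= cutoff]

# Constructed sample in the first reply's UTC-6 zone (assumed); not real directory data.
ZONE = timezone(timedelta(hours=-6))
NOTICE_MIDNIGHT = datetime(2007, 11, 16, 0, 0, tzinfo=ZONE)  # 12:00 AM on the day of the notice
RUN_AT = NOTICE_MIDNIGHT + timedelta(days=5)                  # the day the script would run
SAMPLE_MEMBERS = [
    ("CN=Stale,OU=West,DC=example,DC=com", to_integer8(datetime(2007, 10, 1, 9, 30, tzinfo=ZONE))),
    ("CN=Fresh,OU=West,DC=example,DC=com", to_integer8(RUN_AT - timedelta(days=1))),
    ("CN=MustChange,OU=West,DC=example,DC=com", 0),
    ("CN=Boundary,OU=West,DC=example,DC=com", to_integer8(NOTICE_MIDNIGHT)),  # exactly at the cut-off
]

def run_demo():
    """Which of the sample accounts the script would expire when run on RUN_AT."""
    return select_for_expiry(SAMPLE_MEMBERS, RUN_AT)
```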