|
server
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
Force password Expiration to 5 days
We currently have password expiration policy set to 120 days. Due to new
stringent password complexity requirements, i need to force users to change their passwords. When users login to AD, they should get a prompt that says you have 5 days to change your password before you password expires? Sonny wrote:
> We currently have password expiration policy set to 120 days. Due to new Cannot be done, except maybe using third party tools. You can send a message > stringent password complexity requirements, i need to force users to > change > their passwords. When users login to AD, they should get a prompt that > says > you have 5 days to change your password before you password expires? to everyone stating that they will need to change their passwords in 5 days. Then when the day arrives you can run a script or program that either: 1. Expires everyones password, by setting pwdLastSet to 0. 2. Expires all passwords that have not been changed in the last 5 days. Option 2 seems preferable, assuming the password complexity requirement is already in place so the passwords changed in the last 5 days meet your requirements. You can use ADO in a VBScript program to retrieve the Distinguished Names of all users where the pwdLastSet attribute of the user corresponds to a date more than 5 days in the past. The pwdLastSet attribute is Integer8, a 64-bit number representing a date (in UTC) as the number of 100-nanosecond intervals since 12:00 AM 1/1/1601. I have a VBScript program that converts any date/time (in the time zone of the local computer) to the corresponding Integer8 value linked here: http://www.rlmueller.net/Programs/DateToInteger8.txt For example, in my time zone the date/time 11/16/2007 12:00 AM corresponds to: 128396664000000000 A filter to retrieve all users that have not change their password since that date would be: (&(objectCategory=person)(objectClass=user)(pwdLastSet<=128396664000000000)) Tips on using ADO to retrieve information from AD in a VBScript program are here: http://www.rlmueller.net/ADOSearchTips.htm You would retrieve the value of the distinguishedName for all users that satisfy the filter, then bind to each user and set pwdLastSet to 0, which expires the password, and invoke the SetInfo method of the user object. The complete VBScript program (to be run 5 days from 11/16/2007, assuming you email all users today) could be: ================= Option Explicit Dim adoCommand, adoConnection, strBase, strFilter, strAttributes Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser ' Setup ADO objects. Set adoCommand = CreateObject("ADODB.Command") Set adoConnection = CreateObject("ADODB.Connection") adoConnection.Provider = "ADsDSOObject" adoConnection.Open "Active Directory Provider" adoCommand.ActiveConnection = adoConnection ' Search entire Active Directory domain. Set objRootDSE = GetObject("LDAP://RootDSE") strDNSDomain = objRootDSE.Get("defaultNamingContext") strBase = "<LDAP://" & strDNSDomain & ">" ' Filter on users that have not changed their password ' since 11/16/2007 12:00 AM. strFilter = "(&(objectCategory=person)(objectClass=user)" _ & "(pwdLastSet<=128396664000000000)" ' Comma delimited list of attribute values to retrieve. strAttributes = "distinguishedName" ' Construct the LDAP syntax query. strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" adoCommand.CommandText = strQuery adoCommand.Properties("Page Size") = 100 adoCommand.Properties("Timeout") = 30 adoCommand.Properties("Cache Results") = False ' Run the query. Set adoRecordset = adoCommand.Execute ' Enumerate the resulting recordset. Do Until adoRecordset.EOF ' Retrieve values and display. strDN = adoRecordset.Fields("distinguishedName").Value ' Bind to the user object. Set objUser = GetObject("LDAP://" & strDN) ' Expire the password. objUser.pwdLastSet = 0 ' Save change. objUser.SetInfo ' Move to the next record in the recordset. adoRecordset.MoveNext Loop ' Clean up. adoRecordset.Close adoConnection.Close We have around 5000 users in AD, and i wanted to work on the first batch of
users first, maybe 500, how do we run the script against those 500 users? Is it possible to force users to change password(atleast 5 days) by tweaking the PwdlastSet using ADSI edit,and thereby they get the message that "They have 5 days to change the password" Show quote "Richard Mueller [MVP]" wrote: > Sonny wrote: > > > We currently have password expiration policy set to 120 days. Due to new > > stringent password complexity requirements, i need to force users to > > change > > their passwords. When users login to AD, they should get a prompt that > > says > > you have 5 days to change your password before you password expires? > > Cannot be done, except maybe using third party tools. You can send a message > to everyone stating that they will need to change their passwords in 5 days. > Then when the day arrives you can run a script or program that either: > > 1. Expires everyones password, by setting pwdLastSet to 0. > 2. Expires all passwords that have not been changed in the last 5 days. > > Option 2 seems preferable, assuming the password complexity requirement is > already in place so the passwords changed in the last 5 days meet your > requirements. > > You can use ADO in a VBScript program to retrieve the Distinguished Names of > all users where the pwdLastSet attribute of the user corresponds to a date > more than 5 days in the past. The pwdLastSet attribute is Integer8, a 64-bit > number representing a date (in UTC) as the number of 100-nanosecond > intervals since 12:00 AM 1/1/1601. I have a VBScript program that converts > any date/time (in the time zone of the local computer) to the corresponding > Integer8 value linked here: > > http://www.rlmueller.net/Programs/DateToInteger8.txt > > For example, in my time zone the date/time 11/16/2007 12:00 AM corresponds > to: > > 128396664000000000 > > A filter to retrieve all users that have not change their password since > that date would be: > > (&(objectCategory=person)(objectClass=user)(pwdLastSet<=128396664000000000)) > > Tips on using ADO to retrieve information from AD in a VBScript program are > here: > > http://www.rlmueller.net/ADOSearchTips.htm > > You would retrieve the value of the distinguishedName for all users that > satisfy the filter, then bind to each user and set pwdLastSet to 0, which > expires the password, and invoke the SetInfo method of the user object. The > complete VBScript program (to be run 5 days from 11/16/2007, assuming you > email all users today) could be: > ================= > Option Explicit > > Dim adoCommand, adoConnection, strBase, strFilter, strAttributes > > Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser > > > > ' Setup ADO objects. > > Set adoCommand = CreateObject("ADODB.Command") > Set adoConnection = CreateObject("ADODB.Connection") > adoConnection.Provider = "ADsDSOObject" > adoConnection.Open "Active Directory Provider" > adoCommand.ActiveConnection = adoConnection > > > > ' Search entire Active Directory domain. > > Set objRootDSE = GetObject("LDAP://RootDSE") > > strDNSDomain = objRootDSE.Get("defaultNamingContext") > strBase = "<LDAP://" & strDNSDomain & ">" > > > ' Filter on users that have not changed their password > > ' since 11/16/2007 12:00 AM. > strFilter = "(&(objectCategory=person)(objectClass=user)" _ > > & "(pwdLastSet<=128396664000000000)" > > > > ' Comma delimited list of attribute values to retrieve. > strAttributes = "distinguishedName" > > > > ' Construct the LDAP syntax query. > strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" > adoCommand.CommandText = strQuery > adoCommand.Properties("Page Size") = 100 > adoCommand.Properties("Timeout") = 30 > adoCommand.Properties("Cache Results") = False > > > > ' Run the query. > Set adoRecordset = adoCommand.Execute > > > ' Enumerate the resulting recordset. > Do Until adoRecordset.EOF > > ' Retrieve values and display. > strDN = adoRecordset.Fields("distinguishedName").Value > > ' Bind to the user object. > > Set objUser = GetObject("LDAP://" & strDN) > > ' Expire the password. > > objUser.pwdLastSet = 0 > > ' Save change. > > objUser.SetInfo > > ' Move to the next record in the recordset. > adoRecordset.MoveNext > Loop > > > > ' Clean up. > > adoRecordset.Close > > adoConnection.Close > > > -- > Richard Mueller > Microsoft MVP Scripting and ADSI > Hilltop Lab - http://www.rlmueller.net > -- > > > The only value you can assign to pwdLastSet is 0. I have never seen any way
to assign any other value. If you are going to handle users in batches I see two options: 1. Deal with users one OU at a time. ADO can deal just with the users in one OU (specify the DN of the OU as the Base of the query). 2. Place the 500 users in a group. You can write a script to enumerate the members and deal with them. You can have one group for each block of users. For example to expire the password for all users in a group: ========== ' Bind to the group, using the Distinguished Name of the group. Set objGroup = GetObject("LDAP://cn=MyGroup,ou=West,dc=MyDomain,dc=com") ' Enumerate direct members of the group. For Each objUser In objGroup.Members ' Check if the password was changed in the last five days. If (DateDiff("d", objUser.PasswordLastChanged, Now()) > 5) Then ' Expire the password. objUser.pwdLastSet = 0 objUser.SetInfo End If Next ======== Something similar could be done to notify all members of the group several days before. I don't think there is any way to get the system to think the password will expire in 5 days and so automatically warn the user. Note that the PasswordLastChanged property method can only be used when you bind to the object. It is not an attribute so it cannot be retrieved by ADO. It is also read-only. However it is convenient because it converts the Integer8 value to a date/time. Show quote "Sonny" <So***@discussions.microsoft.com> wrote in message news:575C2834-9DBD-498C-86EF-6A12A6F6332B@microsoft.com... > We have around 5000 users in AD, and i wanted to work on the first batch > of > users first, maybe 500, how do we run the script against those 500 users? > Is > it possible to force users to change password(atleast 5 days) by tweaking > the > PwdlastSet using ADSI edit,and thereby they get the message that "They > have 5 > days to change the password" > "Richard Mueller [MVP]" wrote: > >> Sonny wrote: >> >> > We currently have password expiration policy set to 120 days. Due to >> > new >> > stringent password complexity requirements, i need to force users to >> > change >> > their passwords. When users login to AD, they should get a prompt that >> > says >> > you have 5 days to change your password before you password expires? >> >> Cannot be done, except maybe using third party tools. You can send a >> message >> to everyone stating that they will need to change their passwords in 5 >> days. >> Then when the day arrives you can run a script or program that either: >> >> 1. Expires everyones password, by setting pwdLastSet to 0. >> 2. Expires all passwords that have not been changed in the last 5 days. >> >> Option 2 seems preferable, assuming the password complexity requirement >> is >> already in place so the passwords changed in the last 5 days meet your >> requirements. >> >> You can use ADO in a VBScript program to retrieve the Distinguished Names >> of >> all users where the pwdLastSet attribute of the user corresponds to a >> date >> more than 5 days in the past. The pwdLastSet attribute is Integer8, a >> 64-bit >> number representing a date (in UTC) as the number of 100-nanosecond >> intervals since 12:00 AM 1/1/1601. I have a VBScript program that >> converts >> any date/time (in the time zone of the local computer) to the >> corresponding >> Integer8 value linked here: >> >> http://www.rlmueller.net/Programs/DateToInteger8.txt >> >> For example, in my time zone the date/time 11/16/2007 12:00 AM >> corresponds >> to: >> >> 128396664000000000 >> >> A filter to retrieve all users that have not change their password since >> that date would be: >> >> (&(objectCategory=person)(objectClass=user)(pwdLastSet<=128396664000000000)) >> >> Tips on using ADO to retrieve information from AD in a VBScript program >> are >> here: >> >> http://www.rlmueller.net/ADOSearchTips.htm >> >> You would retrieve the value of the distinguishedName for all users that >> satisfy the filter, then bind to each user and set pwdLastSet to 0, which >> expires the password, and invoke the SetInfo method of the user object. >> The >> complete VBScript program (to be run 5 days from 11/16/2007, assuming you >> email all users today) could be: >> ================= >> Option Explicit >> >> Dim adoCommand, adoConnection, strBase, strFilter, strAttributes >> >> Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser >> >> >> >> ' Setup ADO objects. >> >> Set adoCommand = CreateObject("ADODB.Command") >> Set adoConnection = CreateObject("ADODB.Connection") >> adoConnection.Provider = "ADsDSOObject" >> adoConnection.Open "Active Directory Provider" >> adoCommand.ActiveConnection = adoConnection >> >> >> >> ' Search entire Active Directory domain. >> >> Set objRootDSE = GetObject("LDAP://RootDSE") >> >> strDNSDomain = objRootDSE.Get("defaultNamingContext") >> strBase = "<LDAP://" & strDNSDomain & ">" >> >> >> ' Filter on users that have not changed their password >> >> ' since 11/16/2007 12:00 AM. >> strFilter = "(&(objectCategory=person)(objectClass=user)" _ >> >> & "(pwdLastSet<=128396664000000000)" >> >> >> >> ' Comma delimited list of attribute values to retrieve. >> strAttributes = "distinguishedName" >> >> >> >> ' Construct the LDAP syntax query. >> strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree" >> adoCommand.CommandText = strQuery >> adoCommand.Properties("Page Size") = 100 >> adoCommand.Properties("Timeout") = 30 >> adoCommand.Properties("Cache Results") = False >> >> >> >> ' Run the query. >> Set adoRecordset = adoCommand.Execute >> >> >> ' Enumerate the resulting recordset. >> Do Until adoRecordset.EOF >> >> ' Retrieve values and display. >> strDN = adoRecordset.Fields("distinguishedName").Value >> >> ' Bind to the user object. >> >> Set objUser = GetObject("LDAP://" & strDN) >> >> ' Expire the password. >> >> objUser.pwdLastSet = 0 >> >> ' Save change. >> >> objUser.SetInfo >> >> ' Move to the next record in the recordset. >> adoRecordset.MoveNext >> Loop >> >> >> >> ' Clean up. >> >> adoRecordset.Close >> >> adoConnection.Close >> >> >> -- >> Richard Mueller >> Microsoft MVP Scripting and ADSI >> Hilltop Lab - http://www.rlmueller.net >> -- >> >> >>  |
|||||||||||||||||||||||
Other interesting topics