I'm looking for a script that will check the "Password never expires" and
uncheck the "User must change password at next logon" on all users in
specific OUs; it will run once a week. I have only found scripts that do
this for all users in a domain.
The environment is a 2003 Active Directory.
Anyone that has a good example?
Thanks,
Henrik

Dim strDomainDN,strOU,strDomTokens,objUser,objgroup
strDomainDN = "abcd.local" 'Your AD Domain goes here
strOU = "OU NAME" 'The OU Name goes here
' Put the domain name into an ldap string.
strDomTokens = Split(strDomainDN, ".", -1, 1)
strDomainDN = Join(strDomTokens, ",dc=")
strDomainDN = "dc=" & strDomainDN
Set objgroup = GetObject("LDAP://ou=" + strOU + "," + strDomainDN)
objgroup.Filter = Array("User")
For Each objItem in objgroup
    sDisplayname = objItem.givenName & " " & objItem.sn
    'wscript.echo sDisplayname 'Uncomment start of line if you want to see text
    ' Binding by name assumes each user's CN is "givenName sn".
    Set objUser = GetObject("LDAP://CN=" + sDisplayname + ",OU=" + strOU + "," + strDomainDN)
    ' Set the "Password never expires" bit (65536) and keep all other flags,
    ' so a disabled account stays disabled.
    objUser.Put "userAccountControl", objUser.Get("userAccountControl") Or 65536
    ' -1 clears "User must change password at next logon"; 0 would force a change.
    objUser.Put "pwdLastSet", -1
    ' Save the changes to Active Directory.
    objUser.SetInfo
    Set objUser = nothing
Next
Set objgroup = Nothing

Larry
www.windowsadminscripts.com

If you have several OU's you can place their Distinguished Names in an array.
Perhaps:
============
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Place Distinguished Names of OU's in an array.
arrOUs = Array("ou=Sales,ou=West,dc=MyDomain,dc=com", _
    "ou=Engr,ou=West,dc=MyDomain,dc=com", _
    "ou=Acctg,ou=West,dc=MyDomain,dc=com", _
    "ou=East,dc=MyDomain,dc=com")

' Enumerate the OU's in the array.
For Each strOU In arrOUs
    ' Bind to the OU.
    Set objOU = GetObject("LDAP://" & strOU)
    ' Filter on user objects.
    objOU.Filter = Array("user")
    ' Enumerate all users in the OU.
    For Each objUser In objOU
        ' Assume no changes made to user, unless noted below.
        blnChanged = False
        ' Retrieve userAccountControl value.
        lngFlag = objUser.userAccountControl
        ' Check if ADS_UF_DONT_EXPIRE_PASSWD set.
        ' When you And a bit mask with userAccountControl, any non-zero
        ' result means the bit is set. A zero result means the bit is not set.
        ' The inner parentheses are required: "=" is evaluated before And.
        If ((lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) = 0) Then
            ' Set the ADS_UF_DONT_EXPIRE_PASSWD bit.
            lngFlag = lngFlag Or ADS_UF_DONT_EXPIRE_PASSWD
            objUser.userAccountControl = lngFlag
            ' Flag that a change was made to this user.
            blnChanged = True
        End If
        ' Check if user must change password at next logon.
        Set objPwdLastSet = objUser.pwdLastSet
        If (objPwdLastSet.HighPart = 0) And (objPwdLastSet.LowPart = 0) Then
            ' Change so user does not need to change password at next logon.
            objUser.pwdLastSet = -1
            ' Flag that a change was made to this user.
            blnChanged = True
        End If
        ' If a change made to this user, save changes.
        If (blnChanged = True) Then
            objUser.SetInfo
        End If
    Next
Next
============
I bothered to check if the settings needed to be changed and only changed
them if needed.
--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--
<heintz...@gmail.com> wrote in message
news:4b317727-3141-4742...@u10g2000prn.googlegroups.com...
I'll try the script and get back to you with the result.
Regards,
Henrik
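
Added example, not posted by anyone in this thread: a dry-run of the two checks discussed above, so a weekly job can log what it would change per account before anything is written. PlanChange and the sample accounts are constructed for illustration; in a live script the inputs would come from objUser.userAccountControl and the HighPart/LowPart of objUser.pwdLastSet.

```vbscript
Option Explicit
' Added example (assumption: run with cscript; no domain binding is made).
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Returns a one-line report of what would change for one account.
' PlanChange is a hypothetical helper, not part of ADSI.
Function PlanChange(strName, lngFlag, lngPwdHigh, lngPwdLow)
    Dim strPlan
    strPlan = ""
    ' Inner parentheses matter: "=" is evaluated before And in VBScript.
    If ((lngFlag And ADS_UF_DONT_EXPIRE_PASSWD) = 0) Then
        strPlan = strPlan & " set DONT_EXPIRE_PASSWD (" & lngFlag & " -> " _
            & (lngFlag Or ADS_UF_DONT_EXPIRE_PASSWD) & ");"
    End If
    ' pwdLastSet of 0 means "User must change password at next logon".
    If (lngPwdHigh = 0) And (lngPwdLow = 0) Then
        strPlan = strPlan & " clear must-change (pwdLastSet 0 -> -1);"
    End If
    If (strPlan = "") Then strPlan = " no change;"
    ' Or-ing in one bit leaves the disable bit untouched; report it anyway.
    If ((lngFlag And ADS_UF_ACCOUNTDISABLE) <> 0) Then
        strPlan = strPlan & " account is disabled and stays disabled"
    End If
    PlanChange = strName & ":" & strPlan
End Function

' Constructed sample accounts: name, userAccountControl, pwdLastSet high, low.
Dim arrSample, arrUser
arrSample = Array( _
    Array("alice", 512, 0, 0), _
    Array("bob", 66048, 29876543, 1234567), _
    Array("carol", 514, 29876543, 1234567))
For Each arrUser In arrSample
    WScript.Echo PlanChange(arrUser(0), arrUser(1), arrUser(2), arrUser(3))
Next
```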