
Re: Can't unset "user must change password" flag.


Joe Richards [MVP]

May 23, 2005, 12:46:19 PM
Yes, correctly setting the password will clear the user must change password on
next logon. That info is actually based on the pwdLastSet attribute so when you
correctly set a valid password, it has no choice but to be cleared. I would
recommend double-checking your code as it may not be succeeding as expected.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


rhnewbie wrote:
> Our company's staff internet site authenticates against our Active Dir to
> validate our users. We've recently set up a ton of new users and given them
> all different default passwords. We want to force them to change passwords
> on their first login.
>
> I've written code that changes the password, but the "User must change
> password at next logon" flag never gets unchecked. When I try to
> programmatically uncheck it, I get an access denied error. Doesn't changing
> one's password automatically reset that flag? If not, how can I change that
> flag?
>
>

Richard Mueller [MVP]

May 23, 2005, 1:24:43 PM
I set pwdLastSet to zero (0) when I set passwords. This forces "user must
change password on next logon". You can set pwdLastSet to -1, which turns
this off. These are the only values you can set.

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
"Joe Richards [MVP]" <humore...@hotmail.com> wrote in message
news:eCnWgb7X...@TK2MSFTNGP15.phx.gbl...

Joe Richards [MVP]

May 23, 2005, 2:04:37 PM
Correct. His post is confusing though. At one point he says his goal is to force
a password change and then he says that it isn't clearing on password sets.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

rhnewbie

May 23, 2005, 3:24:26 PM
Hey guys,

Right now, I'm checking the value of userAccountControl and checking for a
value of 544. I'll look into checking the pwdLastSet attribute.

I am a bit confused by this though. When I use ADSI tool to view user
attributes, the pwdLastSet attribute for this particular user is some long
mishmash of numbers, not 0 or -1.

One other thing. I wanted our AD Administrator to be able to open a user's
profile using the Active Directory Users & Computers snap-in and set the 'User
must change password at next logon' flag. Then, when the user tries to log
into our members website, my code will catch that and force them to a special
page for changing the password.

When I set that flag (using the tool mentioned above) and then view the
pwdLastChanged flag in ADSI, it hasn't changed to 0. However, the value of
userAccountControl does seem to change. That's why I was checking that flag.

Any ideas on how I can achieve this?

rhnewbie

May 23, 2005, 3:34:27 PM
Sorry if I wind up posting a second time. My initial response still hasn't
shown up so I'm trying again.

I have a couple questions about using pwdLastSet. First, when I check the
"User must change password on next login" checkbox using the AD Users &
Computers snap-in, the value of pwdLastSet does not seem to change. (At
least not when I view that attribute using ADSI snap-in.)

Second, when I use ADSI snap-in to view that attribute, it has neither a 0
nor a -1 but some long number so I'm a little confused as to the post about 0
and -1 being the only valid values.

I was checking the userAccountControl property. It seems like this property
is actually updated when I check/uncheck the flag in the AD Users & Computers
interface. Is this not a reliable method of checking to see if user must
change password?

The pwdLastSet flag seems like it's great for determining if a user initially
changes the password, but doesn't help if the Administrator wants to force the
user to change it later on down the road. I probably don't fully understand
how or when that gets set.

Richard Mueller [MVP]

May 23, 2005, 3:59:47 PM
rhnewbie wrote:

>
> Right now, I'm checking the value of userAccountControl and checking for a
> value of 544. I'll look into checking the pwdLastSet attribute.

userAccountControl is a bit field that has a lot of information. Each bit of
the value means something. The value 544 (decimal) corresponds to 512 + 32,
where 512 means a "default user account" and 32 means "no password
required". The proper way to check userAccountControl is to use bit masks to
test the bit desired. If this same user is disabled, the value will be 546,
because 2 means disabled (512 + 32 + 2 = 546). userAccountControl cannot be
used to determine if the user must change their password the next time they
logon.

Some info here:
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/list/uslsvb17.mspx

>
> I am a bit confused by this though. When I use ADSI tool to view user
> attributes, the pwdLastSet attribute for this particular user is some long
> mishmash of numbers, not 0 or -1.

pwdLastSet is a 64-bit number representing the date/time as the number of
100-nanosecond intervals since 12:00am, Jan. 1, 1601, so it's huge. Code is
required to convert this to a readable date. However, AD interprets the
special values 0 and -1. 0 can be interpreted as 1/1/1601. It can mean the
user has never set their password, or the user must reset their password the
next time they logon. -1 is a special value meaning the user is not required
to reset their password. The next time the user changes their password,
pwdLastSet is assigned the correct 64-bit value.
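The two points Richard makes above, that userAccountControl must be read with bit masks rather than compared to 544, and that pwdLastSet is a 64-bit FILETIME whose value 0 means "must change at next logon", are worked through below as an added example that is not from the thread. It is written in Python rather than VBScript or FoxPro, and it works on values already read from the directory (the two raw pwdLastSet numbers are the ones Joe's adfind output shows later in the thread; the flag bit values are the documented ADS_UF_* constants). The function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bits (ADS_UF_* constants); only the ones the
# thread touches are listed. 544 = NORMAL_ACCOUNT (512) + PASSWD_NOTREQD (32).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",              # legacy bit; AD keeps real lockout state elsewhere
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Return the set of flag names whose bits are set in userAccountControl."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def is_disabled(value):
    """Test a single bit with a mask instead of comparing the whole number."""
    return bool(value & 0x0002)


# pwdLastSet counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a FILETIME count into an aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def interpret_pwd_last_set(ft):
    """Classify a pwdLastSet value read from the directory.

    Returns (state, datetime_or_None). 0 means the user must change the
    password at next logon (or has never set one). -1 is only meaningful as a
    value you write; the directory replaces it with the current timestamp, so a
    negative value coming back from a read is treated as unexpected.
    """
    if ft == 0:
        return ("must-change-at-next-logon", None)
    if ft < 0:
        raise ValueError("negative pwdLastSet is a write-only sentinel, not a stored value")
    return ("set", filetime_to_datetime(ft))


def must_change_password(uac, pwd_last_set):
    """The 'user must change password' state lives in pwdLastSet, not in uac."""
    del uac  # deliberately unused: the bit field cannot answer this question
    return pwd_last_set == 0


if __name__ == "__main__":
    # Constructed walk-through using the numbers that appear in this thread.
    for uac in (544, 546):
        print(uac, sorted(decode_uac(uac)), "disabled" if is_disabled(uac) else "enabled")
    for raw in (127609597755355240, 0, 127613612030917216):
        print(raw, interpret_pwd_last_set(raw))
```

The converted timestamps come out in UTC; Joe's adfind -tdc output later in the thread shows the same instants in his local time zone (four hours earlier).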

Joe Richards [MVP]

May 23, 2005, 6:33:49 PM
As Richard notes, useraccountcontrol is a bit flag attribute; it has multiple
values. Some of them are legacy and have had their functionality moved out of
that attribute for active directory such as lockout status, user must change
password on next logon, etc.

pwdLastSet is a 64-bit value; this is not handled well in vbscript. If the flag
is set, the value will be 0. When you set to -1, the OS actually sets it to the
current time stamp value.

Ex:

[Mon 05/23/2005 18:32:34.42]
C:\WINDOWS>adfind -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset

AdFind V01.26.00cpp Joe Richards (j...@joeware.net) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 127609597755355240


1 Objects returned

[Mon 05/23/2005 18:32:44.87]
C:\WINDOWS>adfind -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset -tdc

AdFind V01.26.00cpp Joe Richards (j...@joeware.net) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 05/19/2005-03:02:55


1 Objects returned

[Mon 05/23/2005 18:32:56.56]
C:\WINDOWS>admod -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset::0

AdMod V01.04.00cpp Joe Richards (j...@joeware.net) April 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: cn=someuser,cn=users,dc=joe,dc=com...

The command completed successfully


[Mon 05/23/2005 18:33:10.93]
C:\WINDOWS>adfind -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset

AdFind V01.26.00cpp Joe Richards (j...@joeware.net) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 0


1 Objects returned

[Mon 05/23/2005 18:33:14.94]
C:\WINDOWS>admod -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset::-1

AdMod V01.04.00cpp Joe Richards (j...@joeware.net) April 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
DN: cn=someuser,cn=users,dc=joe,dc=com...

The command completed successfully


[Mon 05/23/2005 18:33:23.15]
C:\WINDOWS>adfind -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset

AdFind V01.26.00cpp Joe Richards (j...@joeware.net) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 127613612030917216


1 Objects returned

[Mon 05/23/2005 18:33:25.01]
C:\WINDOWS>adfind -b "CN=someuser,CN=Users,DC=joe,DC=com" pwdlastset -tdc

AdFind V01.26.00cpp Joe Richards (j...@joeware.net) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003

dn:CN=someuser,CN=Users,DC=joe,DC=com
>pwdLastSet: 05/23/2005-18:33:23


1 Objects returned

[Mon 05/23/2005 18:33:27.69]
C:\WINDOWS>

rhnewbie

May 24, 2005, 1:08:22 PM
First off, thanks to Joe and Richard for all the help you guys have offered!
I really appreciate the time you guys have taken to answer my questions.

I'm trying to do what you said and check the pwdLastSet attribute but I'm
having trouble. This is what I'm doing in my code:

oUser = GetObject([LDAP://cn=Joe Smith,ou=Members,dc=domain,dc=net])
nTest1 = oUser.Get([userAccountControl])
nTest2 = oUser.Get([pwdLastSet])

(I code in Visual FoxPro so the syntax may be a little different than what
you're used to.)

Anyhow, the first Get works. I get the value 544 back into nTest1. But,
the second Get returns an object but I have no idea what kind of object or
what properties or methods it may have.

Any ideas?

rhnewbie

May 24, 2005, 2:11:10 PM
Hey guys,

Guess all I needed was time. I finally figured it out. Apparently, I have
to check a property called PasswordLastChanged. What was throwing me is that
if the value of pwdLastSet = 0 then trying to access PasswordLastChanged
(oUser.PasswordLastChanged) throws an error. (I finally found an example on
MS website.)

Anyhow, that seemed to work. Thanks again for all your input! You don't
know how much I appreciate your help!!

Rodd

Richard Mueller [MVP]

May 24, 2005, 10:28:34 PM
rhnewbie wrote:

> I'm trying to do what you said and check the pwdLastSet attribute but I'm
> having trouble. This is what I'm doing in my code:
>
> oUser = GetObject([LDAP://cn=Joe Smith,ou=Members,dc=domain,dc=net])
> nTest1 = oUser.Get([userAccountControl])
> nTest2 = oUser.Get([pwdLastSet])
>
> (I code in Visual FoxPro so the syntax may be a little different than what
> you're used to.)
>
> Anyhow, the first Get works. I get the value 544 back into nTest1. But,
> the second Get returns an object but I have no idea what kind of object or
> what properties or methods it may have.

Hi,

pwdLastSet is an Integer8 attribute, which is a 64-bit number that requires
special handling. See this link:

http://www.rlmueller.net/Integer8Attributes.htm

The page links a sample program to read and convert the pwdLastSet attribute
of a user to a date.
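The "object" that oUser.Get([pwdLastSet]) hands back is ADSI's IADsLargeInteger, which exposes the 64-bit Integer8 as two signed 32-bit halves, HighPart and LowPart. Recombining them is the special handling Richard refers to, and the usual mistake is forgetting that LowPart is signed. The following is an added example, not code from the thread or from Richard's site; it shows the recombination and its inverse in Python, using the raw pwdLastSet value from Joe's adfind output, and the function names are my own.

```python
TWO_32 = 2 ** 32
TWO_31 = 2 ** 31


def large_integer_to_int(high_part, low_part):
    """Rebuild the 64-bit Integer8 from IADsLargeInteger.HighPart/LowPart.

    Both halves arrive as signed 32-bit integers. HighPart keeps its sign
    (a stored -1 gives HighPart -1, LowPart -1), but a negative LowPart
    just means its top bit is set and must be lifted back into 0..2**32-1.
    """
    if low_part < 0:
        low_part += TWO_32
    return high_part * TWO_32 + low_part


def int_to_large_integer(value):
    """Inverse: split a 64-bit value into the signed (HighPart, LowPart) pair ADSI would return."""
    high, low = divmod(value, TWO_32)
    if low >= TWO_31:
        low -= TWO_32
    return high, low


def pwd_last_set_requires_change(high_part, low_part):
    """True when the user must change the password at next logon (pwdLastSet == 0)."""
    return large_integer_to_int(high_part, low_part) == 0


if __name__ == "__main__":
    # Constructed walk-through: the first raw value from Joe's adfind output,
    # split the way ADSI would present it, then rebuilt.
    high, low = int_to_large_integer(127609597755355240)
    print("HighPart", high, "LowPart", low)            # LowPart is negative here
    print("rebuilt", large_integer_to_int(high, low))
    print("must change?", pwd_last_set_requires_change(0, 0))
```

Reading only HighPart, or adding a negative LowPart without the correction, silently yields a wrong timestamp; a value of 0 in both halves is the "must change at next logon" state that rhnewbie was looking for, and it is exactly the case where the convenience property PasswordLastChanged raises an error instead of returning a date.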
