I want to ensure the password never expires setting is removed from
LOCAL (Windows 2000 member servers and workstations) accounts. I've
looked through past posts and I see posts that talk about querying and
setting this property, and removing it from domain accounts... again,
I want to remove this setting from LOCAL accounts (I need to use the
WinNT provider and not the LDAP provider).
If I'm talking about AD accounts, then I can simply check the value of
ADS_UF_DONT_EXPIRE_PASSWD (not equal to 0) and toggle the bit off with
Xor. Most of the examples out there deal with this type of a
solution... but I'm not using AD for this script.
So I wrote this little script to work with local user accounts. I
don't have access to ADS_UF_DONT_EXPIRE_PASSWD with the provider I'm
using so I did a simple debug statement to print what the userflag
value for each account is. Then I simply said,
If (the flags equals such and such value) then
go ahead and toggle the bit – skip the accounts if the bit is
already off, I don't want the Xor operator to mess with it!
End If
So here's my little ditty:
Dim userFlagsValue
strMyComputer = "."
intCounter = 0
Set objLocalComputer = GetObject("WinNT://" & strMyComputer)
' Get all the User accounts into an array
objLocalComputer.Filter = Array("User")
' Loop through every User in the array
For Each objLocalUser In objLocalComputer
    ' Get the flag value for the relational operator
    ' Debugging determined that a checkbox = true is 459265,
    ' while a same condition on a disabled account is 459267
    userFlagsValue = objLocalUser.Get("UserFlags")
    ' Check to see if the bit for password never expire is set;
    If userFlagsValue = 459265 Or userFlagsValue = 459267 Then
        ' Xor toggles bit &H10000; the trailing "_" continues the statement
        ' onto the next line (without it VBScript raises a syntax error)
        objLocalUser.Put "userFlags", objLocalUser.Get("UserFlags") _
            Xor &H10000
        objLocalUser.SetInfo
        intCounter = intCounter + 1
    End If
Next
' Done
WScript.Echo intCounter & " Local Passwords Changed To Expire"
Obviously, my solution isn't very elegant (or at least I don't think
it is). Technet says this account property is not a simple true/false
setting; to get its value one needs to use ADS_UF_DONT_EXPIRE_PASSWD.
But without having access to that, I believe I'm stuck with what I
have... Does anyone know a cleaner/better solution for
checking/setting/removing an account property for a local user
account?
Thanks,
--CW
For this setting (password never expires), you can handle the userFlags
attribute exposed by the WinNT provider in exactly the same way as you would
handle the userAccountControl attribute exposed by the LDAP provider. The
bit mask is also the same. For example, for one user:
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objUser = GetObject("WinNT://MyComputer/TestUser,user")
lngFlags = objUser.Get("userFlags")
If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    lngFlags = lngFlags Xor ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userFlags", lngFlags
    objUser.SetInfo
End If
Note that you test a bit using the "And" operator (any non zero result means
the bit is set), you set a bit with the "Or" operator, and you toggle a bit
with the "Xor" operator. In this case, to un-set the bit, you must toggle
it, but only if it is already set. You can modify this to loop through all
local users.
From the TechNet Script Center, this example does the opposite of what you
want:
http://www.microsoft.com/technet/community/scriptcenter/user/scrug115.mspx
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
"corn29@ no_spam excite.com" <cor...@excite.com> wrote in message
news:216bf30e.04030...@posting.google.com...
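The same technique in the shell a Windows administrator would type it into today, as an added example that is not part of the thread or of Richard's code: the WinNT provider is reached through the [ADSI] accelerator, the bit is tested with -band, set with -bor, and cleared with -band -bnot (which, unlike Xor, is safe to apply even when the bit is already clear). The loop over all local users corresponds to the Filter = Array("User") enumeration in the VBScript. Assumed: the computer name comes from $env:COMPUTERNAME ("." works too), the function and helper names are my own, and -WhatIf is used for a dry run before changing anything.

```powershell
# Added example, not from the thread. Clears "Password never expires" on every
# local account via the WinNT provider. Assumed: $env:COMPUTERNAME is the target.

# Same bit mask as userAccountControl in AD; the WinNT provider calls the attribute UserFlags.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Test-Flag {
    param([int]$Flags, [int]$Mask)
    ($Flags -band $Mask) -ne 0          # -band: any non-zero result means the bit is set
}
function Set-Flag {
    param([int]$Flags, [int]$Mask)
    $Flags -bor $Mask                   # -bor: sets the bit (no-op if already set)
}
function Clear-Flag {
    param([int]$Flags, [int]$Mask)
    $Flags -band (-bnot $Mask)          # -band -bnot: clears the bit (no-op if already clear)
}
# -bxor would toggle the bit, so it must only be applied when the bit is known to be set.

function Clear-LocalPasswordNeverExpires {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName"
    $changed = 0
    foreach ($entry in $computer.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }   # equivalent of Filter = Array("User")
        $flags = [int]$entry.Properties['UserFlags'].Value
        if (-not (Test-Flag $flags $ADS_UF_DONT_EXPIRE_PASSWD)) { continue }   # bit already off: skip
        if ($PSCmdlet.ShouldProcess($entry.Name, 'Clear "Password never expires"')) {
            $entry.Properties['UserFlags'].Value = Clear-Flag $flags $ADS_UF_DONT_EXPIRE_PASSWD
            $entry.SetInfo()                                     # commit, same as objUser.SetInfo
            $changed++
        }
    }
    return $changed
}

# Dry run first (prints "What if:" lines and changes nothing), then the real change.
Clear-LocalPasswordNeverExpires -WhatIf
$count = Clear-LocalPasswordNeverExpires
Write-Host "$count local accounts changed to expire passwords"
```

Because Clear-Flag uses -band -bnot rather than -bxor, the "only if it is already set" guard is no longer needed for correctness; it is kept here only so that accounts which were already fine are not rewritten and counted.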
Thanks for the help... I was originally getting errors that said the
ADS object was not available. That's why I thought it was a provider
problem.
At any rate, here's what I have now:
strMyComputer = "."
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Set objLocalComputer = GetObject("WinNT://" & strMyComputer)
objLocalComputer.Filter = Array("User")
For Each objLocalUser In objLocalComputer
lngFlags = objLocalUser.Get("userFlags")
If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
lngFlags = lngFlags Xor ADS_UF_DONT_EXPIRE_PASSWD
objLocalUser.Put "userFlags", lngFlags
objLocalUser.SetInfo
End If
Next
This does indeed remove the "Password never expires" option but it
places a check in the "User must change password at next logon" box.
I don't want that either!!! Is there simply any way to just turn off
the password never expires option if it is set???
Thanks,
--CW
"Richard Mueller [MVP]" <rlmuelle...@ameritech.NOSPAM.net> wrote in message news:<eA7V70hB...@TK2MSFTNGP09.phx.gbl>...
The code shouldn't set "User must change password at next logon". Perhaps
this was set before and masked by the "Password never expires" setting, or
the user never set their password.
In any case, you remove the "User must change password at next logon"
setting for a local user by assigning zero to the PasswordExpired attribute
exposed by the WinNT provider:
objLocalUser.Put "PasswordExpired", 0
objLocalUser.SetInfo
To set this flag, you assign the value 1.
Note that with the LDAP provider, you assign the value 0 to the pwdLastSet
attribute to expire the password, and -1 to reset this flag so the user must
change the password at next logon. It can be confusing.
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
"corn29@ no_spam excite.com" <cor...@excite.com> wrote in message
news:216bf30e.0403...@posting.google.com...
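To see Richard's explanation in practice, here is an added example (my own code, not from the thread) that reads both settings for each local account: the "Password never expires" bit in UserFlags and the "User must change password at next logon" state, which the WinNT provider exposes as the separate PasswordExpired attribute (1 = set, 0 = clear). Taking the report before and after clearing the never-expires bit shows whether an account's "must change" flag was already there and merely masked. A second function clears PasswordExpired the way Richard describes, by assigning 0. Assumed: the computer name comes from $env:COMPUTERNAME, the function names are mine, and 'TestUser' is a placeholder account name.

```powershell
# Added example, not from the thread. Reports and clears the "must change password
# at next logon" state of local accounts via the WinNT provider's PasswordExpired attribute.
# Assumed: $env:COMPUTERNAME is the target; 'TestUser' is a placeholder account name.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-LocalPasswordState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = [ADSI]"WinNT://$ComputerName"
    foreach ($entry in $computer.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }
        $flags = [int]$entry.Properties['UserFlags'].Value
        [pscustomobject]@{
            Name                  = $entry.Name
            PasswordNeverExpires  = ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
            # PasswordExpired is a separate attribute, not a bit in UserFlags
            MustChangeAtNextLogon = ([int]$entry.Properties['PasswordExpired'].Value) -eq 1
        }
    }
}

function Clear-LocalMustChangePassword {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $user = [ADSI]"WinNT://$ComputerName/$UserName,user"
    if ([int]$user.Properties['PasswordExpired'].Value -ne 1) { return }   # nothing to clear
    if ($PSCmdlet.ShouldProcess($UserName, 'Clear "User must change password at next logon"')) {
        $user.Properties['PasswordExpired'].Value = 0   # WinNT provider: 0 clears, 1 sets
        $user.SetInfo()
    }
}

# Snapshot the state; an account already showing MustChangeAtNextLogon = True here
# was not changed by clearing the never-expires bit, only unmasked by it.
Get-LocalPasswordState | Format-Table -AutoSize

# Dry run of clearing the flag on one account, then the real change.
Clear-LocalMustChangePassword -UserName 'TestUser' -WhatIf
Clear-LocalMustChangePassword -UserName 'TestUser'
```

Note that the 0/1 convention above is specific to the WinNT provider's PasswordExpired attribute; with the LDAP provider the equivalent is pwdLastSet, where the values are reversed as Richard notes (0 expires the password, -1 clears the flag).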
It sure can be... so much for taking my script that runs on domain
controllers and simply changing the name of the provider. At any
rate, thanks for all your help!
--CW