
Force the new AD user to change password - pwdLastSet


A. Farber

Jul 11, 2008, 8:01:52 AM
to perl...@perl.org
Hello,

does anybody please know how to set the checkbox
"User must change password at next logon" for
a new user in Active Directory?

In VBScript it is done by: obj.Put "pwdLastSet", 0
but I can't find the Net::LDAP counterpart for that (and
I can't use Win32::OLE because my script runs on Linux)

After reading http://support.microsoft.com/kb/305144
I've tried setting the 0x800000 bit in userAccountControl,
but it doesn't work (the user is created fine though):

# Excerpt: assumes $ldap is a Net::LDAPS handle already bound as an account
# that may create users, and that $dn, $uid, $first, $last, $fullname, $mail,
# $city, $company and $password are set. DOMAIN is the AD DNS domain name.
use constant NORMAL_ACCOUNT   => 0x200;
use constant PASSWORD_EXPIRED => 0x800000;   # from KB 305144

# 1. create the user object without a password
$result = $ldap->add($dn,
    attr => [
        objectClass => 'user',
        #objectClass => [qw(top person organizationalPerson user)],
        sAMAccountName             => $uid,
        userPrincipalName          => $uid . '@' . DOMAIN,
        givenName                  => $first,
        sn                         => $last,
        displayName                => $fullname,
        description                => $fullname,
        mail                       => $mail,
        l                          => $city,
        physicalDeliveryOfficeName => $city,
        company                    => $company,
    ]
);
$result->code && die 'Failed to add entry: ', $result->error;

# 2. set the password: AD wants unicodePwd as UTF-16LE of the password in
#    double quotes, and only accepts it over an encrypted connection (LDAPS)
$charmap = Unicode::Map8->new('latin1') or die $!;
$unipwd  = $charmap->tou('"' . $password . '"')->byteswap()->utf16();

$result = $ldap->modify($dn, add => { unicodePwd => $unipwd } );
$result->code && die 'Failed to modify entry: ', $result->error;

# 3. the step that does not work: the modify succeeds, but PASSWORD_EXPIRED
#    is a bit the domain controller computes itself, so writing it into
#    userAccountControl has no effect on the account
$result = $ldap->modify($dn, replace => { userAccountControl =>
    NORMAL_ACCOUNT | PASSWORD_EXPIRED } );
$result->code && die 'Failed to modify entry: ', $result->error;

Any hints please?
Alex

PS: I'm so happy I can work with Perl after I've finally
enabled LDAP/SSL in our domain controllers...

Don C. Miller

Jul 11, 2008, 11:33:01 AM
to A. Farber, perl...@perl.org
Alex, does setting 'pwdLastSet' => 0 not work for you? You can't set
the value to anything else but you should be able to set it to zero
which will force the expiration.

$ldap->modify($dn, replace => { 'pwdLastSet' => 0 });

Don
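Added example, not part of Don's reply or of any code in the thread: the pwdLastSet write next to the read-back that tells you whether it took, plus the interpretation of a non-zero value (a Windows FILETIME, 100-ns ticks since 1601). AD accepts exactly two writes to this attribute: 0 forces the change, and -1 makes the DC stamp the current time, which clears the flag; and a 0 is ignored while DONT_EXPIRE_PASSWORD is set in userAccountControl, so the check below looks at both attributes. The AD_* environment variables, the DNs and the three sample entries are assumptions constructed for the demo; the offline part runs without a domain controller.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Offline part: interpret pwdLastSet
# on constructed entries. Live part (only if AD_HOST is set): write
# pwdLastSet=0 to AD_USER_DN over LDAPS and read it back. The AD_* variables
# and all DNs are assumptions made for this demo.
use strict;
use warnings;
use POSIX qw(strftime);
use Net::LDAP;
use Net::LDAP::Entry;

# Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch.
use constant EPOCH_DIFF           => 11_644_473_600;
use constant DONT_EXPIRE_PASSWORD => 0x10000;   # userAccountControl bit

# pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC.
sub filetime_to_epoch {
    my ($filetime) = @_;
    return int($filetime / 10_000_000) - EPOCH_DIFF;
}

# "Must change password at next logon" is pwdLastSet == 0, but only while
# DONT_EXPIRE_PASSWORD is clear; with that bit set the DC ignores the 0.
sub must_change_password {
    my ($entry) = @_;
    my $pls = $entry->get_value('pwdLastSet');
    my $uac = $entry->get_value('userAccountControl') || 0;
    return 0 unless defined $pls;               # not returned or not readable
    return 0 if $uac & DONT_EXPIRE_PASSWORD;
    return $pls == 0 ? 1 : 0;
}

sub describe_password_state {
    my ($entry) = @_;
    my $pls = $entry->get_value('pwdLastSet');
    return 'pwdLastSet not readable' unless defined $pls;
    return 'must change password at next logon' if must_change_password($entry);
    return 'pwdLastSet is 0 but DONT_EXPIRE_PASSWORD overrides it' if $pls == 0;
    return 'password last set '
         . strftime('%Y-%m-%d %H:%M:%S UTC', gmtime(filetime_to_epoch($pls)));
}

# The only values AD lets a client write: 0 forces the change, -1 makes the
# DC stamp the current time (clearing the flag). Anything else is rejected.
sub set_must_change {
    my ($ldap, $dn, $on) = @_;
    my $r = $ldap->modify($dn, replace => { pwdLastSet => ($on ? 0 : -1) });
    $r->code and die "pwdLastSet modify on $dn failed: ", $r->error;
    return 1;
}

# Read both attributes back so the caller can verify the write took.
sub fetch_password_state {
    my ($ldap, $dn) = @_;
    my $r = $ldap->search(base   => $dn, scope => 'base',
                          filter => '(objectClass=user)',
                          attrs  => [qw(pwdLastSet userAccountControl)]);
    $r->code and die "search for $dn failed: ", $r->error;
    return $r->entry(0) || die "no entry found for $dn\n";
}

# Build a Net::LDAP::Entry in memory (constructed sample data, not from AD).
sub sample_entry {
    my ($dn, %attrs) = @_;
    my $e = Net::LDAP::Entry->new;
    $e->dn($dn);
    $e->add(%attrs);
    return $e;
}

# Offline demonstration: a fresh user, a settled one (pwdLastSet for
# 2008-01-01 00:00:00 UTC), and a service account whose 0 is overridden.
my @samples = (
    sample_entry('CN=perl_test,OU=Test,DC=example,DC=com',
        pwdLastSet => 0, userAccountControl => 0x200),
    sample_entry('CN=jdoe,OU=Test,DC=example,DC=com',
        pwdLastSet => '128436192000000000', userAccountControl => 0x200),
    sample_entry('CN=svc_backup,OU=Test,DC=example,DC=com',
        pwdLastSet => 0, userAccountControl => 0x200 | DONT_EXPIRE_PASSWORD),
);
printf "%-42s %s\n", $_->dn, describe_password_state($_) for @samples;

# Live round trip, only when explicitly requested through the environment.
if (my $host = $ENV{AD_HOST}) {
    my $dn   = $ENV{AD_USER_DN} or die "AD_USER_DN not set\n";
    my $ldap = Net::LDAP->new("ldaps://$host") or die "connect failed: $@";
    my $b    = $ldap->bind($ENV{AD_BIND_DN}, password => $ENV{AD_BIND_PW});
    $b->code and die 'bind failed: ', $b->error;
    set_must_change($ldap, $dn, 1);
    print "$dn: ", describe_password_state(fetch_password_state($ldap, $dn)), "\n";
    $ldap->unbind;
}
```

The read-back matters in provisioning scripts: a modify that returns success only proves the DC accepted the operation, and the flag can still be ineffective because of DONT_EXPIRE_PASSWORD on the same object.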

Alexander Farber

Jul 11, 2008, 4:41:06 PM
to perl...@perl.org
Hi Don,

On Fri, Jul 11, 2008 at 5:33 PM, Miller, Don C. <do...@uidaho.edu> wrote:
> Alex, does setting 'pwdLastSet' => 0 not work for you? You can't set
> the value to anything else but you should be able to set it to zero
> which will force the expiration.
>
> $ldap->modify($dn, replace => { 'pwdLastSet' => 0 });
>

thank you, it works. Below is my complete code for the archive.

I haven't found how to mimic VBScript's AccountDisabled=FALSE
in Perl, but the user creation seems to work ok without it too.

Greetings from Germany
Alex

#!/usr/bin/perl -w

use strict;
use Net::LDAPS;
use Net::LDAP qw(LDAP_SUCCESS LDAP_ALREADY_EXISTS);
use Unicode::Map8;
use Unicode::String qw(utf16);

use constant ROOTDN => 'OU=ImportedExt,OU=User Accounts,DC=internal,DC=XXX,DC=com';
use constant DOMAIN => 'internal.XXX.com';
use constant SERVER => ['ablwdc01.' . DOMAIN, 'ablwdc02.' . DOMAIN];
use constant ADMIN  => 'XXXXXXX';
use constant ADMPW  => 'XXXXXX';

# userAccountControl with only NORMAL_ACCOUNT set: ACCOUNTDISABLE (0x2) is
# clear, so the account is enabled
use constant NORMAL_ACCOUNT => 0x200;

my ($ldap, $result, $charmap, $unipwd);
my ($uid, $first, $last, $mail, $city, $company, $password, $fullname, $dn)
    = qw(perl_test perl test perl...@XXX.com Bochum XXX xxxxxxx123);

# Net::LDAPS tries the listed domain controllers in order; unicodePwd can
# only be written over an encrypted connection
$ldap = Net::LDAPS->new(SERVER) or
    die('Could not connect to LDAP server ' . join(', ', @{ SERVER() }) . ": $@");

# bind() returns a Net::LDAP::Message even when the bind fails, so the
# result code has to be checked; "$ldap->bind(...) or die" never fires
$result = $ldap->bind(ADMIN . '@' . DOMAIN, password => ADMPW);
$result->code && die('Could not bind as ' . ADMIN . ': ', $result->error);

$fullname = "$first $last";
$dn = "cn=$uid," . ROOTDN;

# unicodePwd: the password in double quotes as UTF-16LE (byteswap turns
# Unicode::String's big-endian internal form into little-endian)
$charmap = Unicode::Map8->new('latin1') or die $!;
$unipwd  = $charmap->tou(qq{"$password"})->byteswap()->utf16();

$result = $ldap->add($dn,
    attr => [
        objectClass => 'user',

        sAMAccountName             => $uid,
        userPrincipalName          => $uid . '@' . DOMAIN,
        givenName                  => $first,
        sn                         => $last,
        displayName                => $fullname,
        description                => $fullname,
        mail                       => $mail,
        l                          => $city,
        physicalDeliveryOfficeName => $city,
        company                    => $company,

        unicodePwd                 => $unipwd,
    ]
);
if (LDAP_SUCCESS != $result->code) {
    warn "User $uid already exists!\n"
        if (LDAP_ALREADY_EXISTS == $result->code);
    die 'Failed to add user: ', $result->error;
}

# pwdLastSet = 0 is the LDAP equivalent of the "User must change password
# at next logon" checkbox
$result = $ldap->modify($dn, replace => { pwdLastSet => 0 } );
$result->code && die 'Failed to modify user: ', $result->error;

# replacing userAccountControl with NORMAL_ACCOUNT clears ACCOUNTDISABLE
# (and every other bit AD may have set at creation)
$result = $ldap->modify($dn,
    replace => { userAccountControl => NORMAL_ACCOUNT } );
$result->code && die 'Failed to enable user: ', $result->error;

$ldap->unbind;
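Added example, not part of Alexander's script: the unicodePwd encoding done with the core Encode module instead of Unicode::Map8 (so passwords outside Latin-1 work too), checked against the exact bytes AD expects, and the two modify shapes AD accepts for passwords: an administrative reset (replace, old value not needed) and a user-initiated change (delete the old value and add the new one in a single operation, which makes the DC verify the old password and apply the password policy). AD answers both an unencrypted connection and a policy violation with unwillingToPerform (53), so the result is decoded for the caller. The AD_* environment variables and the sample passwords are assumptions; the encoding checks run without a domain controller.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. The AD_* environment variables and
# the sample passwords are assumptions; only the live part at the end needs
# a domain controller reachable over LDAPS.
use strict;
use warnings;
use Encode qw(encode);
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_UNWILLING_TO_PERFORM);

# AD wants the password wrapped in double quotes and encoded as UTF-16LE,
# no BOM, no trailing NUL. $password must be a character string (decode it
# first if it arrived as bytes), which is what makes non-Latin-1 passwords
# work where a latin1 Unicode::Map8 would not.
sub ad_unicode_pwd {
    my ($password) = @_;
    return encode('UTF-16LE', qq{"$password"});
}

# Administrative reset: replace the value. Needs the "Reset password" right
# on the object; the old password is not required.
sub reset_password {
    my ($ldap, $dn, $new) = @_;
    return $ldap->modify($dn, replace => { unicodePwd => ad_unicode_pwd($new) });
}

# User-initiated change: delete the old value and add the new one in ONE
# modify. The DC checks the old value and enforces the password policy
# (length, complexity, history, minimum age) on the new one.
sub change_password {
    my ($ldap, $dn, $old, $new) = @_;
    return $ldap->modify($dn, changes => [
        delete => [ unicodePwd => ad_unicode_pwd($old) ],
        add    => [ unicodePwd => ad_unicode_pwd($new) ],
    ]);
}

# AD returns unwillingToPerform (53) both when the connection is not
# encrypted (LDAPS or sealed SASL) and when the new password violates
# policy; the server's error text is what tells the two apart.
sub explain_result {
    my ($r) = @_;
    return 'ok' unless $r->code;
    if ($r->code == LDAP_UNWILLING_TO_PERFORM) {
        return 'refused (53): connection not encrypted, or password policy '
             . 'violation: ' . $r->error;
    }
    return sprintf 'error %d: %s', $r->code, $r->error;
}

# Offline check of the encoding against known bytes: "Pa" must become
# 22 00 50 00 61 00 22 00.
my $bytes = ad_unicode_pwd('Pa');
print 'unicodePwd("Pa") = ', unpack('H*', $bytes), "\n";
die "unexpected encoding\n" unless $bytes eq "\x22\x00P\x00a\x00\x22\x00";

# Non-ASCII: U+00FC must become the two bytes FC 00 between the quotes.
my $umlaut = ad_unicode_pwd("\x{fc}");
print 'unicodePwd(U+00FC) = ', unpack('H*', $umlaut), "\n";
die "unexpected encoding\n" unless $umlaut eq "\x22\x00\xfc\x00\x22\x00";

# Optional: confirm the thread's Unicode::Map8 route yields the same bytes.
if (eval { require Unicode::Map8; 1 }) {
    my $legacy = Unicode::Map8->new('latin1')->tou('"Pa"')->byteswap->utf16;
    print 'Unicode::Map8 path matches: ', ($legacy eq $bytes ? 'yes' : 'no'), "\n";
}

# Live part: administrative reset of AD_USER_DN to AD_NEW_PW.
if (my $host = $ENV{AD_HOST}) {
    my $ldap = Net::LDAP->new("ldaps://$host") or die "connect failed: $@";
    my $b = $ldap->bind($ENV{AD_BIND_DN}, password => $ENV{AD_BIND_PW});
    $b->code and die 'bind failed: ', $b->error;
    print 'reset: ',
          explain_result(reset_password($ldap, $ENV{AD_USER_DN}, $ENV{AD_NEW_PW})),
          "\n";
    $ldap->unbind;
}
```

For a self-service password tool, prefer change_password over reset_password and bind as the user being changed: the delete/add form is the only one that makes the DC check the old password and the full policy, and it does not require the "Reset password" right on the object.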

Markus Moeller

Jul 12, 2008, 8:45:26 AM
to perl...@perl.org
Alexander,

Account disabled means that the userAccountControl is increased by 2
(decimal), and account disabled = false means you add 0 to the
userAccountControl; see http://support.microsoft.com/kb/305144

Markus

"Alexander Farber" <alexande...@gmail.com> wrote in message
news:943abd910807111341we0...@mail.gmail.com...
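Added example, not from the thread: userAccountControl handled as the bit field it is. Enabling an account means clearing the ACCOUNTDISABLE bit (0x2); replacing the whole attribute with 0x200, as the script earlier in the thread does, clears every other bit along with it, so this version reads the current value, flips only the bit it was asked to, and writes the result back. It also separates out the bits the domain controller computes itself (LOCKOUT, PASSWD_CANT_CHANGE, PASSWORD_EXPIRED; writing 0x800000 in the first post had no effect for exactly this reason) and the bits that weaken authentication and deserve a look during any account review. Flag names and values are from KB 305144; the AD_* environment variables and the sample values are assumptions, and the decode part runs without a domain controller.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Flag names/values are from
# KB 305144; AD_* environment variables and the sample values below are
# assumptions. Only the live part at the end needs a domain controller.
use strict;
use warnings;
use Net::LDAP;

my %UAC = (
    SCRIPT                         => 0x00000001,
    ACCOUNTDISABLE                 => 0x00000002,
    HOMEDIR_REQUIRED               => 0x00000008,
    LOCKOUT                        => 0x00000010,
    PASSWD_NOTREQD                 => 0x00000020,
    PASSWD_CANT_CHANGE             => 0x00000040,
    ENCRYPTED_TEXT_PWD_ALLOWED     => 0x00000080,
    TEMP_DUPLICATE_ACCOUNT         => 0x00000100,
    NORMAL_ACCOUNT                 => 0x00000200,
    INTERDOMAIN_TRUST_ACCOUNT      => 0x00000800,
    WORKSTATION_TRUST_ACCOUNT      => 0x00001000,
    SERVER_TRUST_ACCOUNT           => 0x00002000,
    DONT_EXPIRE_PASSWORD           => 0x00010000,
    MNS_LOGON_ACCOUNT              => 0x00020000,
    SMARTCARD_REQUIRED             => 0x00040000,
    TRUSTED_FOR_DELEGATION         => 0x00080000,
    NOT_DELEGATED                  => 0x00100000,
    USE_DES_KEY_ONLY               => 0x00200000,
    DONT_REQ_PREAUTH               => 0x00400000,
    PASSWORD_EXPIRED               => 0x00800000,
    TRUSTED_TO_AUTH_FOR_DELEGATION => 0x01000000,
);

# Bits the DC derives itself; a client write of these is ignored
# (PASSWD_CANT_CHANGE is really an ACE, PASSWORD_EXPIRED comes from
# pwdLastSet, LOCKOUT from the lockout counters).
my %COMPUTED = map { $_ => 1 } qw(LOCKOUT PASSWD_CANT_CHANGE PASSWORD_EXPIRED);

# Bits that weaken authentication for the account and deserve review.
my %RISKY = map { $_ => 1 } qw(PASSWD_NOTREQD ENCRYPTED_TEXT_PWD_ALLOWED
                               DONT_EXPIRE_PASSWORD TRUSTED_FOR_DELEGATION
                               USE_DES_KEY_ONLY DONT_REQ_PREAUTH);

# Names of the flags set in a value, lowest bit first.
sub uac_decode {
    my ($value) = @_;
    return grep { $value & $UAC{$_} } sort { $UAC{$a} <=> $UAC{$b} } keys %UAC;
}

sub uac_risky {
    my ($value) = @_;
    return grep { $RISKY{$_} } uac_decode($value);
}

# Same value with ACCOUNTDISABLE cleared (enable) or set (disable);
# every other bit is left alone.
sub uac_with_enabled {
    my ($value, $enabled) = @_;
    return $enabled ? ($value & ~$UAC{ACCOUNTDISABLE})
                    : ($value |  $UAC{ACCOUNTDISABLE});
}

# Drop the computed bits so what is written is what the DC will store.
sub uac_writable {
    my ($value) = @_;
    $value &= ~$UAC{$_} for keys %COMPUTED;
    return $value;
}

# Read-modify-write of userAccountControl for one object.
sub set_account_enabled {
    my ($ldap, $dn, $enabled) = @_;
    my $r = $ldap->search(base => $dn, scope => 'base',
                          filter => '(objectClass=user)',
                          attrs  => ['userAccountControl']);
    $r->code and die "search $dn failed: ", $r->error;
    my $e   = $r->entry(0) or die "no entry for $dn\n";
    my $cur = 0 + $e->get_value('userAccountControl');   # force numeric ops
    my $new = uac_writable(uac_with_enabled($cur, $enabled));
    return $cur if $new == $cur;                         # nothing to write
    $r = $ldap->modify($dn, replace => { userAccountControl => $new });
    $r->code and die "modify $dn failed: ", $r->error;
    return $new;
}

# Offline demonstration on constructed values. 0x222 is NORMAL_ACCOUNT with
# ACCOUNTDISABLE and PASSWD_NOTREQD, the shape of an account that was
# created disabled and without a password.
for my $v (0x222, 0x10200, 0x800200) {
    printf "0x%06x -> %s\n", $v, join(' | ', uac_decode($v));
}
printf "enable 0x222       -> 0x%x\n", uac_with_enabled(0x222, 1);
printf "disable 0x200      -> 0x%x\n", uac_with_enabled(0x200, 0);
printf "writable 0x800200  -> 0x%x\n", uac_writable(0x800200);
printf "risky bits in 0x220: %s\n", join(', ', uac_risky(0x220));

if (my $host = $ENV{AD_HOST}) {
    my $dn   = $ENV{AD_USER_DN} or die "AD_USER_DN not set\n";
    my $ldap = Net::LDAP->new("ldaps://$host") or die "connect failed: $@";
    my $b    = $ldap->bind($ENV{AD_BIND_DN}, password => $ENV{AD_BIND_PW});
    $b->code and die 'bind failed: ', $b->error;
    my $new = set_account_enabled($ldap, $dn, 1);
    printf "%s now 0x%x (%s)\n", $dn, $new, join(' | ', uac_decode($new));
    $ldap->unbind;
}
```

Note what the 0x222 sample shows: enabling it by clearing only ACCOUNTDISABLE leaves PASSWD_NOTREQD set, which lets the account hold an empty password regardless of domain policy. A provisioning script should clear that bit explicitly once a real password has been set, rather than rely on a blanket replace with 0x200 to do it by accident.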
