I have a script that verifies whether a specified user in AD has the
attribute "must change password at next logon", but I wanted a script to
list all users in AD with this attribute.
Does somebody know?
Thanks.
--
Rodrigo Sebben
seb...@service.com.br
Microsoft Certified Professional - W2k
Service IT Solutions - www.service.com.br
RS: +55 51 32123666
> I have a script that verifies whether a specified user in AD has the
> attribute "must change password at next logon", but I wanted a script to
> list all users in AD with this attribute.
Hi,
ADO would be the best way to search AD. If a user has "User must change
password at next logon" set, then the pwdLastSet attribute is zero.
Fortunately, ADO can test for this without having to convert the 64-bit
number. However, users also have pwdLastSet equal to zero if "Password never
Expires" is set. Therefore, the search criteria would be all user objects
with pwdLastSet equal to zero and the ADS_UF_DONT_EXPIRE_PASSWD bit (which
is &H10000, or 65536) of the userAccountControl attribute not set. That
makes the ADO filter:
"(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)" _
    & "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
A VBScript program to output the Distinguished Names of all users with "User
must change password at next logon" set would be:
Option Explicit
Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strDN, lngPwdLastSet, objDate
' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
strBase = "<LDAP://" & strDNSDomain & ">"
strFilter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)" _
& "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
strAttributes = "distinguishedName,userAccountControl"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
' Echo the Distinguished Name of each matching user.
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    Wscript.Echo strDN
    objRecordSet.MoveNext
Loop
' Clean up.
objRecordSet.Close
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing
--
Richard
Microsoft MVP Scripting and ADSI
HilltopLab web site - http://www.rlmueller.net
--
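An added example, not part of the original thread: a small offline Python model of the filter in the reply above, showing how the 1.2.840.113556.1.4.803 (bitwise AND) clause is evaluated against userAccountControl and which accounts the full filter returns. The entries, DNs and helper names are constructed for illustration, and objectCategory is simplified to its short name; note that the filter does not test the disabled bit, so a disabled account still matches.

```python
# Added example: offline model of the LDAP filter from the reply above.
# All entries are constructed sample data; attribute values are strings,
# as an LDAP client would return them.

BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ADS_UF_ACCOUNTDISABLE = 0x2
ADS_UF_NORMAL_ACCOUNT = 0x200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536, the value used in the reply
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]


def bit_and_match(clause, entry):
    """Evaluate one 'attr:OID:=mask' clause: true when every mask bit is set."""
    attr, oid, rhs = clause.split(":", 2)
    if oid != BIT_AND or not rhs.startswith("="):
        raise ValueError("unsupported clause: " + clause)
    mask = int(rhs[1:])
    return (int(entry[attr]) & mask) == mask


def must_change_password(entry):
    """Mirror the four AND-ed terms of the filter, including the negated bit test."""
    return (
        entry["objectCategory"] == "person"
        and "user" in entry["objectClass"]
        and int(entry["pwdLastSet"]) == 0
        and not bit_and_match("userAccountControl:" + BIT_AND + ":=65536", entry)
    )


def make(cn, category, classes, uac, pwd_last_set):
    """Build a constructed directory entry (hypothetical helper)."""
    return {"distinguishedName": "CN=%s,OU=Demo,DC=example,DC=test" % cn,
            "objectCategory": category, "objectClass": classes,
            "userAccountControl": str(uac), "pwdLastSet": pwd_last_set}


SAMPLE = [
    make("alice", "person", USER_CLASSES, ADS_UF_NORMAL_ACCOUNT, "0"),
    make("bob", "person", USER_CLASSES, ADS_UF_NORMAL_ACCOUNT, "133500000000000000"),
    make("svc-backup", "person", USER_CLASSES,
         ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD, "0"),
    make("carol", "person", USER_CLASSES,
         ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE, "0"),   # disabled, still listed
    make("WS01$", "computer", USER_CLASSES + ["computer"], 0x1000, "0"),
]


def report(entries):
    """Return the DNs the filter would select."""
    return [e["distinguishedName"] for e in entries if must_change_password(e)]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```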