Uncheck Password Never Expires for All Users

Discussion in 'Active Directory' started by Ari, Oct 23, 2006.

  1. Ari

    Ari Guest

    Hi,

    All accounts in AD when created Password Never Expiers was selected and now
    i wana implement a password polciy, how can i remove the check from password
    never expiers on all user in AD at once?

    Thanks for any help
     
    Ari, Oct 23, 2006
    #1
    1. Advertising

  2. Ari

    Ari Guest

    Thanks for the response
    do you know where i can find a script for that i dont know how to make the
    script..

    "Jack Doyle" wrote:

    > I'm not sure, but I imagine it could probably be done with ADSI
    > scripting.
    >
    > Anyways, you probably already knew this, but that checkmark should be
    > used as an exception to the rule, not the rule.
    >
    > If you truly, at the time, didn't want your passwords to expire, you
    > should have used Group Policy to do that and the "password never
    > expires" checkmark to allow exceptions... just tossing that out there,
    > but like I said, you probably already knew that.
    >
    > Good luck.
    >
    > Jack Doyle, Systems Engineer
    > ScriptLogic Corporation
    > www.scriptlogic.com
    >
    >
     
    Ari, Oct 23, 2006
    #2
    1. Advertising

  3. have a look at ADModify from
    http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2

    or

    ADMOD from http://www.joeware.net/downloads/files/AdMod.zip

    --

    Cheers,
    (HOPEFULLY THIS INFORMATION HELPS YOU!)

    # Jorge de Almeida Pinto # MVP Windows Server - Directory Services

    BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
    BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
    ------------------------------------------------------------------------------------------
    * This posting is provided "AS IS" with no warranties and confers no rights!
    * Always test before implementing!
    ------------------------------------------------------------------------------------------
    #################################################
    #################################################
    ------------------------------------------------------------------------------------------
    "Ari" <> wrote in message
    news:...
    > Hi,
    >
    > All accounts in AD when created Password Never Expiers was selected and
    > now
    > i wana implement a password polciy, how can i remove the check from
    > password
    > never expiers on all user in AD at once?
    >
    > Thanks for any help
     
    Jorge de Almeida Pinto [MVP - DS], Oct 23, 2006
    #3
  4. Ari wrote:

    > Thanks for the response
    > do you know where i can find a script for that i dont know how to make the
    > script..


    If you have Windows Server 2003, you may be able to select all users and
    modify this setting in bulk. Otherwise, here is a VBScript program that uses
    ADO to retrieve all user objects were the flag "Password never expires" is
    set, then toggles this flag off for each of these users, and saves the
    change. Since ADO cannot be used to modify AD objects, we retrieve the
    Distinguished Names of the user, so we can bind to the corresponding
    objects. A bit of the userAccountControl attribute is the flag for this
    setting. We Xor with the appropriate bit mask to toggle the setting off.
    ===============
    Option Explicit

    Dim objRootDSE, strDNSDomain, objCommand, objConnection
    Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
    Dim strDN, lngPwdLastSet, objDate
    Dim objUser, lngFlag

    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

    ' Determine DNS domain name.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    ' Search all of Active Directory.
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on user objects that have password never expires flag set.
    strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"

    ' Query Active Directory and return recordset.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    ' Enumerate the recordset.
    Do Until objRecordSet.EOF
    ' Retrieve the attribute value.
    strDN = objRecordSet.Fields("distinguishedName")
    ' Bind to the corresponding user object.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Retrieve flags.
    lngFlag = objUser.userAccountControl
    ' Toggle the bit for password never expires to turn it off.
    lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
    ' Save the new value.
    objUser.userAccountControl = lngFlag
    ' Save the change.
    objUser.SetInfo
    objRecordSet.MoveNext
    Loop

    ' Clean up.
    objConnection.Close
    Set objRootDSE = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objRecordSet = Nothing

    --
    Richard
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
     
    Richard Mueller, Oct 23, 2006
    #4
  5. Ari

    Jorge Silva Guest

    Hi
    Select all users at once and chabge that option at Once.

    --
    I hope that the information above helps you

    Good Luck
    Jorge Silva
    MCSA
    Systems Administrator
    "Ari" <> wrote in message
    news:...
    > Hi,
    >
    > All accounts in AD when created Password Never Expiers was selected and
    > now
    > i wana implement a password polciy, how can i remove the check from
    > password
    > never expiers on all user in AD at once?
    >
    > Thanks for any help
     
    Jorge Silva, Oct 23, 2006
    #5
  6. All one line

    adfind -b dc=domain,dc=com -bit -t 0 -f
    "&(objectcategory=person)(useraccountcontrol:AND:=65536)"
    useraccountcontrol -adcsv | admod -sc uacclear:65536 -unsafe





    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net


    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm


    Ari wrote:
    > Hi,
    >
    > All accounts in AD when created Password Never Expiers was selected and now
    > i wana implement a password polciy, how can i remove the check from password
    > never expiers on all user in AD at once?
    >
    > Thanks for any help
     
    Joe Richards [MVP], Oct 24, 2006
    #6
  7. Ari

    mohanapraveent

    Joined:
    Aug 4, 2011
    Messages:
    1
    Hi Richard,

    Thanks for the script that worked great.

    I read all of comments in which ever blog I logon to. It would be very helpful for me.

    But I need a little more help in the script.

    I will provide a list of users (samaccountnames with password never expires set) in a text file. The script must read the file and compare with the AD users. if matched, it must toggle the bit else bypass to next line in the file.

    I tried many takes but in vain

    Can you help on this?

    Any idea?

    Thanks & Regards
    Praveen
     
    mohanapraveent, Aug 4, 2011
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dennis

    Password never expires Vista Basic

    Dennis, Sep 2, 2007, in forum: Windows Vista Administration
    Replies:
    4
    Views:
    314
    Ronnie Vernon MVP
    Sep 4, 2007
  2. Brady Snow
    Replies:
    1
    Views:
    672
    Matt Wagner [MSFT]
    Dec 6, 2004
  3. Marsha
    Replies:
    15
    Views:
    1,197
    Phillip Renouf
    Jan 11, 2005
  4. Tim Page

    List all users with 'Password Never Expires'

    Tim Page, Mar 18, 2008, in forum: Active Directory
    Replies:
    3
    Views:
    2,459
    Richard Mueller [MVP]
    Sep 3, 2009
  5. £Jim
    Replies:
    3
    Views:
    253
    Abhishek
    Feb 12, 2009
Loading...

Share This Page