Uncheck Password Never Expires for All Users

Hi,

All accounts in AD when created Password Never Expiers was selected and now
i wana implement a password polciy, how can i remove the check from password
never expiers on all user in AD at once?

Thanks for any help

Thanks for the response
do you know where i can find a script for that i dont know how to make the
script..

"Jack Doyle" wrote:

> I'm not sure, but I imagine it could probably be done with ADSI
> scripting.
>
> Anyways, you probably already knew this, but that checkmark should be
> used as an exception to the rule, not the rule.
>
> If you truly, at the time, didn't want your passwords to expire, you
> should have used Group Policy to do that and the "password never
> expires" checkmark to allow exceptions... just tossing that out there,
> but like I said, you probably already knew that.
>
> Good luck.
>
> Jack Doyle, Systems Engineer
> ScriptLogic Corporation
> www.scriptlogic.com
>
>

have a look at ADModify from
http://www.gotdotnet.com/workspaces/...8-3e44523f32e2

or

ADMOD from http://www.joeware.net/downloads/files/AdMod.zip

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Ari" <> wrote in message
news:E89BEEE8-86A9-44AA-AD35-...
> Hi,
>
> All accounts in AD when created Password Never Expiers was selected and
> now
> i wana implement a password polciy, how can i remove the check from
> password
> never expiers on all user in AD at once?
>
> Thanks for any help

Ari wrote:

> Thanks for the response
> do you know where i can find a script for that i dont know how to make the
> script..

If you have Windows Server 2003, you may be able to select all users and
modify this setting in bulk. Otherwise, here is a VBScript program that uses
ADO to retrieve all user objects were the flag "Password never expires" is
set, then toggles this flag off for each of these users, and saves the
change. Since ADO cannot be used to modify AD objects, we retrieve the
Distinguished Names of the user, so we can bind to the corresponding
objects. A bit of the userAccountControl attribute is the flag for this
setting. We Xor with the appropriate bit mask to toggle the setting off.
===============
Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strDN, lngPwdLastSet, objDate
Dim objUser, lngFlag

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search all of Active Directory.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects that have password never expires flag set.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=65536 ))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Query Active Directory and return recordset.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Enumerate the recordset.
Do Until objRecordSet.EOF
' Retrieve the attribute value.
strDN = objRecordSet.Fields("distinguishedName")
' Bind to the corresponding user object.
Set objUser = GetObject("LDAP://" & strDN)
' Retrieve flags.
lngFlag = objUser.userAccountControl
' Toggle the bit for password never expires to turn it off.
lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
' Save the new value.
objUser.userAccountControl = lngFlag
' Save the change.
objUser.SetInfo
objRecordSet.MoveNext
Loop

' Clean up.
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net

Hi
Select all users at once and chabge that option at Once.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
"Ari" <> wrote in message
news:E89BEEE8-86A9-44AA-AD35-...
> Hi,
>
> All accounts in AD when created Password Never Expiers was selected and
> now
> i wana implement a password polciy, how can i remove the check from
> password
> never expiers on all user in AD at once?
>
> Thanks for any help

All one line

adfind -b dc=domain,dc=com -bit -t 0 -f
"&(objectcategory=person)(useraccountcontrol:AND:= 65536)"
useraccountcontrol -adcsv | admod -sc uacclear:65536 -unsafe





--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Ari wrote:
> Hi,
>
> All accounts in AD when created Password Never Expiers was selected and now
> i wana implement a password polciy, how can i remove the check from password
> never expiers on all user in AD at once?
>
> Thanks for any help

Hi Richard,

Thanks for the script that worked great.

I read all of comments in which ever blog I logon to. It would be very helpful for me.

But I need a little more help in the script.

I will provide a list of users (samaccountnames with password never expires set) in a text file. The script must read the file and compare with the AD users. if matched, it must toggle the bit else bypass to next line in the file.

I tried many takes but in vain

Can you help on this?

Any idea?

Thanks & Regards
Praveen