Windows Vista Tips

Windows Vista Tips > Newsgroups > Windows Server > Active Directory > Uncheck Password Never Expires for All Users

Reply
Thread Tools Display Modes

Uncheck Password Never Expires for All Users

 
 
Ari
Guest
Posts: n/a

 
      10-23-2006
Hi,

All accounts in AD when created Password Never Expiers was selected and now
i wana implement a password polciy, how can i remove the check from password
never expiers on all user in AD at once?

Thanks for any help
 
Reply With Quote
 
 
 
 
Ari
Guest
Posts: n/a

 
      10-23-2006
Thanks for the response
do you know where i can find a script for that i dont know how to make the
script..

"Jack Doyle" wrote:

> I'm not sure, but I imagine it could probably be done with ADSI
> scripting.
>
> Anyways, you probably already knew this, but that checkmark should be
> used as an exception to the rule, not the rule.
>
> If you truly, at the time, didn't want your passwords to expire, you
> should have used Group Policy to do that and the "password never
> expires" checkmark to allow exceptions... just tossing that out there,
> but like I said, you probably already knew that.
>
> Good luck.
>
> Jack Doyle, Systems Engineer
> ScriptLogic Corporation
> www.scriptlogic.com
>
>

 
Reply With Quote
 
 
 
 
Jorge de Almeida Pinto [MVP - DS]
Guest
Posts: n/a

 
      10-23-2006
have a look at ADModify from
http://www.gotdotnet.com/workspaces/...8-3e44523f32e2

or

ADMOD from http://www.joeware.net/downloads/files/AdMod.zip

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Ari" <> wrote in message
news:E89BEEE8-86A9-44AA-AD35-...
> Hi,
>
> All accounts in AD when created Password Never Expiers was selected and
> now
> i wana implement a password polciy, how can i remove the check from
> password
> never expiers on all user in AD at once?
>
> Thanks for any help



 
Reply With Quote
 
Richard Mueller
Guest
Posts: n/a

 
      10-23-2006
Ari wrote:

> Thanks for the response
> do you know where i can find a script for that i dont know how to make the
> script..


If you have Windows Server 2003, you may be able to select all users and
modify this setting in bulk. Otherwise, here is a VBScript program that uses
ADO to retrieve all user objects were the flag "Password never expires" is
set, then toggles this flag off for each of these users, and saves the
change. Since ADO cannot be used to modify AD objects, we retrieve the
Distinguished Names of the user, so we can bind to the corresponding
objects. A bit of the userAccountControl attribute is the flag for this
setting. We Xor with the appropriate bit mask to toggle the setting off.
===============
Option Explicit

Dim objRootDSE, strDNSDomain, objCommand, objConnection
Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
Dim strDN, lngPwdLastSet, objDate
Dim objUser, lngFlag

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Determine DNS domain name.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")

' Use ADO to search Active Directory.
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search all of Active Directory.
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects that have password never expires flag set.
strFilter = "(&(objectCategory=person)(objectClass=user)" _
& "(userAccountControl:1.2.840.113556.1.4.803:=65536 ))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Query Active Directory and return recordset.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

' Enumerate the recordset.
Do Until objRecordSet.EOF
' Retrieve the attribute value.
strDN = objRecordSet.Fields("distinguishedName")
' Bind to the corresponding user object.
Set objUser = GetObject("LDAP://" & strDN)
' Retrieve flags.
lngFlag = objUser.userAccountControl
' Toggle the bit for password never expires to turn it off.
lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
' Save the new value.
objUser.userAccountControl = lngFlag
' Save the change.
objUser.SetInfo
objRecordSet.MoveNext
Loop

' Clean up.
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net


 
Reply With Quote
 
Jorge Silva
Guest
Posts: n/a

 
      10-23-2006
Hi
Select all users at once and chabge that option at Once.

--
I hope that the information above helps you

Good Luck
Jorge Silva
MCSA
Systems Administrator
"Ari" <> wrote in message
news:E89BEEE8-86A9-44AA-AD35-...
> Hi,
>
> All accounts in AD when created Password Never Expiers was selected and
> now
> i wana implement a password polciy, how can i remove the check from
> password
> never expiers on all user in AD at once?
>
> Thanks for any help



 
Reply With Quote
 
Joe Richards [MVP]
Guest
Posts: n/a

 
      10-24-2006
All one line

adfind -b dc=domain,dc=com -bit -t 0 -f
"&(objectcategory=person)(useraccountcontrol:AND:= 65536)"
useraccountcontrol -adcsv | admod -sc uacclear:65536 -unsafe





--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Ari wrote:
> Hi,
>
> All accounts in AD when created Password Never Expiers was selected and now
> i wana implement a password polciy, how can i remove the check from password
> never expiers on all user in AD at once?
>
> Thanks for any help

 
Reply With Quote
 
Junior Member
Join Date: Aug 2011
Posts: 1

 
      08-04-2011
Hi Richard,

Thanks for the script that worked great.

I read all of comments in which ever blog I logon to. It would be very helpful for me.

But I need a little more help in the script.

I will provide a list of users (samaccountnames with password never expires set) in a text file. The script must read the file and compare with the AD users. if matched, it must toggle the bit else bypass to next line in the file.

I tried many takes but in vain

Can you help on this?

Any idea?

Thanks & Regards
Praveen
 
Reply With Quote
 
 
 
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
List all users with 'Password Never Expires' Tim Page Active Directory 3 09-03-2009 01:26 AM
Can't remove 'password never expires' from some users £Jim Active Directory 3 02-12-2009 11:16 AM
Password never expires Vista Basic Dennis Windows Vista Administration 4 09-04-2007 01:00 AM
Password never expires-can't force user to change password Marsha Active Directory 15 01-11-2005 04:07 PM
Change "Password Never Expires" In AD for all users Brady Snow Windows Server 1 12-06-2004 08:42 PM