Change password at next logon without resetting password or using

Discussion in 'Active Directory' started by Brian Edwards, Jan 9, 2008.

  1. Greetings!

    We had to dismiss two admin-level IT employees suddenly. They knew many end
    user passwords at the company. Changing all of the admin passwords is no
    problem, it's the end user passwords we're concerned about. Here is what we
    want to accomplish:

    - We want to force all users to change their passwords at the very next logon

    We do already employ a GPO that governs Password Policy, and it works great.
    Every 60 days users must change their passwords and the minimum age of a
    password is 5 days. Password History remembers 3 passwords, so it's
    difficult for them to use the same password over and over.

    Now, however, we need everyone to change their passwords relatively
    immediately. We've been instructed *NOT* to make this public knowledge by
    sending a general email asking everyone to change their passwords, which
    would be the easiest method. So, two questions come to mind:

    1. If, in Active Directory, we use the "Reset Password" function, can we
    leave the password fields blank but select the "User must change password at
    next logon" and have the users' current passwords still work at the next
    logon but have them still get prompted to immediately change their passwords?

    2. Is there a way to force password changes *at next logon* using a
    temporary GPO, and if so, how do we determine when all of the passwords have
    been changed? There may be some employees who do not login for a week or
    more, due to vacations and such.

    I've done a little research but haven't found these answers yet, and I'm
    pressed for time. I appreciate your assistance.

    Brian Edwards, Jan 9, 2008
    1. Advertisements

  2. You want to assign the value 0 (zero) to the pwdLastSet attribute of all
    user objects. This expires the password so the user must change it the next
    time they logon (if their passwords expire). You can use a script or a
    command line utility, like csvde, to do this.
    Richard Mueller [MVP], Jan 9, 2008
    1. Advertisements

  3. Awesome! That is what I will do then. Thank you sir!
    Brian Edwards, Jan 9, 2008
  4. A VBScript program to expire the password for all users in an OU:
    ' Bind to OU, using Distinguished Name of the OU.
    Set objOU = GetObject("LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com")

    ' Filter on user objects.
    objOU.Filter = Array("user")

    ' Enumerate all users in OU.
    For Each objUser In objOU
    ' Expire the password.
    objUser.pwdLastSet = 0
    A VBScript program using ADO to retrieve the Distinguished Names of all
    users, then bind to each user object and expire the password, would be:
    Option Explicit

    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes

    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

    ' Setup ADO objects.

    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    adoCommand.ActiveConnection = adoConnection

    ' Search entire Active Directory domain.

    Set objRootDSE = GetObject("LDAP://RootDSE")

    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on user objects.
    strFilter = "(&(objectCategory=person)(objectClass=user))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"

    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    ' Run the query.
    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF

    ' Retrieve Distinguished Name.
    strDN = adoRecordset.Fields("distinguishedName").Value

    ' Bind to the user object.

    Set objUser = GetObject("LDAP://" & strDN)

    ' Expire the password.

    objUser.pwdLastSet = 0

    ' Save changes.


    ' Move to the next record in the recordset.

    ' Clean up.


    Richard Mueller [MVP], Jan 9, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.