Uncheck Password Never Expires for All Users

Discussion in 'Active Directory' started by Ari, Oct 23, 2006.

  1. Ari

    Ari Guest


    When all accounts in AD were created, Password Never Expires was selected, and now
    I want to implement a password policy. How can I remove the check from Password
    Never Expires on all users in AD at once?

    Thanks for any help
    Ari, Oct 23, 2006

  2. Ari

    Ari Guest

    Thanks for the response
    Do you know where I can find a script for that? I don't know how to make the
    Ari, Oct 23, 2006

  3. Jorge de Almeida Pinto [MVP - DS], Oct 23, 2006
  4. If you have Windows Server 2003, you may be able to select all users and
    modify this setting in bulk. Otherwise, here is a VBScript program that uses
    ADO to retrieve all user objects where the flag "Password never expires" is
    set, then toggles this flag off for each of these users, and saves the
    change. Since ADO cannot be used to modify AD objects, we retrieve the
    Distinguished Names of the users, so we can bind to the corresponding
    objects. A bit of the userAccountControl attribute is the flag for this
    setting. We Xor with the appropriate bit mask to toggle the setting off.
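    Option Explicit

    ' Bit of userAccountControl that marks "Password never expires" (65536).
    Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
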
    Dim objRootDSE, strDNSDomain, objCommand, objConnection
    Dim strBase, strFilter, strAttributes, strQuery, objRecordSet
    Dim strDN, lngPwdLastSet, objDate
    Dim objUser, lngFlag


    ' Determine DNS domain name.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")

    ' Use ADO to search Active Directory.
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection

    ' Search all of Active Directory.
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on user objects that have password never expires flag set.
    strFilter = "(&(objectCategory=person)(objectClass=user)" _
    & "(userAccountControl:1.2.840.113556.1.4.803:=65536))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"

    ' Query Active Directory and return recordset.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute

    ' Enumerate the recordset.
    Do Until objRecordSet.EOF
        ' Retrieve the attribute value.
        strDN = objRecordSet.Fields("distinguishedName").Value
        ' Escape any forward slash so the ADsPath binds correctly.
        strDN = Replace(strDN, "/", "\/")
        ' Bind to the corresponding user object.
        Set objUser = GetObject("LDAP://" & strDN)
        ' Retrieve flags.
        lngFlag = objUser.userAccountControl
        ' Toggle the bit for password never expires to turn it off.
        ' (The filter above returns only users that have the bit set.)
        lngFlag = lngFlag Xor ADS_UF_DONT_EXPIRE_PASSWD
        ' Save the new value.
        objUser.userAccountControl = lngFlag
        ' Save the change.
        objUser.SetInfo
        ' Move to the next record.
        objRecordSet.MoveNext
    Loop

    ' Clean up.
    objRecordSet.Close
    objConnection.Close
    Set objRootDSE = Nothing
    Set objCommand = Nothing
    Set objConnection = Nothing
    Set objRecordSet = Nothing
    Richard Mueller, Oct 23, 2006
  5. Ari

    Jorge Silva Guest

    Select all users at once and change that option at once.

    I hope that the information above helps you

    Good Luck
    Jorge Silva
    Systems Administrator
    Jorge Silva, Oct 23, 2006
  6. All one line

    adfind -b dc=domain,dc=com -bit -t 0 -f useraccountcontrol -adcsv | admod -sc uacclear:65536 -unsafe

    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition

    ---O'Reilly Active Directory Third Edition now available---

    Joe Richards [MVP], Oct 24, 2006
  7. Ari


    Hi Richard,

    Thanks for the script that worked great.

    I read all of the comments in whichever blog I log on to. It would be very helpful for me.

    But I need a little more help with the script.

    I will provide a list of users (sAMAccountNames with password never expires set) in a text file. The script must read the file and compare with the AD users. If matched, it must toggle the bit, else bypass to the next line in the file.

    I tried many takes, but in vain.

    Can you help on this?

    Any idea?

    Thanks & Regards
    mohanapraveent, Aug 4, 2011
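
The request in the last post (clear the flag only for accounts named in a text file), as an added PowerShell example that is not part of the thread or of any poster's script. It assumes the ActiveDirectory module is installed and a hypothetical input file with one sAMAccountName per line; it clears the bit with a mask (And Not) instead of Xor, because a listed account may not have the flag set and Xor would then switch it on.

```powershell
# Added example, not from the thread. Needs the RSAT ActiveDirectory module.
# Assumed input: a text file (any name), one sAMAccountName per line.
#   .\Clear-PwdNeverExpires.ps1 -ListPath .\users.txt          # dry run
#   .\Clear-PwdNeverExpires.ps1 -ListPath .\users.txt -Apply   # write changes
param(
    [Parameter(Mandatory)][string]$ListPath,
    [switch]$Apply
)
Import-Module ActiveDirectory

$DONT_EXPIRE_PASSWD = 0x10000   # 65536, the bit the thread's LDAP filter tests

foreach ($line in Get-Content -Path $ListPath) {
    $name = $line.Trim()
    if (-not $name) { continue }                      # blank line

    # Never place wildcard or grouping characters from a file into a filter.
    if ($name -match '[*()\\]') {
        Write-Warning "skipped, LDAP filter characters in name: $name"
        continue
    }

    # Returns nothing (no error) when the name does not exist in AD.
    $user = Get-ADUser -LDAPFilter "(sAMAccountName=$name)" `
                       -Properties userAccountControl, PasswordLastSet
    if (-not $user) {
        Write-Warning "not found in AD, skipped: $name"
        continue
    }

    $uac = $user.userAccountControl
    if (-not ($uac -band $DONT_EXPIRE_PASSWD)) { continue }   # already clear

    # Clear only this bit; every other account-control flag is preserved.
    $newUac = $uac -band (-bnot $DONT_EXPIRE_PASSWD)

    # Without -Apply this runs as -WhatIf and changes nothing.
    Set-ADUser -Identity $user -Replace @{ userAccountControl = $newUac } `
               -WhatIf:(-not $Apply)

    # One record per affected account, for review or Export-Csv.
    [pscustomobject]@{
        SamAccountName  = $user.SamAccountName
        PasswordLastSet = $user.PasswordLastSet
        OldUac          = $uac
        NewUac          = $newUac
        Applied         = [bool]$Apply
    }
}
```

PasswordLastSet is reported because an account whose password is older than the domain's maximum password age is treated as expired as soon as the flag is cleared.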