How to expire ALL acct. passwords?

Lamar Thomas

We are running Windows 2003 Servers as our domain controllers and about 5000
users. What we want to do is expire EVERYONE'S network acct. and make them
change their passwords at the end of this week (Friday). Any ideas on an
easy way to do this?


Thanks in advance,


Clayton
 
Tomasz Onyszko [MVP]

Lamar said:
We are running Windows 2003 Servers as our domain controllers and about 5000
users. What we want to do is expire EVERYONE'S network acct. and make them
change their passwords at the end of this week (Friday). Any ideas on an
easy way to do this?

You want to expire all passwords - not expire account? So just force
users to change the password? - It's easy with ADSI script, for each
account You should modify pwdLastSet and set it to 0:

http://www.rallenhome.com/books/adcookbook/src/06.21-must_change_passwd.vbs.txt

This will force users to change password at next logon.
 
barry

Lamar said:
We are running Windows 2003 Servers as our domain controllers and about 5000
users. What we want to do is expire EVERYONE'S network acct. and make them
change their passwords at the end of this week (Friday). Any ideas on an
easy way to do this?


Thanks in advance,


Clayton

Think you can possibly do this with ADModify. Though I'm at home at the
mo, and can't remember off the top of my head.

That's just in case you can't be arsed to script. Though if you can't, I
suggest learning. It's the way forward :)
 
Ulf B. Simon-Weidner [MVP]

Lamar Thomas said:
We are running Windows 2003 Servers as our domain controllers and about 5000
users. What we want to do is expire EVERYONE'S network acct. and make them
change their passwords at the end of this week (Friday). Any ideas on an
easy way to do this?

Hello Lamar,

That's also pretty easy via the command line, the command should look
like

Dsquery user domainroot | dsmod user -mustchpwd yes

Please test that first, I can't test that right now - minor
modifications might be necessary. Also note that you might not want all
user accounts (like the administrator, service accounts) so should
modify the scope of your search as necessary (e.g. to a MyCorpUsers-OU)
instead of using the domainroot.

--
Gruesse - Sincerely,

Ulf B. Simon-Weidner

MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
WebSite: http://www.windowsserverfaq.org
 
Joe Richards [MVP]

adfind -b dc=domain,dc=com -f samaccounttype=805306368 |admod pwdlastset::0

That will expire every userid's password that you have permission to expire.

If you want to focus on a specific OU, specify that in the base DN specified by -b

You can get adfind and admod from www.joeware.net

joe
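
The scoped form of the pwdLastSet change discussed in this thread, as an added example that is not part of any post: it reuses the sAMAccountType filter from the last reply, limits the search to one OU, skips disabled and password-never-expires accounts, and only reports unless -Apply is given. The OU path, the -Apply switch and the report file name are assumptions.

```powershell
# Added example, not from the thread. The OU path below is a placeholder.
param(
    [string]$SearchBase = 'LDAP://OU=MyCorpUsers,DC=domain,DC=com',  # placeholder DN
    [switch]$Apply   # without -Apply the script changes nothing and only reports
)

# sAMAccountType=805306368 selects normal user objects (filter from the thread).
# The bitwise clauses skip disabled accounts (userAccountControl bit 2) and
# accounts flagged "password never expires" (bit 65536), typically service accounts.
$filter = '(&(sAMAccountType=805306368)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))'

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
$searcher.Filter     = $filter
$searcher.PageSize   = 1000   # paged search; an unpaged one stops at 1000 entries
[void]$searcher.PropertiesToLoad.Add('sAMAccountName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $name   = [string]$r.Properties['samaccountname'][0]
    $dn     = [string]$r.Properties['distinguishedname'][0]
    $status = 'would-expire'
    if ($Apply) {
        try {
            $user = $r.GetDirectoryEntry()
            $user.Properties['pwdLastSet'].Value = 0   # 0 = must change at next logon
            $user.CommitChanges()
            $user.Dispose()
            $status = 'expired'
        } catch {
            # Usually a permissions failure on a protected or delegated account.
            $status = "failed: $($_.Exception.Message)"
        }
    }
    New-Object PSObject -Property @{ Account = $name; DN = $dn; Status = $status }
}
$results.Dispose()

# Keep a record of exactly which accounts were touched, then summarise.
$report | Export-Csv -Path .\pwd-expire-report.csv -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

Review the CSV from a run without -Apply before making the change, so any privileged or application accounts left in scope are caught first.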
 
