The script that forces the user to change their password at next login is
something like this:
Set objUser = GetObject ("LDAP://CN=user,OU=yourou,DC=domain,DC=com")
objUser.Put "pwdLastSet", 0
objUser.SetInfo
Now you just need to wrap this with an LDAP query, so that the final result
is something like this:
' Build the ADO query: <base>;filter;attributes;scope
Set objDSE = GetObject("LDAP://rootDSE")
strBase = "<LDAP://OU=yourstartOU," & objDSE.Get("defaultNamingContext") & ">;"
strFilter = "(&(objectClass=user)(objectCategory=person));"
strAttrs = "ADsPath;"
strScope = "Subtree"
Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=ADsDSOObject"
Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
While Not objRS.EOF
    ' Attach to the user object
    Set objUser = GetObject(objRS.Fields("ADsPath"))
    ' pwdLastSet = 0 marks the password as expired
    objUser.Put "pwdLastSet", 0
    objUser.SetInfo
    WScript.Echo "Done"
    objRS.MoveNext
Wend
Schedule this script as a task to run after a few days (under an account that
has permission to modify user objects) and notify users prior.
Hope this helps. You could also use ADModify (search google.com) to do this.
--
Regards
Matjaz Ladava
MVP Windows Server - Directory Services
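
Added example, not part of the original post: a variant of the loop above that starts in dry-run mode, pages the ADO query so it is not cut off at the server's result limit, and reports per-account failures. The DRY_RUN switch, the choice to skip disabled and "password never expires" accounts, and the page size of 500 are assumptions of this example; OU=yourstartOU is the same placeholder the post uses.

```vbscript
Option Explicit
Const DRY_RUN = True                        ' assumption: set to False to actually write pwdLastSet
Const START_OU = "OU=yourstartOU"           ' placeholder, as in the post
Const BIT_AND = "1.2.840.113556.1.4.803"    ' LDAP bitwise-AND matching rule
Dim objDSE, objConn, objCmd, objRS, objUser, strFilter, lngChanged, lngFailed

Set objDSE = GetObject("LDAP://rootDSE")
' Person accounts only. Skips disabled accounts (bit 2) and accounts flagged
' "password never expires" (bit 65536), where pwdLastSet = 0 is not enforced.
strFilter = "(&(objectClass=user)(objectCategory=person)" & _
            "(!(userAccountControl:" & BIT_AND & ":=2))" & _
            "(!(userAccountControl:" & BIT_AND & ":=65536)))"

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
' Without paging, the query stops at the server's result limit (1000 by default).
objCmd.Properties("Page Size") = 500
objCmd.CommandText = "<LDAP://" & START_OU & "," & _
    objDSE.Get("defaultNamingContext") & ">;" & strFilter & _
    ";ADsPath,sAMAccountName;Subtree"

Set objRS = objCmd.Execute
lngChanged = 0 : lngFailed = 0
Do Until objRS.EOF
    If DRY_RUN Then
        WScript.Echo "Would expire: " & objRS.Fields("sAMAccountName").Value
    Else
        On Error Resume Next
        Set objUser = GetObject(objRS.Fields("ADsPath").Value)
        objUser.Put "pwdLastSet", 0
        objUser.SetInfo
        If Err.Number = 0 Then
            lngChanged = lngChanged + 1
        Else
            lngFailed = lngFailed + 1
            WScript.Echo "FAILED " & objRS.Fields("ADsPath").Value & ": " & Err.Description
        End If
        Err.Clear
        On Error GoTo 0
    End If
    objRS.MoveNext
Loop
WScript.Echo "Changed: " & lngChanged & "  Failed: " & lngFailed
objConn.Close
```

Run it with cscript so the output goes to the console, and keep the dry-run listing as a record of which accounts the scheduled run will touch.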