password never expires

nick

I have a 90 day password change policy which does not work
because every user account has the Password Never Expires
check box ticked. Is there a script I can run for all the
user accounts in AD to uncheck this box?
 
Matjaz Ladava [MVP]

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection


strBase = "<LDAP://ou=startou,dc=domain,dc=local>"
strFilter = ";(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
strAttributes = ";sAMAccountName,ADsPath"
strLevel = ";subtree"
strQuery = objCommand.CommandText = strBase & strFilter & strAttributes & strLevel

objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("sAMAccountName")
Set objUser = GetObject(objRS.Fields("ADsPath"))
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD

objUSer.SetInfo

objRecordSet.MoveNext
Loop
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

Beware that you must specify the right starting OU, so that you don't change any
system account.

--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
 
Max

"Matjaz Ladava [MVP]" said:
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection


strBase = "<LDAP://ou=startou,dc=domain,dc=local>"
strFilter = ";(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
strAttributes = ";sAMAccountName,ADsPath"
strLevel = ";subtree"
strQuery = objCommand.CommandText = strBase & strFilter & strAttributes & strLevel

objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
Wscript.Echo objRecordSet.Fields("sAMAccountName")
Set objUser = GetObject(objRS.Fields("ADsPath"))
intUAC = objUser.Get("userAccountControl")
objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD

objUSer.SetInfo

objRecordSet.MoveNext
Loop
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

Beware that you must specify the right starting OU, so that you don't change any
system account.

I keep getting the error:

Command text was not set for the command object.

Line 19, Char 1

Any ideas what the issue might be?

Thanks,
Max
 
Matjaz Ladava [MVP]

Here is the updated version.

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Open an ADO connection to Active Directory through the ADSI OLE DB provider
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search base: only users under this OU (and below) are touched
strBase = "<LDAP://ou=sales,dc=ladava,dc=com>"
' Match user objects whose userAccountControl has bit 65536 set
strFilter = ";(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
strAttributes = ";sAMAccountName,ADsPath"
strLevel = ";subtree"
objCommand.CommandText = strBase & strFilter & strAttributes & strLevel

objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    ' Show which account is being changed
    Wscript.Echo objRecordSet.Fields("sAMAccountName")
    Set objUser = GetObject(objRecordSet.Fields("ADsPath"))
    intUAC = objUser.Get("userAccountControl")
    ' XOR toggles the bit; the filter only returns accounts that have it set,
    ' so here it clears the flag
    objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    objRecordSet.MoveNext
Loop

' Clean up
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing


--

Regards

Matjaz Ladava, MCSA, MCSE, MCT, MVP
Microsoft MVP Windows Server - Active Directory
(e-mail address removed), (e-mail address removed)
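
Added example, not part of any post in this thread: a Python model of the filter and the flag update used in the script above, run offline over constructed sample accounts. It shows that XOR clears the flag only because the bit-AND filter pre-selects accounts that have it set, while AND NOT stays correct when re-run or used without the filter; the account names and helper functions are hypothetical.

```python
# Added illustration: models the thread's LDAP filter and flag update offline.
# The account records are constructed sample data, not from a real directory.

ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536, the value in the thread's filter


def bit_and_match(attr_value, mask):
    """Matching rule 1.2.840.113556.1.4.803 (bitwise AND):
    true only when every bit of mask is set in the attribute."""
    return (attr_value & mask) == mask


def clear_with_xor(uac):
    """What the thread's script does: toggles the bit."""
    return uac ^ ADS_UF_DONT_EXPIRE_PASSWD


def clear_with_mask(uac):
    """Idempotent alternative: the bit always ends up cleared."""
    return uac & ~ADS_UF_DONT_EXPIRE_PASSWD


def plan_changes(accounts, clear=clear_with_mask, use_filter=True):
    """Dry run: return {name: (old_uac, new_uac)} for accounts that would be written."""
    plan = {}
    for name, uac in accounts.items():
        if use_filter and not bit_and_match(uac, ADS_UF_DONT_EXPIRE_PASSWD):
            continue  # the LDAP filter would not have returned this account
        new_uac = clear(uac)
        if new_uac != uac:
            plan[name] = (uac, new_uac)
    return plan


# Constructed sample accounts (hypothetical names).
SAMPLE = {
    "alice": ADS_UF_NORMAL_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD,
    "bob": ADS_UF_NORMAL_ACCOUNT,
    "carol": ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE | ADS_UF_DONT_EXPIRE_PASSWD,
}

if __name__ == "__main__":
    print("filter + XOR:    ", plan_changes(SAMPLE, clear=clear_with_xor))
    print("no filter + XOR: ", plan_changes(SAMPLE, clear=clear_with_xor, use_filter=False))
    print("no filter + mask:", plan_changes(SAMPLE, use_filter=False))
```
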
 
Guest

Thanks Matjaz
The script is working fine!

In my requirement I need to uncheck both the
1) "user cannot change password"
2) "Password never expires" checkboxes

How to include this modification in the same script or in a separate script?
 
Chriss3

Configures a user account so that it will not expire. This is done by
setting the expiration date to 1/1/1970.

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

' Open an ADO connection to Active Directory through the ADSI OLE DB provider
Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection

' Search base: only users under this OU (and below) are touched
strBase = "<LDAP://ou=sales,dc=ladava,dc=com>"
' Match user objects whose userAccountControl has bit 65536 set
strFilter = ";(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
strAttributes = ";sAMAccountName,ADsPath"
strLevel = ";subtree"
objCommand.CommandText = strBase & strFilter & strAttributes & strLevel

objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    ' Show which account is being changed
    Wscript.Echo objRecordSet.Fields("sAMAccountName")
    Set objUser = GetObject(objRecordSet.Fields("ADsPath"))
    intUAC = objUser.Get("userAccountControl")
    ' XOR toggles the bit; the filter only returns accounts that have it set,
    ' so here it clears the flag
    objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
    ' Account expiration date set to 1/1/1970, as described above
    objUser.AccountExpirationDate = "01/01/1970"

    objUser.SetInfo
    objRecordSet.MoveNext
Loop

' Clean up
objConnection.Close
Set objRootDSE = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRecordSet = Nothing

User cannot change password is more advanced; I think you have to change the
NTSecurityDescriptor then. I leave that to Matjaz. Password never expires
should be fine.
 
Guest

Thanks Chriss3 for the script.
Observation:
The code is clearing the
* password never expires, and it also makes
User Object's Account - "Never Expires"

The code is not working if the User Object is having
* user must change password at next logon
* user cannot change password
selected.

Is this the default behaviour?

Expecting some code to clear the "user cannot change password" checkbox.
 
