Change Pswrd at Next Log on

[BluesHead]

Hi Folks,

I have a need to change all user accounts within a certain OU to "User must
change password at next logon"

I was hoping that some one of you may have a script that I could modify that
might perform this for me. I do know that wildcards for cn do not work with
DSMOD and that there may be a way to pipe in the cn from a DSQUERY.

Not overly familiar with either comand so would appreciate any help with
this.

Many thanks in advance.

BluesHead.

 

[Richard Mueller [MVP]]

Hi Folks,

I have a need to change all user accounts within a certain OU to "User
must change password at next logon"

I was hoping that some one of you may have a script that I could modify
that might perform this for me. I do know that wildcards for cn do not
work with DSMOD and that there may be a way to pipe in the cn from a
DSQUERY.

Not overly familiar with either comand so would appreciate any help with
this.

Many thanks in advance.

BluesHead.

You need to assign 0 to the pwdLastSet attribute for all users in the OU. A
VBScript example:
=====
Option Explicit
Dim objOU, objUser

' Bind to the OU object, using Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com")

' Filter on user objects.
objOU.Filter = Array("user")

' Enumerate users.
For Each objUser In objOU
' Expire the password.
objUser.pwdLastSet = 0
' Save changes.
objUser.SetInfo
Next
======
You can also use Joe Richards' free command line utilities, adfind and
admod, for this. I think the syntax would be (watch line wrapping, this is
one line):

adfind -b "ou=West,dc=MyDomaind,dc=com" -f
"(&(objectCategory=person)(objectClass=user))" -dsq | admod "pwdLastSet::0"

Check the syntax on his web site and download the tools:

http://www.joeware.net/freetools/index.htm

Something similar might be possible with dsquery and dsmod. If so, you must
pipe the Distinguished Names (DN's) of all users in the OU from dsquery to
dsmod. The filter will be the same,
"(&(objectCategory=person)(objectClass=user))", the base will be the DN of
the OU. Again, the attribute is pwdLastSet and you want to assign 0 to
expire the password.

 

[Richard Mueller [MVP]]

You need to assign 0 to the pwdLastSet attribute for all users in the OU.
A VBScript example:
=====
Option Explicit
Dim objOU, objUser

' Bind to the OU object, using Distinguished Name of OU.
Set objOU = GetObject("LDAP://ou=West,dc=MyDomain,dc=com")

' Filter on user objects.
objOU.Filter = Array("user")

' Enumerate users.
For Each objUser In objOU
' Expire the password.
objUser.pwdLastSet = 0
' Save changes.
objUser.SetInfo
Next
======
You can also use Joe Richards' free command line utilities, adfind and
admod, for this. I think the syntax would be (watch line wrapping, this is
one line):

adfind -b "ou=West,dc=MyDomaind,dc=com" -f
"(&(objectCategory=person)(objectClass=user))" -dsq | admod
"pwdLastSet::0"

Check the syntax on his web site and download the tools:

http://www.joeware.net/freetools/index.htm

Something similar might be possible with dsquery and dsmod. If so, you
must pipe the Distinguished Names (DN's) of all users in the OU from
dsquery to dsmod. The filter will be the same,
"(&(objectCategory=person)(objectClass=user))", the base will be the DN of
the OU. Again, the attribute is pwdLastSet and you want to assign 0 to
expire the password.

I think the syntax for this task using dsquery / dsmod would be:

dsquery user "ou=West,dc=MyDomain,dc=com" | dsmod user -mustchpwd yes

 

[Paul Bergson [MVP-DS]]

I believe ADModify will provide the ability to do this for you. It is a
bulk modify graphical tool.

http://www.codeplex.com/admodify

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.