Win 2000 and w2k3 domain controllers
Is there a way to remove the "password never expires" attribute on all my user accounts without having to do it manually for each user? (Command line? Script?)
Also, how can I expire everyone's (or a group of accounts) in order to employ a new strong password policy?
Thanks
To answer your first question:
1) From ADUC on Win2K3 you can select multiple users and clear this
checkbox.
2) From Win2K3:
dsmod user <Object DN> -pwdneverexpires no
and combine it with dsquery user to perform the action on a subset
selected by various criteria like this:
dsquery user "ou=MyOU,dc=sample,dc=com" | dsmod user -pwdneverexpires no
3) Using a script. For a single user:
' userAccountControl bit for "Password never expires"
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
Set objUser = GetObject _
    ("LDAP://cn=User1,ou=test,dc=sample,dc=com")
intUAC = objUser.Get("userAccountControl")
' Only toggle the bit when it is currently set
If ADS_UF_DONT_EXPIRE_PASSWD AND intUAC Then
    objUser.Put "userAccountControl", intUAC XOR _
        ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    WScript.Echo "Password never expires is now disabled"
Else
    WScript.Echo "Already disabled"
End If
Check out TechNet Script Center for samples on how to execute this for
multiple users.
As for enforcing the new password policy, it's enough to select "User
must change password at next logon" for the user accounts. Again, you
can do this in one of the above ways.
HTH
--
Cheers,
Marin Marinov
MCT, MCSE 2003/2000/NT4.0,
MCSE:Security 2003/2000, MCP+I
-
This posting is provided "AS IS" with no warranties, and confers no
rights.
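
Added example, not part of the original posts: the single-user script above extended to every user object directly under one OU, clearing "Password never expires" and setting "User must change password at next logon" in the same write. The OU path reuses the sample DN from the post and is an assumption; the variable names are illustrative.

```vbscript
Option Explicit

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
' Assumption: sample OU from the post; replace with the OU to process.
Const TARGET_OU = "LDAP://ou=test,dc=sample,dc=com"

Dim objOU, objUser, intUAC, intChanged, intFailed

Set objOU = GetObject(TARGET_OU)
objOU.Filter = Array("user")   ' enumerate user-class children only

intChanged = 0
intFailed = 0

For Each objUser In objOU
    ' Defensive check so computer or contact objects are never touched.
    If LCase(objUser.Class) = "user" Then
        intUAC = objUser.Get("userAccountControl")

        ' "And Not" clears the bit whether or not it was set,
        ' so no per-user If test is needed.
        objUser.Put "userAccountControl", _
            intUAC And Not ADS_UF_DONT_EXPIRE_PASSWD

        ' pwdLastSet = 0 is the value behind the
        ' "User must change password at next logon" checkbox.
        objUser.Put "pwdLastSet", 0

        ' Commit both attributes; report failures and keep going.
        On Error Resume Next
        objUser.SetInfo
        If Err.Number = 0 Then
            intChanged = intChanged + 1
            WScript.Echo "Updated: " & objUser.Name
        Else
            intFailed = intFailed + 1
            WScript.Echo "FAILED:  " & objUser.Name & _
                " (0x" & Hex(Err.Number) & ")"
            Err.Clear
        End If
        On Error GoTo 0
    End If
Next

WScript.Echo intChanged & " updated, " & intFailed & " failed"
```

The loop covers only objects directly in the OU, not those in child OUs. Service accounts that rely on a non-expiring password should be moved out of the target OU before running it, since they will be forced to change password like any other user.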