Resetting "Password never expires" for all

G

Guest

Hello,

Reviewing my security policies and I'm looking to use domain wide password
expiration, with the exception of service accounts. Unfortunately when the
users were set up using a template, all of them have the checkbox "Password
never expires" checked". My understanding is this will override the policy,
so how can I uncheck this for all the users without having to touch every
account?
 
S

Steven L Umbach

If you have a Windows 2003 domain controller you can do multiple accounts at
one but since this is a Windows 2000 newsgroup I assume that is not the
case. If you have a Windows XP Pro domain computer that you could use as a
secure admin workstation you could install admikpak for Windows 2003 on it
which is a free download from Microsoft and use the AD command line tools to
do what you want with the dsquery and dsmod command line tools. Below is an
example of how you could do it by changing all the user accounts in a
particular OU as an example by piping the results of dsquery user to dsmod
..

http://www.microsoft.com/downloads/...15-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en
--- adminpak for W2003
http://www.microsoft.com/technet/pr...elp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
---- AD command line tools

F:\Documents and Settings\administrator.UMBACH1.000>dsquery user
OU=nyt,dc=mydomain,dc=com | dsmod user -pwdneverexpires no
dsmod succeeded:CN=john,OU=nyt,DC=mydomain,DC=com
dsmod succeeded:CN=ray,OU=nyt,DC=mydomain,DC=com
dsmod succeeded:CN=hal,OU=nyt,DC=mydomain,DC=com
dsmod succeeded:CN=fox,OU=nyt,DC=mydomain,DC=com
dsmod succeeded:CN=fred,OU=nyt,DC=mydomain,DC=com
 
G

Guest

Thanks Steven for the detailed response, I'm undecided if I'm brave enough to
do this yet, but appreciate the tip. I wish there was an easier way! Thanks
again..
 
S

Steven L Umbach

OK. Best practice would be to try it out on a few test users in a test OU
and as always you should have a current System State backup of at least one
domain controller so that you could do an authoritative restore of AD if
there was a problem. There is also a third party application called Hyena
that should be able to do what you want. --- Steve

http://www.systemtools.com/hyena/index.html -- Hyena from SomarSoft
 
B

Barry

MP said:
Hello,

Reviewing my security policies and I'm looking to use domain wide password
expiration, with the exception of service accounts. Unfortunately when the
users were set up using a template, all of them have the checkbox
"Password
never expires" checked". My understanding is this will override the
policy,
so how can I uncheck this for all the users without having to touch every
account?
Click to expand...


use ADModify.net, can be found at this memorable location:
http://www.gotdotnet.com/workspaces/workspace.aspx?id=f5cbbfa9-e46b-4a7a-8ed8-3e44523f32e2

v handy tool
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Implementing a Password Policy 5
Password Nerver Expires ACLs 1
Administrator Password Never Expires 3
Password Policy 1
password never expires grayed out 1
Windows 2003 Password Expiration 2
enabling "password never expires" for a group 1
Password never expires Vista Basic 4

Top