heymanr
asked on
Expire an Active Directory user's account password
Is it possible to expire an Active Directory user's account password rather than set the option "User must change password at next logon"? I'm doing some testing with OWA and need a genuine expired password and can figure out how to expire the password.
Any help would be appreciated.
Thx
Mark is correct, this is done in the domain security policy. The default is 42 days. You can exempt certain user accounts from having the password expire by selecting the 'Password does not expire' option in the user account but other than this you cannot set different time periods for different users.
Note that unlike many GPO settings, different OUs cannot have different password policies - this is a domain level setting.
ASKER
Would it be possible through a script to reset the password?
ASKER
Moderator: Can this question be added to Programming > Languages > Visual Basic > VB Scripting ?
Thanks,
It's handled by the pwdLastSet attribute.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/jul05/hey0706.mspx
Sorry, I've re-read your request and the link that I posted and realised that the posted link doesn't _quite_ meet the requirement. Expired passwords are detected when the pwdLastSet attribute is either 0 or when the attribute contains a date that is greater than the domain security policy allows.
Unfortunately, pwdlastset uses a special date format involving the number of nanoseconds since Jan 1, 1601.
Therefore, to simulate a natural password expiry, you would change an account's pwdlastset to x days in the past. I've found a link [1] that describes the logic but it doesn't use VBScript. There are 86400000 nanoseconds in a day so you could use that to calculate a date in the past.
[1] http://www.irishdev.com/blogs/jbrennan/archive/2005/09/02/973.aspx
You can use the following scriptlet to populate a selected user's pwdlastset attribute.
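' Number of days to go back (negative = in the past).
DaysAgo = -45
' Now() is local time; pwdLastSet is kept in UTC, so the result
' is off by the local UTC offset.
dtmAdjusted = DateAdd("d", DaysAgo, Now())
' Find number of seconds since 1/1/1601.
lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)
' Convert the number of seconds to a string
' and convert to 100-nanosecond intervals
' (appending seven zeros multiplies by 10,000,000).
str64Bit = CStr(lngSeconds) & "0000000"
Wscript.Echo "Integer8 value: " & str64Bit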
(Thanks to Richard Mueller http://www.rlmueller.net/Programs/DateToInteger8.txt)
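Added example, not part of the original thread or of the linked scripts: a Python sketch of how the Integer8 value described above is built (100-nanosecond intervals since 1 January 1601 UTC) and how expiry follows from pwdLastSet, the domain's maximum password age and the 'Password does not expire' flag. The function names, the state labels and the sample date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one tick = 100 nanoseconds
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
DONT_EXPIRE_PASSWD = 0x10000             # userAccountControl bit behind "Password does not expire"


def to_integer8(moment):
    """Convert a timezone-aware datetime to ticks since 1601-01-01 UTC."""
    delta = moment - EPOCH_1601
    whole_seconds = delta.days * 86_400 + delta.seconds
    return whole_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_integer8(ticks):
    """Convert an Integer8 tick count back to a UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def password_state(pwd_last_set, max_age_days, uac, now):
    """Classify an account from its pwdLastSet and userAccountControl values.

    max_age_days is the domain policy's maximum password age in days
    (0 means passwords never expire); now is a timezone-aware datetime.
    """
    if uac & DONT_EXPIRE_PASSWD or max_age_days == 0:
        return "never expires"
    if pwd_last_set == 0:
        return "must change at next logon"
    expires_at = pwd_last_set + max_age_days * TICKS_PER_DAY
    return "expired" if to_integer8(now) >= expires_at else "valid"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample date
    old = to_integer8(now - timedelta(days=45))       # password set 45 days ago
    print("Integer8 value:", old, "=", from_integer8(old).isoformat())
    print("Normal account, 42-day policy:", password_state(old, 42, 0x200, now))
    print("Same account, flag set:", password_state(old, 42, 0x200 | DONT_EXPIRE_PASSWD, now))
    print("pwdLastSet = 0:", password_state(0, 42, 0x200, now))
```

Active Directory accepts only 0 or -1 when pwdLastSet is written directly, so a computed value like this is useful for reading and checking the attribute rather than for writing it.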
ASKER
Ryan~ I'm kind of dumbfounded when it comes to script writing... how do I associate this script with a user?
ASKER CERTIFIED SOLUTION
Mark