uxphreak

asked on

Resetting all user accounts to change their password within the next 14 days

Hello,

I was wondering if there is a way to reset all user accounts in AD to require them to change their passwords within the next 14 days. Some of the users have been on the domain for over a year, while most have been in the domain for almost 90 days, and the remaining users have been added within the last 60 days. I know I can create a GPO and set the Password Policy, but I need a way to effectively handle the user accounts that have not changed their passwords since their accounts have been in the Domain.

Is there a way to assign/change the date the user's password was last changed? If so, I could write a VBScript program that would reset those accounts that have not changed their password within the last 90 days and create the Password Policy, which would allow Windows to notify the user to change their password in the next 14 days when they log in.

Thanks.
dnudelman

Under the security policy reset account expiry to disabled.
Apply.
Set account to expire in 14 days again.
You should get the desired result.
Will it be fine if we can find the password last changed for all the users?
ASKER CERTIFIED SOLUTION
LauraEHunterMVP
uxphreak

ASKER

Thanks, everyone, for the response.

I had found the code MeCanHelp posted prior to posting my question, and after receiving LauraEHunterMVP's response I chose to modify that code to perform e-mail notification to users so that they are aware they will need to change their password.

Once I complete my tweaks I'll post the final code.

Thanks again.
Somewhat similar to the code MeCanHelp referenced, I've made some additions that identify users whose passwords will be expiring on a given date, send them an e-mail notification 14 days prior to that date (or whenever the script is run), set their account to require the user to change their password upon next logon on the date it is set to expire, and disable the account if the expiration date has been reached.

Your comments/additions are much appreciated, and also please be aware that my code may not be as efficient as possible due to my limited programming experience.

Thanks to everyone for their input.
'==========================================================================
'
' NAME: PswdExpireEmail.vbs
'
' AUTHOR:  David Varela, vbScript N00b
' DATE:  12/07/2007
' VERSION:  1.0
'
' COMMENT:  Determine when a user's password was last changed, and if the password
'           is 14 days from expiring send him/her an e-mail advising their password
'           must be changed.  The logic defines variables for the user's sAMAccountName,
'           DistinguishedName, mail, and DisplayName values, and identifies the OU the
'           user is contained in.  If the user does not have an e-mail address, their
'           supervisor, identified by the OU the user exists in, will be sent an e-mail
'           regarding the user's password expiration status.  If the user does not change
'           their password before the day it is set to expire, their account will be set
'           to change their password on the day it is set to expire.  If the user does
'           not change their password on or before the date it is set to expire, the
'           account will be disabled.
'
'==========================================================================
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

'Specify the date to evaluate against: passwords older than 90 days on this date are treated as expiring.
'It is also used in the e-mail text, so it only has to be changed here.
dtmTargetDate = #12/21/2007#

'''''''''''''''''''''''''''
'Create an Array of sAMAccountNames that you wish to exclude from being evaluated by this script.
'VBScript arrays are zero-based, so the value in parentheses is one less than the number of items.
'''''''''''''''''''''''''''
Dim UserArray(0)
UserArray(0) = "GAK" 'Replace GAK with the sAMAccountName of the user to exclude; add UserArray(1), (2), ... for more

'''''''''''''''''''''''''''
'ADO is used to access Active Directory.  This should not be changed
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://rootDSE")

'Read the domain's naming context (DC=...,DC=...) from the DC instead of hard-coding it
strDefaultNC = objRootDSE.Get("defaultNamingContext")

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

'''''''''''''''''''''''''''
'The SELECT statement retrieves each user's DisplayName, mail, DistinguishedName, and sAMAccountName values for all users in
'Active Directory
objCommand.CommandText = "SELECT DisplayName,mail,DistinguishedName,sAMAccountName FROM 'LDAP://" & strDefaultNC & "'" & _
    " WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

'The meat of the logic is defined in the following DO Loop.
'This loop will execute for each user in AD, except for those specified in UserArray
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strUser = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("DistinguishedName").Value
    strMail = objRecordSet.Fields("mail").Value
    strFullName = objRecordSet.Fields("DisplayName").Value

    'The OU the user sits in is the second component of the DN, minus its "OU=" prefix
    arrPath = Split(strDN, ",")
    strOU = Mid(arrPath(1), 4)

    'This is where the user will be checked against UserArray.
    'If the user exists in the array, flag it for exclusion
    blnExcluded = False
    For Each b In UserArray
        If b = strUser Then blnExcluded = True
    Next

    'If the user is not in UserArray, perform the Password Expiration check
    If Not blnExcluded Then
        Set objUserLDAP = GetObject("LDAP://" & strDN)
        intCurrentValue = objUserLDAP.Get("userAccountControl")

        If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
            'The user's password is set to not expire, so do nothing further
            WScript.Echo "The password for user " & strUser & " was set to not expire."
        Else
            'PasswordLastChanged raises an error when pwdLastSet is 0 (change already required at next logon);
            'clear Err first so a stale value from the previous user is never evaluated
            Err.Clear
            dtmValue = objUserLDAP.PasswordLastChanged 'The latest date the user changed her/his password
            intDays = DateDiff("d", Now, dtmTargetDate) 'Days from today until the target date
            dtm90Days = DateAdd("d", -90, dtmTargetDate) 'Passwords last changed before this date expire on the target date

            If Err.Number <> 0 Then
                WScript.Echo "User " & strUser & " is already required to change password at next logon."
                Err.Clear
            ElseIf DateValue(dtmValue) < dtm90Days And intDays > 0 Then
                'The user's password will expire on the target date AND today is before that date: send an e-mail.
                'CDO.Message sends through the local SMTP service unless a Configuration is supplied.
                If strMail <> "" Then
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strMail
                    objEmail.Subject = "Password about to expire."
                    objEmail.Textbody = "Your password will expire in " & intDays & " days.  Please change your" & _
                        " password before " & FormatDateTime(dtmTargetDate, vbLongDate) & " to avoid being restricted" & _
                        " from the Domain.  If you have any questions please contact the IT Department."
                    objEmail.Send
                Else 'If the user does not have an e-mail address, send an e-mail to their supervisor
                    If strOU = "<OU Name1>" Then
                        strTo = "<Supervisor1 e-mail address>"
                    ElseIf strOU = "<OU Name2>" Then
                        strTo = "<Supervisor2 e-mail address>"
                    Else
                        strTo = "<IT e-mail address>"
                    End If
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strTo
                    objEmail.Subject = "Password about to expire for " & strFullName & "."
                    objEmail.Textbody = strFullName & "'s password will expire in " & intDays & " days." & _
                        "  Please advise her/him that she/he must change her/his password before " & _
                        FormatDateTime(dtmTargetDate, vbLongDate) & " to avoid being restricted from the Domain." & _
                        "  If you have any questions please contact the IT Department."
                    objEmail.Send
                End If
            ElseIf DateValue(dtmValue) < dtm90Days And intDays = 0 Then
                'The password expires at the end of today: require a change at next logon.
                'pwdLastSet accepts only 0 (must change at next logon) or -1 (set to the current time).
                objUserLDAP.Put "pwdLastSet", 0
                objUserLDAP.SetInfo
                WScript.Echo "User " & strUser & "'s account has been set to change password upon next logon."
            ElseIf DateValue(dtmValue) < dtm90Days And intDays < 0 Then
                'The target date has passed without a password change: disable the account
                objUserLDAP.AccountDisabled = True
                objUserLDAP.SetInfo
                WScript.Echo "User " & strUser & "'s account has been disabled due to expired password."
            Else 'This user's password has been changed recently, so do nothing
                WScript.Echo strFullName & "'s password was last changed on " & DateValue(dtmValue)
            End If
        End If
    End If
    objRecordSet.MoveNext
Loop

Set objCommand.ActiveConnection = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRootDSE = Nothing
Set objRecordSet = Nothing
Set objUserLDAP = Nothing
Set objEmail = Nothing

WScript.Quit
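The classification the script above performs (skip never-expiring passwords, warn 14 days out, force a change on the expiry date, disable afterwards), written here as an added example that is not part of the original post or the asker's script, in Python so the date arithmetic can be checked offline against the raw attribute values: pwdLastSet is a count of 100 ns ticks since 1601-01-01 UTC, maxPwdAge on the domain head is a negative tick count, and pwdLastSet = 0 means a change is already required at next logon. The flag value and attribute names are AD's own; the sample users, the 90-day maximum age and the 12/07/2007 run date are constructed.

```python
from datetime import datetime, date, timedelta, timezone

ADS_UF_DONT_EXPIRE_PASSWD = 0x10000        # same userAccountControl flag the VBScript tests
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 10_000_000 * 86400          # 100 ns ticks in one day
NOTIFY_WINDOW_DAYS = 14                     # the asker's warning period

def filetime_for(y, m, d):
    """Encode a UTC date the way pwdLastSet stores it: 100 ns ticks since 1601."""
    dt = datetime(y, m, d, tzinfo=timezone.utc)
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def filetime_to_date(ft):
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).date()

def max_pwd_age_days(max_pwd_age):
    """maxPwdAge on the domain head is a *negative* Integer8 tick count."""
    return -max_pwd_age // TICKS_PER_DAY

def classify(user, max_pwd_age, today):
    """Bucket a user as the posted script does: skip, must-change, notify, expired or ok."""
    if user["userAccountControl"] & ADS_UF_DONT_EXPIRE_PASSWD:
        return "skip"            # password never expires; nothing to do
    if user["pwdLastSet"] == 0:
        return "must-change"     # already forced to change at next logon
    expires = filetime_to_date(user["pwdLastSet"]) + timedelta(days=max_pwd_age_days(max_pwd_age))
    days_left = (expires - today).days
    if days_left < 0:
        return "expired"         # the script disables the account here
    if days_left <= NOTIFY_WINDOW_DAYS:
        return "notify"          # the script e-mails the user or supervisor
    return "ok"

def plan(users, max_pwd_age, today):
    return {u["sAMAccountName"]: classify(u, max_pwd_age, today) for u in users}

# Constructed sample data: a 90-day maxPwdAge and the script's 12/07/2007 run date.
MAX_PWD_AGE_90_DAYS = -90 * TICKS_PER_DAY
RUN_DATE = date(2007, 12, 7)
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "pwdLastSet": filetime_for(2007, 9, 22)},
    {"sAMAccountName": "bob",   "userAccountControl": 0x200, "pwdLastSet": filetime_for(2007, 8, 1)},
    {"sAMAccountName": "svc",   "userAccountControl": 0x10200, "pwdLastSet": filetime_for(2006, 1, 1)},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "dave",  "userAccountControl": 0x200, "pwdLastSet": filetime_for(2007, 11, 20)},
]

if __name__ == "__main__":
    for name, bucket in plan(SAMPLE_USERS, MAX_PWD_AGE_90_DAYS, RUN_DATE).items():
        print(f"{name:6} {bucket}")
```

Running it on the constructed data lands alice (last changed 2007-09-22, expiring exactly on 12/21/2007) in the notify bucket, bob in expired, the service account in skip, carol in must-change and dave in ok.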
