
Solved

Resetting all user accounts to change their password within the next 14 days

Posted on 2007-12-05
Last Modified: 2008-05-31
Hello,

I was wondering if there is a way to reset all user accounts in AD to require them to change their passwords within the next 14 days.  Some of the users have been on the domain for over a year, while most have been in the domain for almost 90 days, and the remaining users have been added within the last 60 days.  I know I can create a GPO and set the Password Policy, but I need a way to effectively handle the user accounts that have not changed their passwords since their accounts have been in the Domain.

Is there a way to assign/change the date the user's password was last changed?  If so I could write a vbscript program that would reset those accounts that have not changed their password within the last 90 days and create the Password Policy, which would allow Windows to notify the user to change their password in the next 14 days when they log in.

Thanks.
Question by:uxphreak
8 Comments
 
LVL 6

Expert Comment

by:dnudelman
ID: 20412909
Under the security policy reset account expiry to disabled.
Apply.
Set account to expire in 14 days again.
You should get the desired result.
 
LVL 12

Expert Comment

by:chandru_sol
ID: 20412913
Will it be fine if we can find the password last changed for all the users?
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 1050 total points
ID: 20412969
dnudelman's instructions are incorrect - setting an expiration date on a user's account will prevent the user from logging in entirely; it expires the entire account, not the password.

Unfortunately, the date/time that a password was last set cannot be modified by an administrator; this field is controlled internally by Active Directory.  The closest you can come to the behaviour you are describing is to flag the "user must change password on next logon" feature on the user account, but this will not achieve the "within 14 days" requirement.

Best way to achieve this, IMO, will be to set the "user must change..." flag in stages so that your help desk is not flooded with calls: if you have 1000 users, set this flag on 50 users at a time until finished, for example.
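A staged version of this approach, written as an added example rather than code from the thread: each run flags "user must change password at next logon" (which writes pwdLastSet = 0, the one value an administrator can set on that attribute) on the next batch of 50 accounts whose password is older than 90 days. It assumes the ActiveDirectory PowerShell module is installed and uses a placeholder OU.

```powershell
# Added example (not from the thread): set "must change password at next logon"
# in batches, so the help desk is not flooded. Assumes the ActiveDirectory
# module (RSAT); the OU below is a placeholder. Run with -WhatIf first.
param(
    [string]$SearchBase = "OU=Users,DC=example,DC=com",  # placeholder OU
    [int]$MaxAgeDays = 90,   # passwords older than this are due for a change
    [int]$BatchSize  = 50,   # accounts flagged per run
    [int]$BatchIndex = 0,    # run 0 today, 1 tomorrow, and so on
    [switch]$WhatIf
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Enabled accounts only. Skip "password never expires" accounts (as the scripts
# in this thread do) and accounts already flagged (pwdLastSet = 0), so re-runs
# never touch the same account twice.
$stale = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet |
    Where-Object {
        -not $_.PasswordNeverExpires -and
        $_.pwdLastSet -ne 0 -and
        $null -ne $_.PasswordLastSet -and
        $_.PasswordLastSet -lt $cutoff
    } |
    Sort-Object PasswordLastSet)   # oldest passwords first

$batch = @($stale | Select-Object -Skip ($BatchIndex * $BatchSize) -First $BatchSize)
Write-Host ("{0} stale accounts; batch {1} contains {2}" -f $stale.Count, $BatchIndex, $batch.Count)

foreach ($u in $batch) {
    # -ChangePasswordAtLogon writes pwdLastSet = 0, the same value the VBScript
    # in this thread writes with objUserLDAP.Put "PwdLastSet", 0
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    Write-Host ("{0,-20} password last set {1:d}" -f $u.SamAccountName, $u.PasswordLastSet)
}
```

Increase $BatchIndex by one on each subsequent run; because flagged accounts drop out of the stale set, the list only shrinks between runs.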
 
LVL 4

Assisted Solution

by:MeCanHelp
MeCanHelp earned 450 total points
ID: 20414737
This script will tell you when a specific user's password will expire; as far as resetting the time until it does, you can script that. You would have to modify the password policy for the domain. This script assumes that you want information on user myerken in the management OU on the fabrikam.com domain. Change to your liking. If you have some programming skills you can export your user list from AD into a text file that feeds into a loop so that you can run this against all of your users in AD.

Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 'userAccountControl bit: password never expires
 
'Bind to the user object; change the DN to the user and OU you want to check
Set objUserLDAP = GetObject _
  ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")
 
If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    'PasswordLastChanged is derived from pwdLastSet and is read-only
    dtmValue = objUserLDAP.PasswordLastChanged
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
            "The difference between when the password was last set " & _
                "and today is " & Int(Now - dtmValue) & " days"
    intTimeInterval = Int(Now - dtmValue)
 
    'The domain's maximum password age (in seconds) comes from the WinNT provider;
    'replace fabrikam with your domain's NetBIOS name
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge < 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
            Wscript.Echo "The password has expired."
        Else
            Wscript.Echo "The password will expire on " & _
                DateValue(dtmValue + intMaxPwdAge) & " (" & _
                    Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
                        ")."
        End If
    End If
End If
      
 

Author Comment

by:uxphreak
ID: 20414875
Thanks, everyone, for the response.

I had found the code MeCanHelp posted prior to posting my question, and after receiving LauraEHunterMVP's response I chose to modify that code to perform e-mail notification to users so that they are aware they will need to change their password.

Once I complete my tweaks I'll post the final code.

Thanks again.
 

Author Comment

by:uxphreak
ID: 20434783
Somewhat similar to the code MeCanHelp referenced, I've made some additions that identify users whose passwords will be expiring on a given date, send them an e-mail notification 14 days prior to that date (or whenever the script is run), set their account to require the user to change their password upon next logon on the date it is set to expire, and disable the account if the expiration date has been reached.

Your comments/additions are much appreciated, and also please be aware that my code may not be as efficient as possible due to my limited programming experience.

Thanks to everyone for their input.
'==========================================================================
'
' NAME: PswdExpireEmail.vbs
'
' AUTHOR:  David Varela, vbScript N00b
' DATE:  12/07/2007
' VERSION:  1.0
'
' COMMENT:  Determine when a user's password was last changed, and if the password
'           is 14 days from expiring send him/her an e-mail advising their password
'           must be changed.  The logic defines variables for the user's sAMAccountName,
'           DistinguishedName, mail, and DisplayName values, and identifies the OU the
'           user is contained in.  If the user does not have an e-mail address, their
'           supervisor, identified by the OU the user exists in, will be sent an e-mail
'           regarding the user's password expiration status.  If the user does not change
'           their password before the day it is set to expire, their account will be set
'           to change their password on the day it is set to expire.  If the user does
'           not change their password on or before the date it is set to expire, the
'           account will be disabled.
'
'==========================================================================
On Error Resume Next 'Hides runtime errors; comment this out while testing the script
strComputer = "."
'''''''''''''''''''''''''''
Const ADS_SCOPE_SUBTREE = 2
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 'userAccountControl bit: password never expires
 
'Create an Array of sAMAccountName's that you wish to exclude from being evaluated by this script
'''''''''''''''''''''''''''
Dim UserArray(0) 'The value in parentheses is the upper bound: one less than the number of entries
 
UserArray(0) = "GAK" 'Replace GAK with the sAMAccountName of the user to exclude.  Increment the index
                     '(and the upper bound above) for each item added to the Array
'''''''''''''''''''''''''''
'ADO is used to access Active Directory.  This should not be changed
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://rootDSE")
 
DomainString = objRootDSE.Get("dnsHostName")
 
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
 
'''''''''''''''''''''''''''
'The SELECT statement retrieves each user's DisplayName, Mail, DistinguishedName, and sAMAccountName values for all users in
'Active Directory
objCommand.CommandText = "SELECT DisplayName,mail,DistinguishedName,sAMAccountName  FROM 'LDAP://dc=<DOMAIN>,dc=<COM>'" & _
    " WHERE objectCategory='user'" 'Be sure to specify your Domain information in DC=<>,DC=<>
Set objRecordSet = objCommand.Execute
 
'The date the passwords are set to expire on (mm/dd/yyyy, parsed per the system locale), the number of
'days remaining until then (negative once it has passed), and the date 90 days before it: any password
'last changed before that date will expire on the target date.
dtmTarget = CDate("12/21/2007") 'Specify which date you wish to evaluate against
strDays = DateDiff("d", Date, dtmTarget)
str90Days = DateAdd("d", -90, dtmTarget)
 
'The meat of the logic is defined in the following DO Loop.
'This loop will execute for each user in AD, except for those specified in UserArray
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strUser = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("DistinguishedName").Value
    strMail = objRecordSet.Fields("mail").Value
    strFullName = objRecordSet.Fields("DisplayName").Value
    If IsNull(strMail) Then strMail = "" 'ADO returns Null when the mail attribute is not set
    
    'The OU is the second RDN of the distinguished name, with the leading "OU=" removed
    arrPath = Split(strDN, ",")
    strOU = Mid(arrPath(1), 4)
    
    i = 1
 
    'This is where the user will be checked against UserArray.
    'If the user exists in the array, flag it for exclusion
    For Each b In UserArray
        If b = strUser Then
            i = 0
        End If
    Next
 
    'If the user is not in UserArray, perform the Password Expiration check
    If i <> 0 Then
        Set objUserLDAP = GetObject("LDAP://" & strDN)
        intCurrentValue = objUserLDAP.Get("userAccountControl")
 
        If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then 'If the user's password is set to not expire
                                                              'then do not do anything further
            WScript.Echo "The password for user " & strUser & " was set to not expire."
        Else
            dtmValue = objUserLDAP.PasswordLastChanged 'The latest date the user changed her/his password
            If DateValue(dtmValue) < str90Days And strDays > 0 Then 'If the user's password will expire on
                                                                    'the date you specified AND today is
                                                                    'before that date, send the user an
                                                                    'e-mail.
                If strMail <> "" Then
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strMail
                    objEmail.Subject = "Password about to expire."
                    objEmail.Textbody = "Your password will expire in " & strDays & " days.  Please change your" & _
                        " password before December 21st to avoid being restricted from the Domain.  If you have" & _
                        " any questions please contact the IT Department."
                    objEmail.Send
                Else 'If the user does not have an e-mail address, send an e-mail to their supervisor
                    If strOU = "<OU Name1>" Then
                        strTo = "<Supervisor1 e-mail address>"
                    ElseIf strOU = "<OU Name2>" Then
                        strTo = "<Supervisor2 e-mail address>"
                    Else
                        strTo = "<IT e-mail address>"
                    End If
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strTo
                    objEmail.Subject = "Password about to expire for " & strFullName & "."
                    objEmail.Textbody = strFullName & "'s password will expire in " & strDays & " days." & _
                        "  Please advise her/him that she/he must change her/his password before December 21st to" & _
                        " avoid being restricted from the Domain.  If you have any questions please contact the" & _
                        " IT Department."
                    objEmail.Send
                End If
            ElseIf DateValue(dtmValue) < str90Days And strDays = 0 Then 'If the user's password will expire
                                                                        'at the end of the day today, set their
                                                                        'account to change the password on next
                                                                        'logon by writing 0 to pwdLastSet.
                objUserLDAP.Put "PwdLastSet", 0
                objUserLDAP.SetInfo
                WScript.Echo "User " & strUser & "'s account has been set to change password upon next logon."
            ElseIf DateValue(dtmValue) < str90Days And strDays < 0 Then 'If the user's password was set to expire
                                                                        'on the date specified and that date has
                                                                        'passed, disable the user's account
                                                                        '(AccountDisabled, not an expiration date).
                objUserLDAP.AccountDisabled = True
                objUserLDAP.SetInfo
                WScript.Echo "User " & strUser & "'s account has been disabled due to expired password."
            Else 'If this user's password has been changed recently, do not do anything
                WScript.Echo strFullName & "'s password was last changed on " & DateValue(dtmValue)
            End If
        End If
    End If
    objRecordSet.MoveNext
Loop
 
'Release the objects; the command's connection reference is cleared before the command itself
Set objCommand.ActiveConnection = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRootDSE = Nothing
Set objRecordSet = Nothing
Set objUserLDAP = Nothing
Set objEmail = Nothing
 
WScript.Quit

