Solved

Resetting all user accounts to change their password within the next 14 days

Posted on 2007-12-05
8
703 Views
Last Modified: 2008-05-31
Hello,

I was wondering if there is a way to reset all user accounts in AD to require them to change their passwords within the next 14 days.  Some of the users have been on the domain for over a year, while most have been in the domain for almost 90 days, and the remaining users have been added within the last 60 days.  I know I can create a GPO and set the Password Policy, but I need a way to effectively handle the user accounts that have not changed their passwords since their accounts have been in the Domain.

Is there a way to assign/change the date the user's password was last changed?  If so I could write a vbscript program that would reset those accounts that have not changed their password within the last 90 days and create the Password Policy, which would allow Windows to notify the user to change their password in the next 14 days when they log in.

Thanks.
0
Question by:uxphreak
8 Comments
 
LVL 6

Expert Comment

by:dnudelman
ID: 20412909
Under the security policy reset account expiry to disabled.
Apply.
Set account to expire in 14 days again.
You should get the desired result.
0
 
LVL 12

Expert Comment

by:chandru_sol
ID: 20412913
Will it be fine if we can find the password last changed for all the users?
0
 
LVL 30

Accepted Solution

by:LauraEHunterMVP
LauraEHunterMVP earned 350 total points
ID: 20412969
dnudelman's instructions are incorrect - setting an expiration date on a user's account will prevent the user from logging in entirely; it expires the entire account, not the password.

Unfortunately, the date/time that a password was last set cannot be modified by an administrator; this field is controlled internally by Active Directory.  The closest you can come to the behaviour you are describing is to flag the "user must change password on next logon" feature on the user account, but this will not achieve the "within 14 days" requirement.

Best way to achieve this, IMO, will be to set the "user must change..." flag in stages so that your help desk is not flooded with calls: if you have 1000 users, set this flag on 50 users at a time until finished, for example.
0
 
LVL 4

Assisted Solution

by:MeCanHelp
MeCanHelp earned 150 total points
ID: 20414737
This script will tell you when a specific user's password will expire; as far as resetting the time until it does, you can script that. You would have to modify the password policy for the domain. This script assumes that you want information on user myerken in the management OU on the fabrikam.com domain. Change to your liking. If you have some programming skills you can export your user list from AD into a text file that feeds into a loop so that you can run this against all of your users in AD.

Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 'userAccountControl bit: password never expires

'Bind to the user being checked; change the DN to suit your domain
Set objUserLDAP = GetObject _
  ("LDAP://CN=myerken,OU=management,DC=fabrikam,DC=com")
intCurrentValue = objUserLDAP.Get("userAccountControl")

If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then
    Wscript.Echo "The password does not expire."
Else
    dtmValue = objUserLDAP.PasswordLastChanged
    intTimeInterval = Int(Now - dtmValue) 'whole days since the password was last set
    Wscript.Echo "The password was last changed on " & _
        DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
            "The difference between when the password was last set " & _
                "and today is " & intTimeInterval & " days"

    'MaxPasswordAge from the WinNT provider is in seconds; 0 (or a negative value) means never expires
    Set objDomainNT = GetObject("WinNT://fabrikam")
    intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
    If intMaxPwdAge <= 0 Then
        WScript.Echo "The Maximum Password Age is set to 0 in the " & _
            "domain. Therefore, the password does not expire."
    Else
        intMaxPwdAge = (intMaxPwdAge / SEC_IN_DAY)
        Wscript.Echo "The maximum password age is " & intMaxPwdAge & " days"
        If intTimeInterval >= intMaxPwdAge Then
          Wscript.Echo "The password has expired."
        Else
          Wscript.Echo "The password will expire on " & _
              DateValue(dtmValue + intMaxPwdAge) & " (" & _
                  Int((dtmValue + intMaxPwdAge) - Now) & " days from today" & _
                      ")."
        End If
    End If
End If
      
0
 

Author Comment

by:uxphreak
ID: 20414875
Thanks, everyone, for the response.

I had found the code MeCanHelp posted prior to posting my question, and after receiving LauraEHunterMVP's response I chose to modify that code to perform e-mail notification to users so that they are aware they will need to change their password.

Once I complete my tweaks I'll post the final code.

Thanks again.
0
 

Author Comment

by:uxphreak
ID: 20434783
Somewhat similar to the code MeCanHelp referenced, I've made some additions that identify users whose passwords will be expiring on a given date, send them an e-mail notification 14 days prior to that date (or whenever the script is run), set their account to require the user to change their password upon next logon on the date it is set to expire, and disable the account if the expiration date has been reached.

Your comments/additions are much appreciated, and also please be aware that my code may not be as efficient as possible due to my limited programming experience.

Thanks to everyone for their input.

'==========================================================================
'
' NAME: PswdExpireEmail.vbs
'
' AUTHOR:  David Varela, vbScript N00b
'
' DATE:  12/07/2007
'
' VERSION:  1.0
'
' COMMENT:  Determine when a user's password was last changed, and if the password
'           is 14 days from expiring send him/her an e-mail advising their password
'           must be changed.  The logic defines variables for the user's sAMAccountName,
'           DistinguishedName, mail, and DisplayName values, and identifies the OU the
'           user is contained in.  If the user does not have an e-mail address, their
'           supervisor, identified by the OU the user exists in, will be sent an e-mail
'           regarding the user's password expiration status.  If the user does not change
'           their password before the day it is set to expire, their account will be set
'           to change their password on the day it is set to expire.  If the user does
'           not change their password on or before the date it is set to expire, the
'           account will be disabled.
'
'==========================================================================

On Error Resume Next

strComputer = "."

'''''''''''''''''''''''''''
Const ADS_SCOPE_SUBTREE = 2
Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

'Create an Array of sAMAccountName's that you wish to exclude from being evaluated by this script
'''''''''''''''''''''''''''
Dim UserArray(0) 'The value in parentheses is the highest index: one less than the number of items in the array

UserArray(0) = "GAK" 'Replace GAK with the sAMAccountName of the user to exclude.  Add an element (and raise the
                     'upper bound above) for each further user to exclude

'''''''''''''''''''''''''''
'ADO is used to access Active Directory.  This should not be changed
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
Set objRootDSE = GetObject("LDAP://rootDSE")

DomainString = objRootDSE.Get("dnsHostName")

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

'''''''''''''''''''''''''''
'The SELECT statement retrieves each user's DisplayName, Mail, DistinguishedName, and sAMAccountName values for all users in
'Active Directory
objCommand.CommandText = "SELECT DisplayName,mail,DistinguishedName,sAMAccountName  FROM 'LDAP://dc=<DOMAIN>,dc=<COM>'" & _
    " WHERE objectCategory='user'" 'Be sure to specify your Domain information in DC=<>,DC=<>
Set objRecordSet = objCommand.Execute

'The date the passwords are set to expire on, and the date written to accounts that are past it.
'DateSerial avoids the locale ambiguity of a "12/21/2007" string.
dtmExpireDate = DateSerial(2007, 12, 21) 'Specify which date you wish to evaluate against
dtmYesterday = DateAdd("d", -1, Date) 'An account expiration date in the past locks the account out immediately

'The meat of the logic is defined in the following DO Loop.
'This loop will execute for each user in AD, except for those specified in UserArray
objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strUser = objRecordSet.Fields("sAMAccountName").Value
    strDN = objRecordSet.Fields("DistinguishedName").Value
    strMail = objRecordSet.Fields("mail").Value
    strFullName = objRecordSet.Fields("DisplayName").Value

    'The second RDN of the DN (the one after the CN) names the OU the user sits in; strip the "OU=" prefix
    arrPath = Split(strDN, ",")
    intLength = Len(arrPath(1))
    intNameLength = intLength - 3
    strOU = Right(arrPath(1), intNameLength)

    i = 1

'This is where the user will be checked against UserArray.
'If the user exists in the array, flag it for exclusion
    For Each b In UserArray
        If b = strUser Then
            i = 0
        End If
    Next

'If the user is not in UserArray, perform the Password Expiration check
    If i <> 0 Then
        Set objUserLDAP = GetObject("LDAP://" & strDN)
        intCurrentValue = objUserLDAP.Get("userAccountControl")

        If intCurrentValue And ADS_UF_DONT_EXPIRE_PASSWD Then 'If the user's password is set to not expire
                                                              'then do not do anything further
            WScript.Echo "The password for user " & strUser & " was set to not expire."
        Else
            dtmValue = objUserLDAP.PasswordLastChanged 'The latest date the user changed her/his password
            strDays = DateDiff("d", Date, dtmExpireDate) 'Days from today until the expiration date
            str90Days = DateAdd("d", -90, dtmExpireDate) 'Determines what date is 90 days before the date specified above
            If DateValue(dtmValue) < str90Days And strDays > 0 Then 'If the user's password will expire on
                                                                    'the date you specified AND today is
                                                                    'before that date, send the user an
                                                                    'e-mail.
                If Not IsNull(strMail) And strMail <> "" Then 'mail is Null in the recordset when the attribute is unset
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strMail
                    objEmail.Subject = "Password about to expire."
                    objEmail.Textbody = "Your password will expire in " & strDays & " days.  Please change your" & _
                        " password before December 21st to avoid being restricted from the Domain.  If you have" & _
                        " any questions please contact the IT Department."
                    objEmail.Send
                Else 'If the user does not have an e-mail address, send an e-mail to their supervisor
                    If strOU = "<OU Name1>" Then
                        strTo = "<Supervisor1 e-mail address>"
                    ElseIf strOU = "<OU Name2>" Then
                        strTo = "<Supervisor2 e-mail address>"
                    Else
                        strTo = "<IT e-mail address>"
                    End If
                    Set objEmail = CreateObject("CDO.Message")
                    objEmail.From = "<IT e-mail Address>"
                    objEmail.To = strTo
                    objEmail.Subject = "Password about to expire for " & strFullName & "."
                    objEmail.Textbody = strFullName & "'s password will expire in " & strDays & " days." & _
                        "  Please advise her/him that she/he must change her/his password before December 21st to" & _
                        " avoid being restricted from the Domain.  If you have any questions please contact the" & _
                        " IT Department."
                    objEmail.Send
                End If
            ElseIf DateValue(dtmValue) < str90Days And strDays = 0 Then 'If the user's password will expire
                                                                        'at the end of the day today, set their
                                                                        'account to change the password on next logon.
                objUserLDAP.Put "PwdLastSet", 0
                objUserLDAP.SetInfo
                WScript.Echo "User " & strUser & "'s account has been set to change password upon next logon."
            ElseIf DateValue(dtmValue) < str90Days And strDays < 0 Then 'If the user's password was set to expire
                                                                        'on the date specified and that date has passed,
                                                                        'disable the user's account.
                objUserLDAP.AccountExpirationDate = dtmYesterday 'Expiring the account yesterday blocks all further logons
                objUserLDAP.SetInfo
                WScript.Echo "User " & strUser & "'s account has been disabled due to expired password."
            Else 'If this user's password has been changed recently, do not do anything
                WScript.Echo strFullName & "'s password was last changed on " & DateValue(dtmValue)
            End If
        End If
    End If
    objRecordSet.MoveNext
Loop

'Release the objects, the command's connection before the command itself
Set objRecordSet = Nothing
Set objCommand.ActiveConnection = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set objRootDSE = Nothing
Set objUserLDAP = Nothing
Set objEmail = Nothing

WScript.Quit


0
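The date arithmetic behind both scripts above, and the staged "must change password at next logon" rollout LauraEHunterMVP recommends, can be checked offline against the raw LDAP attribute values. This is an added Python example, not code from this thread: it works on pwdLastSet as a FILETIME count, maxPwdAge as the negative interval stored on the domain object and the 0x10000 userAccountControl bit, classifies constructed sample accounts under a 90-day policy the way PswdExpireEmail.vbs does, and splits the accounts already past the policy age into batches for a staged flagging run. All account names, dates and the policy value are constructed.

```python
from datetime import datetime, timedelta, timezone

UF_DONT_EXPIRE_PASSWD = 0x10000        # userAccountControl bit both scripts above test
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -0x8000000000000000    # maxPwdAge value meaning "passwords never expire"

def filetime_to_datetime(ft):
    # pwdLastSet is a count of 100-nanosecond intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):  # inverse of the above, used only to build the constructed samples
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def password_status(pwd_last_set, uac, max_pwd_age, now, notify_days=14):
    """(state, days_left) for one account: the same checks PswdExpireEmail.vbs makes."""
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES):
        return ("never-expires", None)
    if pwd_last_set == 0:
        return ("must-change", None)   # already flagged to change at next logon
    # maxPwdAge is stored as a negative interval on the domain object, so negate it
    expires = filetime_to_datetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    days_left = (expires - now) // timedelta(days=1)
    if days_left < 0:
        return ("expired", days_left)
    if days_left <= notify_days:
        return ("notify", days_left)   # inside the 14-day e-mail window
    return ("ok", days_left)

def stage_flag_plan(accounts, max_pwd_age, now, batch_size=50):
    """Accounts past the policy age, oldest first, in batches: one staged pwdLastSet=0 run each."""
    due = [a for a in accounts
           if password_status(a["pwdLastSet"], a["uac"], max_pwd_age, now)[0] == "expired"]
    due.sort(key=lambda a: a["pwdLastSet"])
    return [[a["sAMAccountName"] for a in due[i:i + batch_size]]
            for i in range(0, len(due), batch_size)]

# Constructed sample data, not real accounts: a 90-day policy evaluated on the day of the post
NOW = datetime(2007, 12, 7, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE_90D = -90 * 86400 * 10_000_000   # 90 days in 100-ns units, stored negative
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "oldhand", "uac": 0x200,   "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
    {"sAMAccountName": "ninety",  "uac": 0x200,   "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=85))},
    {"sAMAccountName": "newbie",  "uac": 0x200,   "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=30))},
    {"sAMAccountName": "flagged", "uac": 0x200,   "pwdLastSet": 0},
    {"sAMAccountName": "svc",     "uac": 0x10200, "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=400))},
]

def report(accounts=SAMPLE_ACCOUNTS, max_pwd_age=MAX_PWD_AGE_90D, now=NOW):
    return {a["sAMAccountName"]: password_status(a["pwdLastSet"], a["uac"], max_pwd_age, now)
            for a in accounts}
```

`report()` returns the classification for each sample account and `stage_flag_plan(SAMPLE_ACCOUNTS, MAX_PWD_AGE_90D, NOW)` the batches to flag; on a live domain the same two functions would be fed pwdLastSet, userAccountControl and maxPwdAge read from LDAP.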
