Enabling "User must change password at first login"

Posted on 2008-06-12
Last Modified: 2010-05-18
So my code has been working fine for a while now.  I attempted to get the "User Must Change Password at First Login" to be checked, but it NEVER worked.  All the rest is fine, like I said.

I think my issue lies with not Powershell, but with ADSI.  I looked around for a couple days on the net a while back, and didn't find a way to do this.  I tried to use the -objectAttributes custom change, but that didn't work either.  From what I recall, if you change the pwdLastSet to 0, and then set userAccountControl to 512, you should be able to get the "User Must Change..." to be checked.  Obviously this didn't work.  Anyone have any ideas?  BSonPosh?  I got some more questions for you after this one too, so stay tuned :)

And also I have QAD addin installed.  At the time I wrote this script (February I think), I had the latest QAD release.  I don't think the problem resides in the QAD though.  In thinking about this as I'm writing, I'm also wondering if I would have to change that attribute AFTER I create the account.  Which I think I might have tried, but I can't really recall.

Thanks for any help in advance.
New-QADUser -ParentContainer 'ou=NewUsers, ou=Users, dc=Contoso, dc=com' `
 -Name $strName `
 -Description $strDescription `
 -sAMAccountName $sAMAccountName `
 -UserPrincipalName $userPName `
 -lastName $strLast `
 -FirstName $strFirst `
 -displayName $strDisplayName `
 -userPassword 'userPassword' `
 -office $strOffice `
 -phone $strPhone `
 -objectAttributes @{accountExpires = '123123432000000000'; `
 scriptPath = 'logon.bat'; `
 pwdLastSet = '0'; `
 userAccountControl = '512'}

Question by:Dale Harris

Accepted Solution

by:
BSonPosh earned 2000 total points
ID: 21770188
Setting pwdLastSet to "0" should indeed check that box in the GUI. The userAccountControl is not needed. That just enables/disables the user. Quest has cmdlets for those: Enable-QADUser.

Why are you setting accountExpires?

And yes... you should do a two step process (three really):
1. create user
2. set properties
3. enable user

Author Comment

by:Dale Harris
ID: 21785575
The reason why I have the userAccountControl in there is because it's only one extra part, and if I had to do Enable-QADuser, it would be a separate command.

I created a timer to basically set a delay using the get-date class (3 seconds).
That was because I was having a hard time finding the user after immediately creating them.

Then I put in the information to be changed:

Set-QADUser -identity "domain\$username" -objectAttributes @{pwdLastSet = '0';UserAccountControl='512'}

Thanks for your help Brandon.

It works great now.  My next question that I'm going to submit (is this allowed to say this) is I'm trying to create mailboxes for exchange 2003 for each person that I create with my script.  And I found some pretty gnarly ways to do it, but they look REALLY complex, and I was going to ask if you knew a way to do it that's easier, and just default.  Just like  you would if you were doing an "exchange tasks -> Create Mailbox -> Pick server -> Done".  That's default!  Why does it have to be so freaking complex!  I'm going to give you the points right now, and then submit the new question after dinner time.

Also, I finally got Bruce Payette's "Powershell in Action" book.

I can't believe I didn't read it when I first started 6 months ago in Powershell.  I regret not buying it until now.
It's a great read, and I recommend it for anyone wanting to get into Powershell.

-Dale Harris

Author Closing Comment

by:Dale Harris
ID: 31466467
Again, I can't thank you enough.  You've saved me more time in my day  than I can ever pay back.  You know Powershell... truly.
-Dale Harris

Expert Comment

by:BSonPosh
ID: 21786782
You need to be careful setting userAccountControl. It is a bitwise value and you could end up breaking it.
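The bitwise caution in the last comment, shown as an added example that is not part of the original thread: assigning 512 to userAccountControl overwrites every other flag, while clearing only the ACCOUNTDISABLE bit enables the account and preserves the rest. The function names and the sample value are hypothetical; the flag constants are the documented userAccountControl values, and Set-MustChangePassword assumes plain ADSI rather than the Quest cmdlets.

```powershell
# Added example, not from the thread. Documented userAccountControl flag values.
$UAC = @{
    ACCOUNTDISABLE       = 0x00002
    PASSWD_NOTREQD       = 0x00020
    NORMAL_ACCOUNT       = 0x00200   # 512, the value assigned in the thread
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

function Get-UacFlagNames([int]$Value) {
    # Decode a userAccountControl integer into the flag names listed above.
    $UAC.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        Sort-Object Value | ForEach-Object { $_.Key }
}

function Get-EnabledUac([int]$Current) {
    # Clear only the ACCOUNTDISABLE bit; every other bit is preserved.
    $Current -band (-bnot $UAC.ACCOUNTDISABLE)
}

function Set-MustChangePassword([string]$DistinguishedName) {
    # Hypothetical helper: read-modify-write through ADSI instead of assigning 512.
    $user    = [ADSI]"LDAP://$DistinguishedName"
    $current = [int]$user.userAccountControl.Value
    if ($current -band $UAC.DONT_EXPIRE_PASSWORD) {
        # With this flag set, pwdLastSet = 0 does not force a password change.
        Write-Warning "Password never expires is set on $DistinguishedName"
    }
    $user.Put('pwdLastSet', 0)    # 0 = user must change password at next logon
    $user.Put('userAccountControl', (Get-EnabledUac $current))
    $user.SetInfo()
}

# Constructed sample: a disabled normal account that requires a smart card.
$sample = 0x40202
$safe   = Get-EnabledUac $sample
"before     : {0} ({1})" -f $sample, ((Get-UacFlagNames $sample) -join ', ')
"bit clear  : {0} ({1})" -f $safe,   ((Get-UacFlagNames $safe)   -join ', ')
"assign 512 : {0} ({1})" -f 512,     ((Get-UacFlagNames 512)     -join ', ')
```

The three printed lines compare the flags before the change, after the bit clear, and after a blind assignment of 512; only the last one loses SMARTCARD_REQUIRED.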
