Solved

Enabling "User must change password at first login"

Posted on 2008-06-12
Last Modified: 2010-05-18
So my code has been working fine for a while now.  I attempted to get the "User Must Change Password at First Login" to be checked, but it NEVER worked.  All the rest is fine, like I said.

I think my issue lies not with PowerShell, but with ADSI.  I looked around for a couple days on the net a while back, and didn't find a way to do this.  I tried to use the -objectAttributes custom change, but that didn't work either.  From what I recall, if you change the pwdLastSet to 0, and then set userAccountControl to 512, you should be able to get the "User Must Change..." to be checked.  Obviously this didn't work.  Anyone have any ideas?  BSonPosh?  I got some more questions for you after this one too, so stay tuned :)

And also I have the QAD add-in installed.  At the time I wrote this script (February I think), I had the latest QAD release.  I don't think the problem resides in the QAD though.  In thinking about this as I'm writing, I'm also wondering if I would have to change that attribute AFTER I create the account.  Which I think I might have tried, but I can't really recall.

Thanks for any help in advance.

New-QADUser -ParentContainer 'ou=NewUsers, ou=Users, dc=Contoso, dc=com' `
 -Name $strName `
 -Description $strDescription `
 -sAMAccountName $sAMAccountName `
 -UserPrincipalName $userPName `
 -lastName $strLast `
 -FirstName $strFirst `
 -displayName $strDisplayName `
 -userPassword 'userPassword' `
 -office $strOffice `
 -phone $strPhone `
 -objectAttributes @{accountExpires = '123123432000000000'; `
 scriptPath = 'logon.bat'; `
 pwdLastSet = '0'; `
 userAccountControl = '512'}

Question by:Dale Harris
4 Comments
 
Accepted Solution

by: BSonPosh earned 500 total points
Setting pwdLastSet to "0" should indeed check that box in the GUI. The userAccountControl is not needed. That just enables/disables the user. Quest has cmdlets for those: Enable-QADUser.

Why are you setting accountExpires?

And yes... you should do a two step process (three really)
create user
set properties
enable user
Author Comment

by:Dale Harris
The reason why I have the userAccountControl in there is because it's only one extra part, and if I had to do Enable-QADuser, it would be a separate command.

I created a timer to basically set a delay using the get-date class (3 seconds).
That was because I was having a hard time finding the user after immediately creating them.

Then I put in the information to be changed:

Set-QADUser -identity "domain\$username" -objectAttributes @{pwdLastSet = '0';UserAccountControl='512'}

Thanks for your help Brandon.

It works great now.  My next question that I'm going to submit (is this allowed to say this) is I'm trying to create mailboxes for Exchange 2003 for each person that I create with my script.  And I found some pretty gnarly ways to do it, but they look REALLY complex, and I was going to ask if you knew a way to do it that's easier, and just default.  Just like you would if you were doing an "exchange tasks -> Create Mailbox -> Pick server -> Done".  That's default!  Why does it have to be so freaking complex!  I'm going to give you the points right now, and then submit the new question after dinner time.

Also, I finally got Bruce Payette's "PowerShell in Action" book.

I can't believe I didn't read it when I first started 6 months ago in PowerShell.  I regret not buying it until now.
It's a great read, and I recommend it for anyone wanting to get into PowerShell.

-Dale Harris
Author Closing Comment

by:Dale Harris
Again, I can't thank you enough.  You've saved me more time in my day than I can ever pay back.  You know PowerShell... truly.
-Dale Harris
Expert Comment

by:BSonPosh
You need to be careful setting userAccountControl. It is a bitwise value and you could end up breaking it.
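
An added example (not code from this thread or from Quest) of the read-modify-write that the caution about userAccountControl being a bit field calls for, done after the account has been created. It uses plain ADSI instead of the QAD cmdlets; the helper names Get-EnabledUac and Set-MustChangePassword and the sample values are assumptions made for illustration, while the flag constants are the documented userAccountControl bits.

```powershell
# Documented userAccountControl flag values.
$UAC_ACCOUNTDISABLE     = 0x00002
$UAC_PASSWD_NOTREQD     = 0x00020
$UAC_DONT_EXPIRE_PASSWD = 0x10000

function Get-EnabledUac {
    # Hypothetical helper: clear only the "disabled" and "password not
    # required" bits and leave every other flag as it was.
    param([int]$Current)
    $Current -band (-bnot ($UAC_ACCOUNTDISABLE -bor $UAC_PASSWD_NOTREQD))
}

function Set-MustChangePassword {
    # Hypothetical helper: run it after the account exists (the "set
    # properties" and "enable user" steps). Requires a reachable domain.
    param([string]$DistinguishedName)
    $user    = [ADSI]"LDAP://$DistinguishedName"
    $current = [int]$user.userAccountControl.Value
    if ($current -band $UAC_DONT_EXPIRE_PASSWD) {
        # With "password never expires" set, pwdLastSet = 0 forces nothing.
        Write-Warning "$DistinguishedName has DONT_EXPIRE_PASSWD set; no password change will be forced."
    }
    $user.Put('userAccountControl', (Get-EnabledUac $current))
    $user.Put('pwdLastSet', 0)
    $user.SetInfo()
}

# Constructed sample values (no directory needed): what a blind write of 512
# would discard compared with masking out the two bits.
foreach ($sample in 546, 66050, 262658) {
    $masked = Get-EnabledUac $sample
    $lost   = $masked -band (-bnot 512)
    'current={0} masked={1} flags a blind 512 would drop=0x{2:X}' -f $sample, $masked, $lost
}
```

The loop at the end runs without a domain; Set-MustChangePassword is only defined, not called, and needs the distinguished name of an existing user.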