Solved

Enabling "User must change password at first login"

Posted on 2008-06-12
Last Modified: 2010-05-18
So my code has been working fine for a while now.  I attempted to get the "User Must Change Password at First Login" to be checked, but it NEVER worked.  All the rest is fine, like I said.

I think my issue lies not with PowerShell, but with ADSI.  I looked around for a couple days on the net a while back, and didn't find a way to do this.  I tried to use the -objectAttributes custom change, but that didn't work either.  From what I recall, if you change the pwdLastSet to 0, and then set userAccountControl to 512, you should be able to get the "User Must Change..." to be checked.  Obviously this didn't work.  Anyone have any ideas?  BSonPosh?  I got some more questions for you after this one too, so stay tuned :)

And also I have the QAD add-in installed.  At the time I wrote this script (February I think), I had the latest QAD release.  I don't think the problem resides in the QAD though.  In thinking about this as I'm writing, I'm also wondering if I would have to change that attribute AFTER I create the account.  Which I think I might have tried, but I can't really recall.

Thanks for any help in advance.

New-QADUser -ParentContainer 'ou=NewUsers, ou=Users, dc=Contoso, dc=com' `
 -Name $strName `
 -Description $strDescription `
 -sAMAccountName $sAMAccountName `
 -UserPrincipalName $userPName `
 -lastName $strLast `
 -FirstName $strFirst `
 -displayName $strDisplayName `
 -userPassword 'userPassword' `
 -office $strOffice `
 -phone $strPhone `
 -objectAttributes @{accountExpires = '123123432000000000'; `
 scriptPath = 'logon.bat'; `
 pwdLastSet = '0'; `
 userAccountControl = '512'}

Question by:Dale Harris

Accepted Solution

by:
BSonPosh earned 500 total points
ID: 21770188
Setting pwdLastSet to "0" should indeed check that box in the GUI. The userAccountControl is not needed. That just enables/disables the user. Quest has cmdlets for those: Enable-QADUser.

Why are you setting accountExpires?

And yes... you should do a two step process (three really)
create user
set properties
enable user

Author Comment

by:Dale Harris
ID: 21785575
The reason why I have the userAccountControl in there is because it's only one extra part, and if I had to do Enable-QADuser, it would be a separate command.

I created a timer to basically set a delay using the get-date class (3 seconds).
That was because I was having a hard time finding the user after immediately creating them.

Then I put in the information to be changed:

Set-QADUser -identity "domain\$username" -objectAttributes @{pwdLastSet = '0';UserAccountControl='512'}

Thanks for your help Brandon.

It works great now.  My next question that I'm going to submit (is this allowed to say this) is I'm trying to create mailboxes for Exchange 2003 for each person that I create with my script.  And I found some pretty gnarly ways to do it, but they look REALLY complex, and I was going to ask if you knew a way to do it that's easier, and just default.  Just like you would if you were doing an "Exchange Tasks -> Create Mailbox -> Pick server -> Done".  That's default!  Why does it have to be so freaking complex!  I'm going to give you the points right now, and then submit the new question after dinner time.

Also, I finally got Bruce Payette's "PowerShell in Action" book.

I can't believe I didn't read it when I first started 6 months ago in PowerShell.  I regret not buying it until now.
It's a great read, and I recommend it for anyone wanting to get into PowerShell.

-Dale Harris

Author Closing Comment

by:Dale Harris
ID: 31466467
Again, I can't thank you enough.  You've saved me more time in my day than I can ever pay back.  You know PowerShell... truly.
-Dale Harris

Expert Comment

by:BSonPosh
ID: 21786782
You need to be careful setting userAccountControl. It is bitwise and you could end up breaking it.
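
An added example, not part of the original thread: the "set properties, then enable" steps from the accepted answer done through ADSI, with userAccountControl changed by masking one bit instead of writing the literal 512. The function names and the sample values are assumptions made for illustration; the flag values are the documented userAccountControl bits.

```powershell
# Added example: documented userAccountControl bits used below.
$UAC = @{
    ACCOUNTDISABLE       = 0x0002
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
}

function Get-UacFlagNames([int]$Value) {
    # Names of the known bits that are set in $Value.
    $UAC.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        Sort-Object Value | ForEach-Object { $_.Key }
}

function Get-EnabledUac([int]$Current) {
    # Clear only ACCOUNTDISABLE; every other bit keeps its state.
    $Current -band (-bnot $UAC.ACCOUNTDISABLE)
}

function Set-MustChangePassword([string]$DistinguishedName) {
    # Hypothetical helper: run after the user object exists (steps 2 and 3).
    $user    = [ADSI]"LDAP://$DistinguishedName"
    $current = [int]$user.userAccountControl.Value
    if ($current -band $UAC.DONT_EXPIRE_PASSWORD) {
        Write-Warning 'Password never expires is set; pwdLastSet = 0 will not force a change.'
    }
    $user.Put('pwdLastSet', 0)
    $user.Put('userAccountControl', (Get-EnabledUac $current))
    $user.SetInfo()
}

# Constructed sample values (not read from a directory): compare masking
# with overwriting the attribute with the literal 512.
$fmt = '{0,6}: mask -> {1,6}, overwrite -> 512, lost by overwrite: [{2}]'
foreach ($before in 514, 66050, 262658) {
    $masked = Get-EnabledUac $before
    $lost   = Get-UacFlagNames ($masked -band (-bnot $UAC.NORMAL_ACCOUNT))
    $fmt -f $before, $masked, ($lost -join ', ')
}
```

The loop runs without a domain; Set-MustChangePassword is only defined, not called, and needs a distinguished name and write access to the user object.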