Dale Harris (United States of America) asked:

Enabling "User must change password at first login"

So my code has been working fine for a while now. I attempted to get the "User Must Change Password at First Login" to be checked, but it NEVER worked. All the rest is fine, like I said.

I think my issue lies not with PowerShell, but with ADSI. I looked around for a couple of days on the net a while back, and didn't find a way to do this. I tried to use the -objectAttributes custom change, but that didn't work either. From what I recall, if you change the pwdLastSet to 0, and then set userAccountControl to 512, you should be able to get the "User Must Change..." to be checked. Obviously this didn't work. Anyone have any ideas? BSonPosh? I've got some more questions for you after this one too, so stay tuned :)

And also I have the QAD add-in installed. At the time I wrote this script (February, I think), I had the latest QAD release. I don't think the problem resides in the QAD though. In thinking about this as I'm writing, I'm also wondering if I would have to change that attribute AFTER I create the account. Which I think I might have tried, but I can't really recall.

Thanks for any help in advance.

# The asker's creation call (Quest QAD cmdlets). Writing pwdLastSet in
# -ObjectAttributes at creation time is the part that did not take effect;
# the rest of the call works. The -UserPassword literal is the post's own
# placeholder, not a value to reuse.
New-QADUser -ParentContainer 'ou=NewUsers, ou=Users, dc=Contoso, dc=com' `
    -Name $strName `
    -Description $strDescription `
    -SamAccountName $sAMAccountName `
    -UserPrincipalName $userPName `
    -LastName $strLast `
    -FirstName $strFirst `
    -DisplayName $strDisplayName `
    -UserPassword 'userPassword' `
    -Office $strOffice `
    -Phone $strPhone `
    -ObjectAttributes @{
        accountExpires     = '123123432000000000'
        scriptPath         = 'logon.bat'
        pwdLastSet         = '0'
        userAccountControl = '512'
    }
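The ordering the asker is guessing at, shown with plain ADSI instead of the QAD cmdlets. This is an added example, not the asker's script or BSonPosh's answer: create the object, set the password, enable the account by clearing only the relevant bits, and write pwdLastSet = 0 as the final, separate write (a password write stamps pwdLastSet with the current time, so any pwdLastSet = 0 written before the password is replaced). The container DN, account name, UPN suffix and initial password are assumed values.

```powershell
# Added example (not the asker's or BSonPosh's code). Assumed values below.
$containerPath = 'LDAP://OU=NewUsers,OU=Users,DC=Contoso,DC=com'   # assumed OU
$sam           = 'jdoe'                                             # assumed account name
$upnSuffix     = 'contoso.com'                                      # assumed UPN suffix
$initialPwd    = 'Temp-Passw0rd-ChangeMe!'                          # placeholder; generate per account in practice

$ACCOUNTDISABLE = 0x0002
$PASSWD_NOTREQD = 0x0020

# 1. Create the object. ADSI creates it disabled, with PASSWD_NOTREQD set,
#    until a password exists.
$ou   = [ADSI]$containerPath
$user = $ou.Create('user', "CN=$sam")
$user.Put('sAMAccountName', $sam)
$user.Put('userPrincipalName', "$sam@$upnSuffix")
$user.SetInfo()

# 2. Set the initial password. This write updates pwdLastSet to "now".
$user.SetPassword($initialPwd)

# 3. Enable the account by clearing two bits and leaving every other flag
#    as it is, rather than overwriting the whole value with 512.
$uac = [int]$user.Get('userAccountControl')
$user.Put('userAccountControl', $uac -band (-bnot ($ACCOUNTDISABLE -bor $PASSWD_NOTREQD)))
$user.SetInfo()

# 4. Force a password change at next logon. This must be the last write,
#    after the password and the enable, or a later write undoes it.
$user.Put('pwdLastSet', 0)
$user.SetInfo()

# Check: pwdLastSet reads back as an IADsLargeInteger with both parts zero.
$pls = $user.Get('pwdLastSet')
'{0}: pwdLastSet HighPart={1} LowPart={2}' -f $sam, $pls.HighPart, $pls.LowPart
```

The SetPassword call needs a bind the domain controller accepts for password operations (Kerberos or LDAPS); over plain LDAP it fails. Steps 3 and 4 are the two writes the thread ends up doing with Set-QADUser after the account exists.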


ASKER CERTIFIED SOLUTION
BSonPosh (United States of America)

This solution is only available to members.
Dale Harris (ASKER):

The reason why I have the userAccountControl in there is because it's only one extra part, and if I had to do Enable-QADUser, it would be a separate command.

I created a timer to basically set a delay using the get-date class (3 seconds).
That was because I was having a hard time finding the user after immediately creating them.

Then I put in the information to be changed:

# Second write, issued after the account exists: pwdLastSet = 0 forces the change at next logon.
Set-QADUser -Identity "domain\$username" -ObjectAttributes @{pwdLastSet = '0'; UserAccountControl = '512'}

Thanks for your help Brandon.

It works great now. My next question that I'm going to submit (am I allowed to say this?) is that I'm trying to create mailboxes in Exchange 2003 for each person that I create with my script. And I found some pretty gnarly ways to do it, but they look REALLY complex, and I was going to ask if you knew a way to do it that's easier, and just default. Just like you would if you were doing "Exchange Tasks -> Create Mailbox -> Pick server -> Done". That's default! Why does it have to be so freaking complex! I'm going to give you the points right now, and then submit the new question after dinner time.

Also, I finally got Bruce Payette's "PowerShell in Action" book.

I can't believe I didn't read it when I first started 6 months ago in PowerShell. I regret not buying it until now.
It's a great read, and I recommend it for anyone wanting to get into PowerShell.

-Dale Harris

Again, I can't thank you enough. You've saved me more time in my day than I can ever pay back. You know PowerShell... truly.

-Dale Harris

You need to be careful setting userAccountControl. It is bitwise, and you could end up breaking it.
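What "bitwise" means in practice for the value 512 used in the accepted approach above, as an added example that is not part of the thread: userAccountControl is a bit field, so a safe update reads the current value, flips only the bit in question and writes the result back, whereas assigning 512 outright clears every other flag the account carries. The flag constants are the documented UF_* values; the account values and the DN in the trailing comment are constructed.

```powershell
# Added example (not BSonPosh's or the asker's code).
# Documented userAccountControl bits; not an exhaustive list.
$UacFlags = [ordered]@{
    SCRIPT                 = 0x000001
    ACCOUNTDISABLE         = 0x000002
    PASSWD_NOTREQD         = 0x000020
    NORMAL_ACCOUNT         = 0x000200
    DONT_EXPIRE_PASSWORD   = 0x010000
    SMARTCARD_REQUIRED     = 0x040000
    TRUSTED_FOR_DELEGATION = 0x080000
    NOT_DELEGATED          = 0x100000
    PASSWORD_EXPIRED       = 0x800000
}

# Names of the flags that are set in a userAccountControl value.
function Get-UacFlagName {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Return a new value with one named flag set or cleared; all other bits are preserved.
function Set-UacFlag {
    param(
        [Parameter(Mandatory)][int]$Value,
        [Parameter(Mandatory)][string]$Flag,
        [switch]$Clear
    )
    if (-not $UacFlags.Contains($Flag)) { throw "Unknown userAccountControl flag '$Flag'" }
    $bit = $UacFlags[$Flag]
    if ($Clear) { return $Value -band (-bnot $bit) }
    return $Value -bor $bit
}

# Constructed account: disabled, normal account, password never expires (66050).
$before = $UacFlags.ACCOUNTDISABLE -bor $UacFlags.NORMAL_ACCOUNT -bor $UacFlags.DONT_EXPIRE_PASSWORD

$enabledSafely = Set-UacFlag -Value $before -Flag ACCOUNTDISABLE -Clear   # 66048, DONT_EXPIRE_PASSWORD kept
$overwritten   = 512                                                    # what writing '512' produces

"before:    $before -> $((Get-UacFlagName $before) -join ', ')"
"safe:      $enabledSafely -> $((Get-UacFlagName $enabledSafely) -join ', ')"
"overwrite: $overwritten -> $((Get-UacFlagName $overwritten) -join ', ')"
# The overwrite silently drops DONT_EXPIRE_PASSWORD here, and would drop
# SMARTCARD_REQUIRED, NOT_DELEGATED and the rest on accounts that carry them.

# Writing the safe value back through ADSI (constructed DN):
# $u = [ADSI]'LDAP://CN=jdoe,OU=NewUsers,OU=Users,DC=Contoso,DC=com'
# $u.Put('userAccountControl', (Set-UacFlag -Value ([int]$u.Get('userAccountControl')) -Flag ACCOUNTDISABLE -Clear))
# $u.SetInfo()
```

Get-UacFlagName is also a useful check to run before and after any bulk script that touches this attribute: a diff of the flag names per account shows exactly which bits a write changed.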