maharlika asked:
Force password change for domain users

We have a Windows 2003 Domain Controller with Active Directory. I will change the domain policy to require password complexity, change password every 60 days, etc. I know there are accounts in Active Directory where the "password never expires" option is checked. How can I easily find all of them that have this option checked without going through each account individually? Also, when I change the default domain policy for passwords, will this override the individual accounts' option (i.e. if the domain policy says it has to be changed every 60 days, will this override the "password never expires" option)?
JohnGerhardt (Switzerland):

Have a look at this:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0829.mspx
If you want help with the script, post back.
ASKER CERTIFIED SOLUTION
Joseph Daly (United States of America)
@xxdcmast: Wow! Nice script. I have been trying to figure out a way to do this for my environment. Not to steal anyone's thunder, but thanks for the script!
I second that, very simple.
The following query should do the same as the above query but using an LDAP filter.

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsget user -ln -fn -pwdneverexpires


Now, you may want to do some testing on this, but the script below should CHANGE them all to uncheck "password never expires".

Be careful with the script below.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsmod user  -pwdneverexpires no


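The same search and the same "uncheck it" change, written as an added PowerShell example that is not code from this thread. It uses the LDAP filter from the dsquery one-liners above through [ADSISearcher]/DirectoryEntry, so it works against a Windows 2003 DC without the ActiveDirectory module. It assumes it runs on a domain-joined machine as an account that can read (and, with -Commit, write) userAccountControl on the matched users; the function names are my own.

```powershell
# Added example, not code from the thread. Same LDAP filter as the dsquery one-liners
# above, run through DirectorySearcher so it works against a Windows 2003 DC without
# the ActiveDirectory module. Assumes a domain-joined machine and an account that can
# read (and, with -Commit, write) userAccountControl on the matched users.

$DONT_EXPIRE_PASSWD         = 0x10000                    # userAccountControl bit 65536
$ACCOUNTDISABLE             = 0x2
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

function Find-PasswordNeverExpires {
    # One object per user (enabled or disabled) whose DONT_EXPIRE_PASSWD bit is set.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $searcher.Filter   = "(&(objectCategory=person)(objectClass=user)" +
                         "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$DONT_EXPIRE_PASSWD))"
    $searcher.PageSize = 1000            # paged search, no 1000-object cap (like dsquery -limit 0)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','distinguishedName','userAccountControl'))

    foreach ($r in $searcher.FindAll()) {
        $uac = [int]$r.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            SamAccountName     = [string]$r.Properties['samaccountname'][0]
            DistinguishedName  = [string]$r.Properties['distinguishedname'][0]
            Disabled           = [bool]($uac -band $ACCOUNTDISABLE)
            UserAccountControl = $uac
        }
    }
}

function Clear-PasswordNeverExpires {
    # Clears only the DONT_EXPIRE_PASSWD bit and leaves every other flag as it was.
    # Dry run by default; pass -Commit to actually write (what dsmod -pwdneverexpires no does).
    param(
        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)][string]$DistinguishedName,
        [switch]$Commit
    )
    process {
        $user = [ADSI]"LDAP://$DistinguishedName"
        $uac  = [int]$user.userAccountControl.Value
        if (-not ($uac -band $DONT_EXPIRE_PASSWD)) { return }
        $new = $uac -band (-bnot $DONT_EXPIRE_PASSWD)
        if ($Commit) {
            $user.Put('userAccountControl', $new)
            $user.SetInfo()
            "changed       $DistinguishedName ($uac -> $new)"
        } else {
            "would change  $DistinguishedName ($uac -> $new)"
        }
    }
}

# Review the list first. Built-in Guest and service accounts show up here; once the bit
# is cleared, any account whose pwdLastSet is older than the new maximum age is forced
# to change its password at next logon, which breaks a service account silently.
$flagged = Find-PasswordNeverExpires
$flagged | Format-Table SamAccountName, Disabled, DistinguishedName -AutoSize
$flagged | Where-Object { -not $_.Disabled -and $_.SamAccountName -ne 'Guest' } |
    Clear-PasswordNeverExpires           # add -Commit once the printed list looks right
```

The default is a dry run for the same reason the post above says to be careful: the dsmod version rewrites every match in one shot with no record of what it touched, while this prints the old and new userAccountControl for each account before and after the change.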
maharlika (asker):
xxdcmast, thanks for the great script.
Also: if password never expires = yes, does that override the default domain policy that says it has to be changed every 60 days?
That's a good question. I would assume that the settings in AD would override the default domain policy, but honestly I can't say for sure.

You could always test it out by setting a GPO on a TEST OU with a password change of 1 day and see what happens.
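A way to see the answer directly instead of waiting a day on a test OU, as an added example that is not part of the thread: compute each account's effective password expiry from the attributes a Windows 2003 DC already stores. The rule the DC applies is that DONT_EXPIRE_PASSWD on the account takes precedence over the domain's maxPwdAge, so a flagged account keeps reporting "never" after the 60-day policy is in place. The script assumes a domain-joined machine with read access to the domain, reads only the domain-wide maxPwdAge (it ignores fine-grained password policy, which a 2003 domain does not have anyway), and the function names are my own.

```powershell
# Added example, not code from the thread. Works out each account's effective password
# expiry from raw attributes on a Windows 2003 DC, applying the precedence the DC uses:
# DONT_EXPIRE_PASSWD on the account wins over the domain's maxPwdAge. Assumes a
# domain-joined machine with read access; ignores fine-grained password policy (2008+).

$DONT_EXPIRE_PASSWD = 0x10000

function Get-DomainMaxPwdAgeTicks {
    # maxPwdAge on the domain head is a negative 100-ns interval; Int64.MinValue means "never".
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainDn = [string]$rootDse.defaultNamingContext
    $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
    $s.SearchScope = 'Base'
    $s.Filter      = '(objectClass=*)'
    [void]$s.PropertiesToLoad.Add('maxPwdAge')
    [int64]$s.FindOne().Properties['maxpwdage'][0]
}

function Get-EffectivePasswordExpiry {
    param([int64]$PwdLastSet, [int]$UserAccountControl, [int64]$MaxPwdAgeTicks)
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWD) { return 'never (DONT_EXPIRE_PASSWD set on account)' }
    if ($MaxPwdAgeTicks -eq 0 -or $MaxPwdAgeTicks -eq [int64]::MinValue) { return 'never (domain maxPwdAge unlimited)' }
    if ($PwdLastSet -eq 0) { return 'must change at next logon' }
    # maxPwdAge is stored negated, so subtracting it adds the allowed age to pwdLastSet.
    [DateTime]::FromFileTimeUtc($PwdLastSet - $MaxPwdAgeTicks)
}

$maxAge = Get-DomainMaxPwdAgeTicks
if ($maxAge -eq 0 -or $maxAge -eq [int64]::MinValue) {
    'Domain policy: passwords never expire'
} else {
    'Domain policy: maximum password age {0} days' -f [timespan]::FromTicks(-$maxAge).TotalDays
}

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName','pwdLastSet','userAccountControl'))

$report = foreach ($r in $searcher.FindAll()) {
    $p   = $r.Properties
    $pls = if ($p['pwdlastset'].Count) { [int64]$p['pwdlastset'][0] } else { 0 }
    $uac = [int]$p['useraccountcontrol'][0]
    [pscustomobject]@{
        SamAccountName  = [string]$p['samaccountname'][0]
        PwdLastSet      = if ($pls -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($pls) }
        NeverExpires    = [bool]($uac -band $DONT_EXPIRE_PASSWD)
        EffectiveExpiry = Get-EffectivePasswordExpiry -PwdLastSet $pls -UserAccountControl $uac -MaxPwdAgeTicks $maxAge
    }
}
$report | Sort-Object NeverExpires, SamAccountName | Format-Table -AutoSize
```

Run it against the test OU suggested above after setting a 1-day maximum age: the accounts without the flag get an EffectiveExpiry one day after their PwdLastSet, while the flagged ones still report "never", which is the precedence the asker is asking about.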