Force password change for domain users

We have a Windows 2003 Domain Controller with Active Directory.  I will change the domain policy to require password complexity, change password every 60 days, etc.  I know there are accounts in Active Directory where the "password never expires" option is checked.  How can I easily find all of them that have this option checked without going through each account individually?  Also, when I change the default domain policy for passwords, will this override the individual accounts option (i.e. if the domain policy says it has to be change every 60 days, will this override the "password never expires" option)?
maharlika Asked:
Joseph Daly Commented:
Here you go. What the below script does is query every user account in AD and then will return their last name, first name, and whether their "password never expires" mark is checked.
dsquery user -samid * -limit 0| dsget user -ln -fn -pwdneverexpires

JohnGerhardt Commented:
Have a look at this:
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0829.mspx
If you want help with the script, post back...

samiam41 Commented:
@xxdcmast:  Wow!  Nice script.  I have been trying to figure a way to do this for my environment.  Not to steal anyone's thunder but thanks for the script!
JohnGerhardt Commented:
I second that, very simple.

Joseph Daly Commented:
The following query should do the same as the above query, but using an LDAP filter.

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsget user -ln -fn -pwdneverexpires

Joseph Daly Commented:
Now, you may want to do some testing on this, but the script below should CHANGE them all to uncheck "password never expires".

Be careful with the script below.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsmod user  -pwdneverexpires no

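The same audit and clean-up as an added PowerShell example (not code from this thread), using the ActiveDirectory module with the LDAP matching-rule filter from the dsquery commands above. It also marks accounts whose password is already older than the 60-day maximum from the question, because once the flag is cleared those passwords expire at the next logon. Assumptions: the ActiveDirectory module is installed (against a Windows 2003 DC it needs the Active Directory Management Gateway Service); the CSV path is a placeholder.

```powershell
# Added example, not from the thread above: list accounts carrying the
# DONT_EXPIRE_PASSWD bit (0x10000 = 65536) in userAccountControl, flag those whose
# password is already older than the planned maximum age, then clear the bit with -WhatIf.
# Assumes the ActiveDirectory PowerShell module (RSAT); $ReportPath is a placeholder.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 60      # value the domain policy will be set to
$ReportPath = 'C:\Temp\PasswordNeverExpires.csv'

# Bitwise-AND matching rule 1.2.840.113556.1.4.803 on userAccountControl:
# only accounts with "password never expires" checked are returned.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

$report = Get-ADUser -LDAPFilter $ldapFilter -Properties PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, Surname, GivenName, Enabled, PasswordLastSet,
        @{ Name = 'ExpiresImmediatelyIfCleared'
           # After the bit is cleared, expiry is computed from pwdLastSet + MaxPasswordAge,
           # so a password older than the cutoff (or never set) is expired at the next logon.
           Expression = { ($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff) } }

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Remediation: clear the flag so the domain maximum password age applies again.
# -WhatIf only prints what would change; drop it after the report has been reviewed
# (service accounts in the list need a planned password change, not a surprise expiry).
foreach ($user in $report) {
    Set-ADUser -Identity $user.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```

Review the ExpiresImmediatelyIfCleared column before removing -WhatIf, since every account marked there will be forced to change its password as soon as the flag is cleared.
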
maharlika (Author) Commented:
xxdcmast, thanks for the great script.
Also: if password never expires = yes, does that override the default domain policy that says it has to be changed every 60 days?
Joseph Daly Commented:
That's a good question. I would assume that the settings in AD would override the default domain policy, but honestly I can't say for sure.

You could always test it out by setting a GPO on a TEST OU with a password change of 1 day and see what happens.