maharlika
asked on
Force password change for domain users
We have a Windows 2003 Domain Controller with Active Directory. I will change the domain policy to require password complexity, change password every 60 days, etc. I know there are accounts in Active Directory where the "password never expires" option is checked. How can I easily find all of them that have this option checked without going through each account individually? Also, when I change the default domain policy for passwords, will this override the individual accounts' option (i.e., if the domain policy says it has to be changed every 60 days, will this override the "password never expires" option)?
@xxdcmast: Wow! Nice script. I have been trying to figure a way to do this for my environment. Not to steal anyone's thunder but thanks for the script!
I second that, very simple.
The following query should do the same as the above query, but using an LDAP filter.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsget user -ln -fn -pwdneverexpires
Now you may want to do some testing on this, but the script below should CHANGE them all to uncheck "password never expires".
Be careful with the script below.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsmod user -pwdneverexpires no
ASKER
xxdcmast, thanks for the great script.
Also: if password never expires = yes, does that override the default domain policy that says it has to be changed every 60 days?
That's a good question. I would assume that the settings in AD would override the default domain policy, but honestly I can't say for sure.
You could always test it out by setting a GPO on a TEST OU with a password change of 1 day and see what happens.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0829.mspx
If you want help with the script, post back...
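Added example (my own code, not posted by anyone in this thread) modelling the two things discussed above: the userAccountControl bit that the dsquery filter tests, and how that bit interacts with the domain's maximum password age. The matching rule OID 1.2.840.113556.1.4.803 in the filter is LDAP's bitwise-AND rule (1.2.840.113556.1.4.804 is bitwise OR), and 65536 is 0x10000, the DONT_EXPIRE_PASSWD flag. That flag is evaluated per account and exempts the account from the domain's maxPwdAge, which answers the override question: the checkbox wins. The sample accounts, timestamps and function names below are constructed for illustration; a real check would feed the same logic with attributes pulled from the directory.

```python
# Added example, not from the thread: a model of the AD checks discussed above.
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (documented Active Directory values)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000  # 65536, the value in the dsquery filter

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def ldap_bit_and(value: int, mask: int) -> bool:
    """(attr:1.2.840.113556.1.4.803:=mask) is true only if every bit of mask is set."""
    return value & mask == mask

def ldap_bit_or(value: int, mask: int) -> bool:
    """(attr:1.2.840.113556.1.4.804:=mask) is true if any bit of mask is set."""
    return value & mask != 0

def password_never_expires(uac: int) -> bool:
    return ldap_bit_and(uac, UF_DONT_EXPIRE_PASSWD)

def password_expired(uac: int, pwd_last_set: int, max_pwd_age: timedelta, now: datetime) -> bool:
    """The per-account flag takes precedence over the domain's maxPwdAge."""
    if password_never_expires(uac):
        return False
    if pwd_last_set == 0:  # "user must change password at next logon"
        return True
    return now - filetime_to_datetime(pwd_last_set) > max_pwd_age

def clear_never_expires(uac: int) -> int:
    """What `dsmod user -pwdneverexpires no` does to the attribute value."""
    return uac & ~UF_DONT_EXPIRE_PASSWD

# Constructed sample directory, shaped like the attributes an LDAP search returns.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
MAX_PWD_AGE = timedelta(days=60)

def _set_days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))

SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _set_days_ago(10)},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": _set_days_ago(100)},
    {"sAMAccountName": "bob", "userAccountControl": UF_NORMAL_ACCOUNT, "pwdLastSet": 0},
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": _set_days_ago(400)},
    {"sAMAccountName": "olduser", "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_EXPIRE_PASSWD,
     "pwdLastSet": _set_days_ago(900)},
]

def find_never_expires(users):
    """Equivalent of the thread's dsquery filter; note it also returns disabled accounts."""
    return [u["sAMAccountName"] for u in users if password_never_expires(u["userAccountControl"])]

def audit(users, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Per account: (name, never_expires, expired now, expired once the flag is cleared)."""
    rows = []
    for u in users:
        uac, pls = u["userAccountControl"], u["pwdLastSet"]
        rows.append((
            u["sAMAccountName"],
            password_never_expires(uac),
            password_expired(uac, pls, max_pwd_age, now),
            password_expired(clear_never_expires(uac), pls, max_pwd_age, now),
        ))
    return rows

if __name__ == "__main__":
    print("never expires:", find_never_expires(SAMPLE_USERS))
    for name, never, expired, expired_after in audit(SAMPLE_USERS):
        print(f"{name:11} neverExpires={never!s:5} expired={expired!s:5} expiredAfterClear={expired_after}")
```

Two practical points the model makes visible. First, an account such as the sample svc_backup whose password was last set long ago is not expired while the flag is set, but becomes expired the moment the flag is cleared, so bulk-running the dsmod line above will lock service accounts out at their next logon unless their passwords are rotated first; run the dsquery/dsget report, triage it, and clear the flag in batches. Second, the filter in the thread also matches disabled accounts; adding `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` to the filter excludes them. Separately, in a Windows Server 2003 domain the password-age settings for domain accounts are read only from policy linked at the domain level, so a test GPO on an OU will not change anything for domain users.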