Force password change for domain users

We have a Windows 2003 Domain Controller with Active Directory.  I will change the domain policy to require password complexity, change password every 60 days, etc.  I know there are accounts in Active Directory where the "password never expires" option is checked.  How can I easily find all of them that have this option checked without going through each account individually?  Also, when I change the default domain policy for passwords, will this override the individual accounts' option (i.e. if the domain policy says it has to be changed every 60 days, will this override the "password never expires" option)?
maharlika asked:

JohnGerhardt commented:
Have a look @ this..
http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug05/hey0829.mspx
If you want help with the script, post back...
Joseph Daly commented:
Here you go. What the below script does is query every user account in AD and then return their last name, first name, and whether their "password never expires" mark is checked.
dsquery user -samid * -limit 0 | dsget user -ln -fn -pwdneverexpires
samiam41 commented:
@xxdcmast:  Wow!  Nice script.  I have been trying to figure a way to do this for my environment.  Not to steal anyone's thunder but thanks for the script!
JohnGerhardt commented:
I second that, very simple..
Joseph Daly commented:
The following query should do the same as the above query, but using an LDAP filter.

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 |dsget user -ln -fn -pwdneverexpires
Joseph Daly commented:
Now you may want to do some testing on this, but the script below should CHANGE them all to uncheck the "password never expires" option.

Be careful with the script below.
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 | dsmod user -pwdneverexpires no
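The two dsquery commands above match the DONT_EXPIRE_PASSWD bit (0x10000 = 65536) of userAccountControl with the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803, and the dsmod variant clears it on every match at once. The PowerShell script below is an added example written for this thread, not code from the thread or from Microsoft: it runs the same LDAP filter through .NET's DirectorySearcher (plain ADSI, so it works against a Windows 2003 DC with nothing extra installed, unlike the ActiveDirectory module), reports each matching account with whether it is disabled and when its password was last set, and only clears the flag when run with the assumed `-Fix` switch. Run it from an administrative workstation with PowerShell 3 or later (the `[pscustomobject]` syntax needs that); the `-SearchBase` parameter and the variable names are this example's own.

```powershell
# Added example, not from the thread: audit (and optionally clear) the
# "password never expires" flag using the same LDAP filter as the dsquery commands.
param(
    [switch]$Fix,               # actually clear the flag; default is report-only
    [string]$SearchBase = ''    # e.g. 'OU=Staff,DC=example,DC=local'; empty = whole domain
)

$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit 65536
$ACCOUNTDISABLE     = 0x0002    # userAccountControl bit 2

# [ADSI]'' binds to the default naming context of the domain the workstation is joined to.
$root = if ($SearchBase) { [ADSI]"LDAP://$SearchBase" } else { [ADSI]'' }
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWD))"
$searcher.PageSize = 1000       # server-side paging, the equivalent of dsquery's -limit 0
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'distinguishedName', 'userAccountControl', 'pwdLastSet'))

# pwdLastSet is read from the search result (Int64) rather than from a DirectoryEntry,
# where it comes back as a COM IADsLargeInteger that needs extra conversion.
$results = foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    $pls = if ($r.Properties['pwdlastset'].Count) { [long]$r.Properties['pwdlastset'][0] } else { 0 }
    [pscustomobject]@{
        SamAccountName = [string]$r.Properties['samaccountname'][0]
        DN             = [string]$r.Properties['distinguishedname'][0]
        Disabled       = ($uac -band $ACCOUNTDISABLE) -ne 0
        PwdLastSet     = if ($pls -gt 0) { [DateTime]::FromFileTime($pls) } else { $null }
    }
}

$results | Sort-Object Disabled, SamAccountName | Format-Table -AutoSize

if ($Fix) {
    # Only touch enabled accounts; disabled ones are left alone so the audit stays reviewable.
    foreach ($acct in ($results | Where-Object { -not $_.Disabled })) {
        $user = [ADSI]"LDAP://$($acct.DN)"
        $uac  = [int]$user.Properties['userAccountControl'].Value
        $user.Put('userAccountControl', ($uac -band (-bnot $DONT_EXPIRE_PASSWD)))
        $user.SetInfo()
        Write-Host "Cleared 'password never expires' on $($acct.SamAccountName)"
    }
}
```

Review the report before using `-Fix`: once the flag is cleared, an account whose PwdLastSet is already older than the domain's maximum password age has an expired password immediately, and anything that logs on with that account (a service or scheduled task, for example) will start failing at that point rather than at the next planned change.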
maharlika (Author) commented:
xxdcmast, thanks for the great script.
Also: if password never expires = yes, does that override the default domain policy that says it has to be changed every 60 days?
Joseph Daly commented:
That's a good question. I would assume that the settings in AD would override the default domain policy, but honestly I can't say for sure.

You could always test it out by setting a gpo on a TEST OU with password change of 1 day and see what happens.
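On the override question: the per-account "password never expires" flag (UF_DONT_EXPIRE_PASSWD) takes precedence over the domain's maximum password age. A domain controller only marks a password as expired when pwdLastSet plus maxPwdAge lies in the past and that flag is clear, so changing the Default Domain Policy to 60 days does not force a change on accounts that have the box checked; only clearing the flag does. The script below is an added example for this thread, not the thread's own or Microsoft's code: it reads maxPwdAge from the domain naming context and reproduces that arithmetic for every enabled user, which is the manual route on Windows 2003 (the constructed attribute msDS-UserPasswordExpiryTimeComputed that newer DCs offer is not available there). It assumes a domain-joined workstation with PowerShell 3 or later; the status strings and variable names are the example's own.

```powershell
# Added example, not from the thread: show which enabled accounts the domain's
# maximum password age actually applies to, and which are exempt because of the
# DONT_EXPIRE_PASSWD flag (0x10000). Plain ADSI/.NET, so it runs against a 2003 DC.
$DONT_EXPIRE_PASSWD = 0x10000
$now = Get-Date

# 1. maxPwdAge lives on the domain object as negative 100-ns ticks;
#    0 or Int64.MinValue means the domain policy itself never expires passwords.
$domain = [ADSI]''
$domainSearch = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectClass=*)', @('maxPwdAge'), 'Base')
$maxPwdAge = [long]$domainSearch.FindOne().Properties['maxpwdage'][0]
$domainNeverExpires = ($maxPwdAge -eq 0 -or $maxPwdAge -eq [long]::MinValue)
if (-not $domainNeverExpires) { $maxAge = [TimeSpan]::FromTicks(-$maxPwdAge) }
$ageText = if ($domainNeverExpires) { 'never' } else { "$($maxAge.Days) days" }
Write-Host "Domain maximum password age: $ageText"

# 2. Enumerate enabled users (ACCOUNTDISABLE bit 2 cleared).
$userSearch = New-Object System.DirectoryServices.DirectorySearcher($domain)
$userSearch.Filter   = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$userSearch.PageSize = 1000
$userSearch.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'pwdLastSet'))

$report = foreach ($r in $userSearch.FindAll()) {
    $uac = [int]$r.Properties['useraccountcontrol'][0]
    $pls = if ($r.Properties['pwdlastset'].Count) { [long]$r.Properties['pwdlastset'][0] } else { 0 }
    $neverFlag = ($uac -band $DONT_EXPIRE_PASSWD) -ne 0

    # Precedence, as the DC evaluates it: per-account flag first, then
    # "must change at next logon" (pwdLastSet = 0), then the domain maximum age.
    if ($neverFlag) {
        $expires = $null; $status = 'Exempt (password never expires flag)'
    } elseif ($pls -eq 0) {
        $expires = $null; $status = 'Must change at next logon'
    } elseif ($domainNeverExpires) {
        $expires = $null; $status = 'No domain maximum age'
    } else {
        $expires = [DateTime]::FromFileTime($pls) + $maxAge
        $status  = if ($expires -lt $now) { 'Expired' } else { 'OK' }
    }

    [pscustomobject]@{
        SamAccountName = [string]$r.Properties['samaccountname'][0]
        PwdLastSet     = if ($pls -gt 0) { [DateTime]::FromFileTime($pls) } else { $null }
        Expires        = $expires
        Status         = $status
    }
}

$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize
```

The "Expired" rows are the ones to look at before the 60-day policy goes live: they are enabled accounts without the flag whose last password change is already older than the new maximum age, so they will be prompted to change at their next logon as soon as the policy applies.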