
LDAP/Script Question....

While testing a GPO to require users to change passwords every 90 days... I accidentally applied it.

Now all my off-site users who use OWA only can't log into OWA, needless to say they can't change their password.

I need to reverse that GPO setting, and the only way to remove the "user must change password at next login" flag seems to be modifying this flag


to -1 instead of "0"

The script according to this KB article:  http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx?mfr=true

Gives me the following code

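Set objUser = GetObject _
    ("LDAP://<user DN>") ' placeholder for the user's distinguished name
objUser.Put "pwdLastSet", -1 ' -1 sets pwdLastSet to the current date and time
objUser.SetInfo ' commit the change to the directory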

But how can I modify that LDAP query to say ALL USERS??

Unless of course I'm going about this the long way.  I simply want to reset the flag that says users must change password at next login to continue to let them use the password they already have.  Versus forcing them to change it.
1 Solution
You should look into using the DSQUERY and DSMOD tools to do this.

You would use DSQUERY to get a list of all users, then pipe the results to DSMOD, which would change that flag.

You can see this page as a reference.  You will need to modify their examples of course:

derrickonline (Author) commented:
Resolved my own issue....

Setting the "password never expires" flag took precedence over the "password already expired" flag.
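
The following added example is not part of the original thread. It uses the ActiveDirectory PowerShell module to clear the "must change password at next logon" flag for every affected user under one OU, then lists the accounts that still have "password never expires" set so they can be returned to the 90-day policy; the search base DN is a placeholder assumption.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Placeholder DN (assumption): the container that holds the affected users.
$SearchBase = 'OU=Staff,DC=example,DC=com'

# 1. Find accounts flagged "user must change password at next logon".
#    That checkbox is stored as pwdLastSet = 0.
$flagged = Get-ADUser -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase `
    -Properties pwdLastSet, PasswordNeverExpires

"{0} account(s) currently flagged" -f @($flagged).Count

# 2. Clear the flag. Writing -1 stamps pwdLastSet with the current time,
#    so the existing password stays valid and its age restarts from now.
#    -WhatIf only prints what would change; remove it after reviewing the list.
$flagged | Set-ADUser -Replace @{ pwdLastSet = -1 } -WhatIf

# 3. List accounts with "password never expires" set. That flag exempts an
#    account from the maximum password age, so any account that got it as a
#    workaround is no longer covered by the 90-day policy.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase $SearchBase `
    -Properties PasswordNeverExpires, PasswordLastSet |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires

# 4. Once an account's owner can log in again, put it back under the policy
#    (uncomment and run per account or pipe a reviewed list into it):
# Set-ADUser -Identity <samAccountName> -PasswordNeverExpires $false
```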
