LDAP/Script Question....

Posted on 2008-11-13
Last Modified: 2013-12-24
While testing a GPO to require users to change passwords every 90 days... I accidentally applied it.

Now all my off-site users who use OWA only can't log into OWA; needless to say, they can't change their password.

I need to reverse that GPO setting, and the only way to remove the "user must change password at next login" flag seems to be modifying this flag to -1 instead of "0".

The script according to this KB article:

Gives me the following code

Set objUser = GetObject _
objUser.Put "pwdLastSet", -1
objUser.SetInfo   ' commit the change; Put alone only updates the local property cache

But how can I modify that LDAP query to say ALL USERS??

Unless of course I'm going about this the long way.  I simply want to reset the flag that says users must change password at next login to continue to let them use the password they already have.  Versus forcing them to change it.
Question by: derrickonline

    Expert Comment

    You should look into using the DSQUERY and DSMOD tools to do this.

    You would use DSQUERY to get a list of all users, then pipe the results to DSMOD, which would change that flag.

    You can see this page as a reference. You will need to modify their examples of course:
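The question asks for the KB script applied to "ALL USERS", and the comment above suggests doing it with dsquery piped into dsmod. The following is an added example (not from the original thread, the KB article, or Microsoft): a PowerShell script that uses the same ADSI calls as the VBScript, but finds every enabled user whose pwdLastSet is 0 (which is how AD stores "must change password at next logon") with a paged DirectorySearcher and writes -1 to each. It assumes it runs on a domain-joined machine under an account with write access to pwdLastSet; the -SearchBase parameter and the -WhatIf dry run are this example's own additions.

```powershell
# Added example (not from the original post): clear "user must change password at
# next logon" for every enabled user whose flag is set, using ADSI from PowerShell.
# Assumes a domain-joined machine and an account allowed to write pwdLastSet.
# Run with -WhatIf first; scope -SearchBase to the OU holding the affected users
# rather than the whole domain so service and admin accounts are not touched.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
)

# pwdLastSet = 0 is the "must change password at next logon" flag.
# The 1.2.840.113556.1.4.803 rule is an LDAP bitwise AND; bit 0x2 of
# userAccountControl is ACCOUNTDISABLE, so disabled accounts are skipped.
$filter = "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter     = $filter
$searcher.PageSize   = 1000          # paged search, so more than 1000 users come back
[void]$searcher.PropertiesToLoad.Add("distinguishedName")
[void]$searcher.PropertiesToLoad.Add("sAMAccountName")

$results = $searcher.FindAll()
Write-Host ("{0} enabled account(s) are flagged 'must change password at next logon'" -f $results.Count)

foreach ($r in $results) {
    $dn  = [string]$r.Properties["distinguishedname"][0]
    $sam = [string]$r.Properties["samaccountname"][0]
    if ($PSCmdlet.ShouldProcess($sam, "Clear must-change-password flag (pwdLastSet = -1)")) {
        $user = [ADSI]"LDAP://$dn"
        # AD accepts only 0 or -1 as a written value. -1 means "password set now":
        # the user keeps the existing password and the 90-day maximum-age clock
        # restarts for that account from this moment.
        $user.Put("pwdLastSet", -1)
        $user.SetInfo()
        Write-Host "Cleared flag for $sam"
    }
}
$results.Dispose()
```

Save it as a .ps1 and run it once with -WhatIf to see the list of accounts, then without. The dsquery/dsmod route suggested above does the same thing with `dsquery user -limit 0 | dsmod user -mustchpwd no`, but it has no preview and takes every user object in the domain unless the dsquery is scoped to an OU.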


    Accepted Solution

    Resolved my own issue....

    Setting the "password never expires" flag took precedence over the "password already expired" flag.
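The accepted workaround sets the DONT_EXPIRE_PASSWORD bit (0x10000 in userAccountControl), which means the 90-day policy no longer applies to those accounts at all. As an added example (not from the original thread), the script below undoes that workaround without locking the users out again: for every enabled user with the bit set, it shows how old the stored pwdLastSet timestamp is, then clears the bit and, in the same write, resets pwdLastSet to -1 so the account keeps its current password and starts a fresh maximum-age window. Clearing the bit alone would immediately expire any password older than the domain's maximum age. It assumes a domain-joined machine and write access to both attributes; -SearchBase and -WhatIf are this example's own conveniences.

```powershell
# Added example (not from the original post): undo the "password never expires"
# workaround. Assumes a domain-joined machine and an account allowed to write
# userAccountControl and pwdLastSet. Run with -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = ([ADSI]"LDAP://RootDSE").defaultNamingContext
)

$DONT_EXPIRE_PASSWORD = 0x10000        # userAccountControl bit: "password never expires"
$ACCOUNTDISABLE       = 0x2            # userAccountControl bit: account disabled
$matchBit = "1.2.840.113556.1.4.803"   # LDAP bitwise-AND matching rule

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(userAccountControl:${matchBit}:=$DONT_EXPIRE_PASSWORD)" +
                   "(!(userAccountControl:${matchBit}:=$ACCOUNTDISABLE)))"
$searcher.PageSize = 1000
foreach ($p in "distinguishedName", "sAMAccountName", "pwdLastSet", "userAccountControl") {
    [void]$searcher.PropertiesToLoad.Add($p)
}

foreach ($r in $searcher.FindAll()) {
    $dn   = [string]$r.Properties["distinguishedname"][0]
    $sam  = [string]$r.Properties["samaccountname"][0]
    $uac  = [int]$r.Properties["useraccountcontrol"][0]
    $last = [long]$r.Properties["pwdlastset"][0]   # FILETIME, 0 = must change at next logon

    # Report the age of the stored timestamp. Anything older than the domain's
    # maximum password age would expire the moment the bit is cleared, which is
    # why pwdLastSet is rewritten in the same SetInfo() below.
    $age = if ($last -gt 0) {
        ((Get-Date).ToUniversalTime() - [DateTime]::FromFileTimeUtc($last)).Days
    } else { "n/a" }
    Write-Host ("{0}: never-expires set, pwdLastSet age = {1} day(s)" -f $sam, $age)

    if ($PSCmdlet.ShouldProcess($sam, "Clear DONT_EXPIRE_PASSWORD and reset pwdLastSet to -1")) {
        $user = [ADSI]"LDAP://$dn"
        $user.Put("userAccountControl", ($uac -band (-bnot $DONT_EXPIRE_PASSWORD)))
        $user.Put("pwdLastSet", -1)
        $user.SetInfo()
        Write-Host "Re-enabled password expiry for $sam"
    }
}
```

Run it with -WhatIf first: the listing alone is a useful audit, since accounts that legitimately need a non-expiring password (service accounts) will show up too and should be excluded by narrowing -SearchBase before the real run.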
