LDAP/Script Question....

While testing a GPO to require users to change passwords every 90 days...I accidentally applied it.

Now all my off-site users who use OWA only can't log into OWA, needless to say they can't change their password.

I need to reverse that GPO setting and the only way to remove the "user must change password at next login" flag seems to be modifying this flag


to -1 instead of "0"

The script according to this KB article:  http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_akke.mspx?mfr=true

Gives me the following code

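Set objUser = GetObject _
    ("LDAP://<distinguished name of the user>") ' placeholder for the user's LDAP path
objUser.Put "pwdLastSet", -1 ' -1 clears "must change password at next logon"
objUser.SetInfo ' write the change back to the directory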

But how can I modify that LDAP query to say ALL USERS??

Unless of course I'm going about this the long way.  I simply want to reset the flag that says users must change password at next login to continue to let them use the password they already have.  Versus forcing them to change it.
derrickonline (Author) commented:
Resolved my own issue....

Setting the password never expires flag took precedence over password already expired flag.
You should look into using the DSQUERY and DSMOD tools to do this.

You would use DSQUERY to get a list of all users, then pipe the results to DSMOD, which would change that flag.

You can see this page as a reference.  You will need to modify their examples of course:
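
An added example (not part of the original thread or of the page it references) of the DSQUERY-to-DSMOD pipe described above, narrowed to accounts that currently carry the must-change flag (pwdLastSet=0). The OU path and the output file name are constructed placeholders.

```batch
@echo off
setlocal

rem Scope of the change. Constructed placeholder OU: replace it with your
rem own container, or use domainroot to cover the whole domain.
set "BASE=OU=Remote Users,DC=example,DC=com"

rem Match only user accounts flagged "must change password at next logon"
rem (pwdLastSet=0), so unaffected accounts are never touched.
set "FILTER=(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))"

rem 1. Dry run: write the matching DNs to a file and show them.
rem    -limit 0 lifts dsquery's default cap of 100 results.
dsquery * "%BASE%" -filter "%FILTER%" -limit 0 > flagged-users.txt
type flagged-users.txt

rem 2. Change nothing unless the script is run with the argument "apply".
if /i not "%~1"=="apply" goto :eof

rem dsmod reads the target DNs from standard input.
rem -c keeps going and reports errors instead of stopping at the first one.
type flagged-users.txt | dsmod user -mustchpwd no -c
```

Review flagged-users.txt before applying: the filter also matches new accounts that were deliberately set to change their password at first logon, and the file doubles as a record of which accounts were modified.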
