• Status: Solved
  • Priority: Medium
  • Security: Public

Scripting for changing User attributes

We have a single-domain, single-forest AD 2003 R2 environment spread across various site offices represented by OUs.

The problem is, at the domain level, we have set a policy that passwords should expire every 90 days, but that domain-level policy is probably being overridden by individual user attributes being set for many users that have the 'Password never Expires' checkbox clicked (as shown in the attached snapshot).

Is there a way / script that would allow me to unmark all the 1000 users' 'Password never Expires' attribute within one of the OUs?
[Attachment: sshot1.jpg]

Asked by: fahim

a_ro_no commented:
This might be helpful for you.
http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct06/hey1031.mspx

Although this script demonstrates how to set the flag for a specific user, with a minor modification you will get the result you want.

First of all you want to query all the users in AD. You will find instructions here:
http://www.microsoft.com/technet/scriptcenter/guide/sas_usr_ykxh.mspx?mfr=true

-pio- commented:
Hi,

I've made a script which iterates over the defined OU and disables the Password Never Expires flag for every user inside.

Hope it helps.


Regards,
Peter
Option Explicit

' Modify it to fit your needs
Const strBase = "<LDAP://OU=DEPARTMENT,DC=my,DC=domain,DC=name>"

' userAccountControl bit behind the "Password never expires" checkbox
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Dim adoCommand, adoConnection, strFilter, strAttributes
Dim strQuery, adoRecordset, strDN, strLogin, objUser, intUAC

Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' All user objects in the OU and its sub-OUs
strFilter = "(&(objectCategory=person)(objectClass=user))"
strAttributes = "sAMAccountName,cn,distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 2048
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

On Error Resume Next
Do Until adoRecordset.EOF
	' Start every user with a clean error state and no stale values
	Err.Clear
	Set objUser = Nothing
	strLogin = adoRecordset.Fields("sAMAccountName").Value
	strDN = adoRecordset.Fields("distinguishedName").Value
	' A "/" inside a DN has to be escaped in an ADsPath
	Set objUser = GetObject("LDAP://" & Replace(strDN, "/", "\/"))
	intUAC = objUser.Get("userAccountControl")
	If (Err.Number<>0) Then
		' Bind or read failed: report it and leave this user untouched
		WScript.Echo "User " & strLogin & ": CANNOT READ userAccountControl! Error: " & Err.Number & " " & Err.Description
	ElseIf (ADS_UF_DONT_EXPIRE_PASSWD AND intUAC)<>ADS_UF_DONT_EXPIRE_PASSWD Then
		WScript.Echo "User " & strLogin & ": Password never expires is already disabled"
	Else
		' The bit is known to be set here, so XOR clears it
		objUser.Put "userAccountControl", intUAC XOR ADS_UF_DONT_EXPIRE_PASSWD
		objUser.SetInfo
		If (Err.Number<>0) Then
			WScript.Echo "User " & strLogin & ": CANNOT DISABLE Password Never Expires! Error: " & Err.Number & " " & Err.Description
		Else
			WScript.Echo "User " & strLogin & ": Password never expires IS NOW DISABLED"
		End If
	End If
	Set objUser = Nothing
	adoRecordset.MoveNext
Loop
On Error GoTo 0
adoRecordset.Close
adoConnection.Close

-pio- commented:
Please note that the user the script runs as needs Administrative privileges for the mentioned OU.

Regards,
Peter
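
An added example, not part of the original thread or any poster's code: a read-only audit to run before the bulk change. It lists only the accounts that have the flag set and marks those whose password is already older than the 90-day policy, since such accounts (service accounts included) have an expired password as soon as the flag is cleared. It assumes the same placeholder OU as the script above and reports pwdLastSet in UTC.

```vbscript
Option Explicit
' Assumptions: placeholder OU from the script above; 90-day maximum
' password age as stated in the question. Nothing is written to AD.
Const strBase = "<LDAP://OU=DEPARTMENT,DC=my,DC=domain,DC=name>"
Const MAX_AGE_DAYS = 90
Dim adoConnection, adoCommand, adoRecordset, strFilter, dtmSet, strNote

Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand = CreateObject("ADODB.Command")
adoCommand.ActiveConnection = adoConnection
' LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803): the server returns
' only users whose userAccountControl has bit 65536 (&h10000) set.
strFilter = "(&(objectCategory=person)(objectClass=user)" & _
            "(userAccountControl:1.2.840.113556.1.4.803:=65536))"
adoCommand.CommandText = strBase & ";" & strFilter & _
    ";sAMAccountName,distinguishedName,pwdLastSet;subtree"
adoCommand.Properties("Page Size") = 500
adoCommand.Properties("Cache Results") = False
Set adoRecordset = adoCommand.Execute

WScript.Echo "sAMAccountName,pwdLastSet(UTC),note,distinguishedName"
Do Until adoRecordset.EOF
    dtmSet = Empty
    ' pwdLastSet is an Integer8: 100-ns ticks since 1601-01-01 UTC
    If TypeName(adoRecordset.Fields("pwdLastSet").Value) = "Object" Then
        dtmSet = Int8ToDate(adoRecordset.Fields("pwdLastSet").Value)
    End If
    If IsEmpty(dtmSet) Then
        strNote = "no password date (must change at next logon)"
    ElseIf DateDiff("d", dtmSet, Now) > MAX_AGE_DAYS Then
        strNote = "EXPIRED as soon as the flag is cleared"
    Else
        strNote = "within policy"
    End If
    WScript.Echo adoRecordset.Fields("sAMAccountName").Value & "," & dtmSet & _
        "," & strNote & ",""" & adoRecordset.Fields("distinguishedName").Value & """"
    adoRecordset.MoveNext
Loop
adoRecordset.Close
adoConnection.Close

Function Int8ToDate(objInt8)   ' returns Empty when the value is 0
    Dim lngHigh, lngLow
    lngHigh = objInt8.HighPart
    lngLow = objInt8.LowPart
    If lngLow < 0 Then lngHigh = lngHigh + 1
    If lngHigh = 0 And lngLow = 0 Then Exit Function
    Int8ToDate = #1/1/1601# + ((lngHigh * (2 ^ 32)) + lngLow) / 600000000 / 1440
End Function
```

Run it with cscript //nologo and redirect the output to a file to keep a record of which accounts had the flag before the change.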