Changing AD Password

Raimson
When resetting a password in a Windows 2003 AD environment, one of the options is to put a check in the box for "User must change password at next logon". Is there a way to change this so that the default has the check box already ticked?


Network Administrator
Commented:
Yep, the lack of that being enforced from the out-of-the-box GUI is the reason so many folks use scripted or coded solutions of their own. If you need a GUI that can be used, a simple asp.net application is probably the best solution, though that does require someone that knows how to do that being available. Well, actually, you just about only need someone that can figure out getting the application hosted on a web page and working, because you can find the code all over the place for doing simple AD account management functions like this.
A PowerShell or VB script is the simplest way to do it, and again those are freely available all over the place to give a shortcut for that option as well.
 
bluntTony, Head of ICT
Top Expert 2009
Commented:
You can add a script which does this into ADUC using displaySpecifiers. This will give you an option when you right-click a user, to reset their password and make the user change it. The limitation of this is that it's VBScript, which uses an InputBox that doesn't mask the password as you type it:
The steps are:
1. Save the below script as 'changePassword.vbs' and save it in the NETLOGON share on your DC.
2. Using ADSIEDIT, browse to:
CN=user-Display,CN=409,CN=DisplaySpecifiers,CN=Configuration,DC=domain,DC=local
(obviously the DC bits will be different for you, and 409 refers to English)
3. In the properties of this object, edit the adminContextMenu attribute. You'll need to add a value to this list, usually 4 if this is the first time. Add the line similar to this:
4, &Reset Password (force change),\\domain\netlogon\changePassword.vbs
(where 'Reset Password (force change)' is how the menu option will appear, and is followed by the UNC path to the script you saved in NETLOGON).
OK and close all of this.
Now when you right-click a user in ADUC and select this option, the script will be launched, and it will prompt you to change the password and confirm it. It will automatically force the user to reset their password on next logon. You can change the script to suit your needs, but leave the first line as it is.
I know this isn't brilliant, but it's quick and easy and saves you creating your own form or application!
Hope it helps...

Wscript.Echo Wscript.Arguments(0)
' ADUC passes the ADsPath of the selected user (e.g. LDAP://CN=...,DC=domain,DC=local)
' as the first argument when the context-menu entry is launched.

' Bind to the selected user object.
Set objUser = GetObject(WScript.Arguments(0))

' Note: InputBox does not mask what is typed.
strPassword1 = InputBox("Reset Password For: " & objUser.cn & vbCrLf & _
	"User must change this password on next logon", "Password:")

If strPassword1 = "" Then
	' Empty input or Cancel: do nothing.
	Wscript.Quit
Else
	strPassword2 = InputBox("Confirm Password:")

	If strPassword1 = strPassword2 Then
		objUser.SetPassword strPassword1       ' administrative reset of the password
		objUser.Put "pwdLastSet", 0            ' same as ticking "User must change password at next logon"
		objUser.SetInfo                        ' commit both changes to AD
		MsgBox "Password changed!"
	Else
		MsgBox "Passwords Do Not Match! Cancelling."
	End If
End If

Set objUser = Nothing
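The same reset written in PowerShell, as an added example that is not part of the answer above: it uses the same ADSI calls as the VBScript (SetPassword, pwdLastSet = 0, SetInfo) but prompts with Read-Host -AsSecureString so the password is masked while typed, and it refuses to proceed if "Password never expires" is set, since that flag stops the forced change from taking effect. The script name, parameter and the LDAP path shown in the comment are assumptions; wiring it into adminContextMenu is not shown.

```powershell
# Added example (not from the answer above): ADSI-based reset with a masked prompt.
# $AdsPath is the user's ADsPath, e.g. "LDAP://CN=Jane Doe,OU=Staff,DC=domain,DC=local"
# (placeholder; substitute a real DN).
param(
    [Parameter(Mandatory = $true)]
    [string]$AdsPath
)

# Decrypt a SecureString only for the moment it is needed, then zero the buffer.
function ConvertFrom-SecureToPlain {
    param([System.Security.SecureString]$Secure)
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try     { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

$user = [ADSI]$AdsPath
try   { $cn = [string]$user.cn }                       # property access performs the bind
catch { throw "Could not bind to $AdsPath : $_" }

# pwdLastSet = 0 does not force a change while UF_DONT_EXPIRE_PASSWD (0x10000) is set.
$UF_DONT_EXPIRE_PASSWD = 0x10000
if (([int]$user.userAccountControl.Value) -band $UF_DONT_EXPIRE_PASSWD) {
    throw "${cn}: 'Password never expires' is set; clear it before forcing a change."
}

$first = ConvertFrom-SecureToPlain (Read-Host "Reset password for $cn" -AsSecureString)
if ([string]::IsNullOrEmpty($first)) { Write-Host "Cancelled."; return }
$second = ConvertFrom-SecureToPlain (Read-Host "Confirm password" -AsSecureString)

if ($first -cne $second) {                              # case-sensitive comparison
    Write-Host "Passwords do not match. Cancelling."
    return
}

$user.psbase.Invoke("SetPassword", $first)   # administrative reset, like objUser.SetPassword
$user.Put("pwdLastSet", 0)                   # "User must change password at next logon"
$user.SetInfo()                              # commit both changes
$first = $second = $null
Write-Host "Password reset for ${cn}; change required at next logon."
```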
