zuberlaw

asked on

Force domain users to change their domain passwords every 6 months on specified dates

One of my clients needs a method or script that will force all their staff members in their office to change their network passwords every 6 months on specified dates, such as January 15th and June 15th.

They have a Windows Server 2003 Standard environment with about 30 users in Active Directory all on the same domain.  All desktops are Windows XP Pro if that matters, and all servers and desktops are currently updated with all the Microsoft Updates.

All external users use VPN and Remote Desktop to connect to actual desktops on the domain in their office.

They don't want me to change the administrator passwords and such, but they do want all staff members to be forced to change their network passwords on every January 15th and June 15th.

How can I do this?  And thanks in advance!
Joseph Daly

Are all the users in the same OU?

If so, what you could do is run a scheduled task at whatever recurring interval you want using the script below.

dsquery user {Distinguished name of ou} -samid * -limit 0 | dsmod user -mustchpwd yes

What the script does is look into whichever OU you place in the curly brackets, find all the user accounts, and then flip the "password must change" check box.

zuberlaw

ASKER

All users are in Active Directory under the same subfolder called "Users".

Here is the folder structure in Active Directory:

-- Active directory Users and Computers (Root)
       --company.domain.com (subfolder)
          --Company Name  (subfolder)
             --Users (subfolder)

There is also another folder called "Users" on the same folder level as the "Company Name" folder listed above, but the user accounts are in the Users folder under the "Company Name" subfolder at the bottom of the tree above.
OK, so that's easy enough; all you need to do is get the distinguished name of that OU.

If you don't know how to get the DN of that OU, you can download ADExplorer and use it to browse to your OU and get the distinguished name.
http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx

Before running this script, just make sure that none of your admin accounts are in that Users folder, and that the account you're running the scheduled task with isn't one that is going to have a password change.


Thanks, so if I want the script to run every 6 months, can you show me what the exact script looks like?

I installed ADExplorer, right clicked the Users folder containing the user accounts and went to Copy Name. Here is the name it gave me:
OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com

Thanks.
That DN looks about right. Is there supposed to be an underscore there? I'm thinking yes, but it just looks a little funny.

So what you would do is test that script first on a new OU with only 1 or 2 accounts in it. I never put anything into full scale until I'm sure it works.

Once you have confirmed the script works, take your command and copy and paste it into a txt file. Save the file and rename it as a bat file.

Once you have the bat file, you can use the Windows Task Scheduler in Control Panel to create a recurring task.

When you make the task, make sure you set it to run as an account with rights to your AD environment.

That should be it. Again, please test this and ask any questions before going full scale on all users.
ASKER CERTIFIED SOLUTION
arnold
This solution is only available to members.
I agree with everything you said, arnold. And that is exactly how I have my users/environment set up. The steps I gave above were only to fulfill the requirements of the question asked. I don't think it's the best way, but it will do what was needed.
Thanks all of you, I really appreciate the help.  So ARNOLD/XXDCMAST, with setting up a password expiry policy on the Domain... where do I go to do this?
SOLUTION
This solution is only available to members.
Ok, I set their GP Account/Password policies to match yours, except that their maximum password age is 183 days, instead of the 90 you have.

The only thing I am not 100% sure on now is what the script should look like. I have confirmed in ADExplorer that the Users folder containing the user accounts has the name below (maybe I copied it wrong last time):

OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com,absvr01 [ABSVR01.abgroup.abllp.com]

Thanks so much!
That looks correct as far as I can tell minus the parts in the brackets.

OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com

A good way of checking is to start at the furthest rightmost part of it and walk down your AD tree until you get to your _Users OU. Everything should match up.
Well, I tried putting the bat file on the server and having it run at a set time using Scheduled Tasks, but nothing happens after it runs, and it does say the bat file ran.

Here's what I did without getting it to work... where did I go wrong?

1)  I put the following in a bat file:

dsquery user {OU=test,DC=abgroup,DC=abllp,DC=com,absvr01} -samid * -limit 0 | dsmod user -mustchpwd yes

test is the name of the user folder I created with a couple of accounts in it.

2)  In the Scheduled Tasks I set the time to run the bat file and it says it ran.

3)  The users in the "test" group login, but are not asked to do anything.  This is after the bat file ran and they restarted their desktops?

Any help would be appreciated.

Could you check using ADUC what other settings on the account are set, i.e. does it also have "password never expires" and/or "user cannot change password"? Also, are you capturing/recording any errors being returned?
Could you see what is being returned from:
dsquery user {OU=test,DC=abgroup,DC=abllp,DC=com,absvr01} -samid * -limit 0
Here is a shot of the settings I see.  What pwd settings should be set in the OU?  Should the passwords never expire be checked/unchecked, etc.?

Thanks!
ADinfo.jpg
Could you check the properties of a user in the test OU and see whether their settings are "password never expires" and "user cannot change password"?
I think if those two are checked, you might not be permitted to set the must-change-password option without first clearing at least the "user cannot change password" option.
Thanks.  I checked their settings and they have nothing checked at all.

Use GPMC:
Check whether the GPO you created is in sync; the AD/sysvol version numbers for computer configuration and user configuration should match,
i.e. User configuration AD (2) sysvol (1), and computer configuration is disabled or AD (5) sysvol (5).
If the numbers for each category do not match between the AD and sysvol, this means you have an error in your GPO that prevented its synchronization into the sysvol share.

If both seem to be synchronized between the AD and sysvol share,
run the Group Policy Results wizard for a user in the test OU and see whether the policy you have created applies.

Could you just run the dsquery to see whether you are actually getting an output of usernames, which you are trying to feed into dsmod user?
The issue could be that your dsquery returns no users and dsmod then modifies no users.
dsmod does not seem to be working for me either if "password never expires" is set.
The -mustchpwd option does not seem to work, while -pwd works.

Try running dsmod as: dsmod user -s <DC server ip> -mustchpwd yes
Also check the Directory Service event logs on your DC to see whether they are receiving a dsmod notification but for some reason cannot process it.
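Putting the troubleshooting advice above into one place (first see what dsquery actually returns, and record any errors instead of letting them vanish in a scheduled-task console window), here is an added example batch wrapper for the task; it is not code from the thread. It assumes the test OU DN from the thread written as a plain quoted DN without the curly braces or trailing server name, and a log path of C:\Scripts\force-pwd-change.log; both are assumptions to adjust for your environment.

```batch
@echo off
REM Added example, not from the thread. Runs under Scheduled Tasks and writes
REM everything dsquery/dsmod report to a log, so a silent "it ran" can be checked.
setlocal

REM Assumption: the test OU from the thread as a plain quoted DN (no curly
REM braces, no ",absvr01" suffix). Switch to the _Users DN once the test passes.
set "OU_DN=OU=test,DC=abgroup,DC=abllp,DC=com"
REM Assumption: log location; the task account needs write access to this folder.
set "LOG=C:\Scripts\force-pwd-change.log"
set "TARGETS=%TEMP%\pwd-targets.txt"

echo ==== %DATE% %TIME% start >> "%LOG%"

REM Step 1: capture the DNs the query returns. dsquery errors go to the log;
REM an empty list means dsmod would have nothing to modify, which matches the
REM "task ran but nothing happened" symptom.
dsquery user "%OU_DN%" -limit 0 > "%TARGETS%" 2>> "%LOG%"
if errorlevel 1 (
    echo dsquery failed with exit code %ERRORLEVEL%, aborting >> "%LOG%"
    exit /b 1
)
for /f %%N in ('type "%TARGETS%" ^| find /c /v ""') do set "COUNT=%%N"
echo dsquery returned %COUNT% account(s): >> "%LOG%"
type "%TARGETS%" >> "%LOG%"
if "%COUNT%"=="0" (
    echo no accounts matched, nothing to do >> "%LOG%"
    exit /b 1
)

REM Step 2: set "User must change password at next logon" on each returned DN.
REM Any account dsmod refuses to modify is reported in the log with its error.
type "%TARGETS%" | dsmod user -mustchpwd yes >> "%LOG%" 2>&1
echo dsmod finished with exit code %ERRORLEVEL% >> "%LOG%"

del "%TARGETS%"
endlocal
```

Run it by hand once against the test OU and read the log before scheduling it; the listed DNs show exactly which accounts the task will touch.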