Force domain users to change their domain passwords every 6 months on specified dates

One of my clients needs a method or script that will force all their staff members in their office to change their network passwords every 6 months on specified dates, such as January 15th and June 15th.

They have a Windows Server 2003 Standard environment with about 30 users in Active Directory all on the same domain.  All desktops are Windows XP Pro if that matters, and all servers and desktops are currently updated with all the Microsoft Updates.

All external users use VPN and Remote Desktop to connect to actual desktops on the domain in their office.

They don't want me to change the administrator passwords and such, but they do want all staff members to be forced to change their network passwords on every January 15th and June 15th.

How can I do this?  And thanks in advance!
Asked by zuberlaw

2 Solutions

Joseph Daly commented:
Are all the users in the same OU?

If so what you could do would be to run a scheduled task at whatever recurring interval you want using the script below.

dsquery user {Distinguished name of ou} -samid * -limit 0 | dsmod user -mustchpwd yes

What the script does is look into whichever OU you place in the curly brackets, find all the user accounts, and then flip the "password must change" check box.

zuberlaw (Author) commented:
All users are in Active Directory under the same subfolder called "Users".

Here is the folder structure in Active Directory:

-- Active directory Users and Computers (Root)
       --company.domain.com (subfolder)
          --Company Name  (subfolder)
             --Users (subfolder)

There is also another folder called "Users" on the same folder level as the "Company Name" folder listed above, but the user accounts are in the Users folder under the "Company Name" subfolder at the bottom of the tree above.
Joseph Daly commented:
OK, so that's easy enough; all you need to do is get the distinguished name of that OU.

If you don't know how to get the DN of that OU, you can download AD Explorer and use it to browse to your OU and get the distinguished name.
http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx

Before running this script, just make sure that none of your admin accounts are in that Users folder, and that the account you're running the scheduled task with isn't one that is going to have a password change.

zuberlaw (Author) commented:
Thanks. So if I want the script to run every 6 months, can you show me what the exact script looks like?

I installed AD Explorer, right-clicked the Users folder containing the user accounts and chose Copy Name. Here is the name it gave me:
OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com

Thanks.
Joseph Daly commented:
That DN looks about right. Is there supposed to be an underscore there? I'm thinking yes, but it just looks a little funny.

So what you would do is test that script first on a new OU with only 1 or 2 accounts in it. I never put anything into full scale until I'm sure it works.

Once you have confirmed the script works, take your command and copy and paste it into a .txt file. Save the file and rename it as a .bat file.

Once you have the .bat file, you can use the Windows Task Scheduler in Control Panel to create a recurring task.

When you make the task, make sure you set it to run as an account with rights to your AD environment.

That should be it. Again, please test this and ask any questions before going full scale on all users.
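A PowerShell version of the dsquery | dsmod step, as an added example that is not from the thread. It assumes the ActiveDirectory module (RSAT on Server 2008 R2 or later, so a newer management host than the 2003 server described), the OU DN posted above, and an exclusion list of assumed account names; it skips the accounts the replies say must not be touched, warns when the OU returns nobody, and can be dry-run with -WhatIf before it is scheduled.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT);
# schedule it the same way as the .bat file, under an account with rights to AD.
param(
    [string]  $OU      = "OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com",  # DN from the thread
    [string[]]$Exclude = @("Administrator", "svc-backup"),                 # assumed names
    [switch]  $WhatIf
)
Import-Module ActiveDirectory

# Enabled users under the OU, plus the flags that block a must-change-at-logon
$users = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter 'Enabled -eq $true' `
                    -Properties PasswordNeverExpires, CannotChangePassword, MemberOf
if (-not $users) {
    Write-Warning "No users found under $OU; check the DN before scheduling this."
    return
}

$changed = @(); $skipped = @()
foreach ($u in $users) {
    # Direct membership only; nested admin groups would need Get-ADGroupMember -Recursive
    $isDomainAdmin = [bool]($u.MemberOf -match '^CN=Domain Admins,')
    if ($u.SamAccountName -in $Exclude -or $isDomainAdmin -or
        $u.PasswordNeverExpires -or $u.CannotChangePassword) {
        $skipped += $u.SamAccountName
        continue
    }
    # Same effect as dsmod user -mustchpwd yes: sets pwdLastSet to 0
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    $changed += $u.SamAccountName
}
"Forced change on {0} account(s); skipped {1}: {2}" -f $changed.Count, $skipped.Count, ($skipped -join ', ')
```

Run it once with -WhatIf against the small test OU first, exactly as the reply recommends, and read the skipped list before pointing it at the real OU.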
arnold commented:
While the above would address the requirement of having the expiration/password change on specific dates, I think a requirement to change the password without notice could lead to issues.

An alternate approach is to set up a password expiry policy on the domain. Admin accounts and service accounts should have the "password never expires" selection checked.
With this setup, you give the user notice and time that their password is about to expire, and it is up to them to set a new one until the notice period expires, at which point they will be forced to enter a new password or they will not be allowed to log on.

The other issue I have with a forced change for all users on a specific date is that a significant portion will likely forget what they changed their password to and will have issues the next day.
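The notice-period behaviour described above, as an added example that is not from the thread: it reports which users are inside the warning window under the domain's maximum password age, so they can be reminded before the expiry forces a change. It assumes the ActiveDirectory module, the OU DN from the thread and a 14-day notice window.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
# Reports users whose password expires inside the notice window, so they can be
# warned instead of being surprised by a forced change.
param(
    [string]$OU         = "OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com",  # DN from the thread
    [int]   $NoticeDays = 14                                                # assumed window
)
Import-Module ActiveDirectory

# Domain-wide policy (fine-grained policies, if any, would need
# Get-ADUserResultantPasswordPolicy instead)
$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) {
    Write-Warning "MaxPasswordAge is 0: passwords never expire under this policy."
    return
}

Get-ADUser -SearchBase $OU -Filter 'Enabled -eq $true' `
           -Properties PasswordLastSet, PasswordNeverExpires |
  ForEach-Object {
    # Admin/service accounts flagged never-expires are outside the policy
    if ($_.PasswordNeverExpires) { return }
    if (-not $_.PasswordLastSet) {
        # pwdLastSet = 0: a change is already forced at next logon
        [pscustomobject]@{ User = $_.SamAccountName; ExpiresOn = 'next logon'; DaysLeft = 0 }
        return
    }
    $expires  = $_.PasswordLastSet + $maxAge
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    if ($daysLeft -le $NoticeDays) {
        [pscustomobject]@{ User = $_.SamAccountName; ExpiresOn = $expires.ToShortDateString(); DaysLeft = $daysLeft }
    }
  } | Sort-Object DaysLeft | Format-Table -AutoSize
```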
Joseph Daly commented:
I agree with everything you said, arnold. And that is exactly how I have my users/environment set up. The steps I gave above were only to fulfill the requirements of the question asked. I don't think it's the best way, but it will do what was needed.
zuberlaw (Author) commented:
Thanks all of you, I really appreciate the help.  So ARNOLD/XXDCMAST, with setting up a password expiry policy on the Domain... where do I go to do this?
Joseph Daly commented:
You need to enable this in the default domain policy. I have attached a screenshot of my settings from GPMC.

If you were to do the expiry policy, what you could do is get that all set up and running, and then run my script once so that all the users will have to change their passwords on the same day.
(attachment: 1.jpg)
zuberlaw (Author) commented:
OK, I set their Group Policy Account/Password policies to match yours, except that their maximum password age is 183 days, instead of the 90 you have.

The only thing I am not 100% sure on now is what the script should look like. I have confirmed in AD Explorer that the Users folder containing the user accounts has the name below (maybe I copied it wrong last time):

OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com,absvr01 [ABSVR01.abgroup.abllp.com]

Thanks so much!
Joseph Daly commented:
That looks correct as far as I can tell minus the parts in the brackets.

OU=_Users,OU=ZT,DC=abbgroup,DC=abbllp,DC=com

A good way of checking is to start at the rightmost part of it and walk down your AD tree until you get to your _Users OU. Everything should match up.
zuberlaw (Author) commented:
Well, I tried putting the .bat file on the server and having it run at a set time using Scheduled Tasks, but nothing happens after it runs, and it does say the .bat file ran.

Here's what I did without getting it to work... where did I go wrong?

1)  I put the following in a bat file:

dsquery user {OU=test,DC=abgroup,DC=abllp,DC=com,absvr01} -samid * -limit 0 | dsmod user -mustchpwd yes

"test" is the name of the user folder I created with a couple of accounts in it.

2)  In the Scheduled Tasks I set the time to run the bat file and it says it ran.

3)  The users in the "test" group login, but are not asked to do anything.  This is after the bat file ran and they restarted their desktops?

Any help would be appreciated.

arnold commented:
Could you check in ADUC what other settings on the account are set, i.e. does it also have "password never expires" and/or "user cannot change password"? Also, are you capturing/recording any errors being returned?
Could you see what is being returned from:
dsquery user {OU=test,DC=abgroup,DC=abllp,DC=com,absvr01} -samid * -limit 0
zuberlaw (Author) commented:
Here is a shot of the settings I see.  What pwd settings should be set in the OU?  Should the passwords never expire be checked/unchecked, etc.?

Thanks!
(attachment: ADinfo.jpg)

arnold commented:
Could you check the properties of a user in the test OU and see whether their settings are "password never expires" and "user cannot change password"?
I think if those two are checked, you might not be permitted to set the must-change-password option without first clearing at least the "user cannot change password" option.
zuberlaw (Author) commented:
Thanks.  I checked their settings and they have nothing checked at all.
arnold commented:

Use GPMC:
Check whether the GPO you created is in sync: the AD/sysvol numbers for computer configuration and user configuration should match, e.g. user configuration AD (2) sysvol (1), and computer configuration is disabled or AD (5) sysvol (5).
If the numbers for each category do not match between AD and sysvol, this means you have an error in your GPO that prevented its synchronization into the sysvol share.

If both seem to be synchronized between AD and the sysvol share, run the Group Policy Results wizard for a user in the test OU and see whether the policy you have created applies.

Could you just run the dsquery to see whether you are actually getting an output of usernames which you are trying to feed into dsmod user?
The issue could be that your dsquery returns no users and dsmod then modifies no users.
arnold commented:
dsmod does not seem to be working for me either if "password never expires" is set.
The -mustchpwd option does not seem to work, while -pwd works.

Try running dsmod as: dsmod user -s <DC server ip> -mustchpwd yes
arnold commented:
Also check the directory service event logs on your DC to see whether they are receiving a dsmod notification, but for some reason can not process it.
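The two checks asked for in the last few replies (that the GPO's AD and sysvol version numbers match, and that the query scope actually returns users whose must-change flag flipped), as an added example that is not from the thread. It assumes the ActiveDirectory and GroupPolicy modules, a GPO name, and the test OU written as a plain DN: the curly brackets in the first reply are placeholder notation, and the trailing ",absvr01" in the posted command is the server node from AD Explorer's path, not part of the DN.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory and GroupPolicy
# modules (RSAT). GPO name and test-OU DN are assumed; substitute your own.
param(
    [string]$TestOU  = "OU=test,DC=abgroup,DC=abllp,DC=com",   # plain DN, no braces
    [string]$GpoName = "Default Domain Policy"
)
Import-Module ActiveDirectory, GroupPolicy

# 1. The AD/sysvol version numbers GPMC shows: if they differ, the GPO did not
#    replicate to the sysvol share and clients will not apply it.
$gpo = Get-GPO -Name $GpoName
[pscustomobject]@{
    GPO            = $gpo.DisplayName
    UserAD         = $gpo.User.DSVersion
    UserSysvol     = $gpo.User.SysvolVersion
    ComputerAD     = $gpo.Computer.DSVersion
    ComputerSysvol = $gpo.Computer.SysvolVersion
    InSync         = ($gpo.User.DSVersion -eq $gpo.User.SysvolVersion) -and
                     ($gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion)
} | Format-List

# 2. Does the scope return anyone, and did the flag actually flip?
#    "Must change password at next logon" is stored as pwdLastSet = 0, which the
#    AD module surfaces as an empty PasswordLastSet.
$users = @(Get-ADUser -SearchBase $TestOU -Filter * `
              -Properties PasswordLastSet, PasswordNeverExpires, CannotChangePassword)
if ($users.Count -eq 0) {
    Write-Warning "No users under $TestOU: dsmod would have had nothing to modify."
    return
}
$users | Select-Object SamAccountName,
    @{ n = 'MustChangeAtLogon'; e = { -not $_.PasswordLastSet } },
    PasswordNeverExpires, CannotChangePassword |
    Format-Table -AutoSize
```

If the second table shows every account with PasswordNeverExpires or CannotChangePassword set, that matches the dsmod failure reported above; clear those flags on the test accounts before rerunning the forced change.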