• Status: Solved

Modifying local user accounts to uncheck "user must change password at next logon"

I used net user to create about 1100 local user accounts on one of my servers (don't ask me why; it's a stupid legacy server that I took over and am working on phasing out). Anyway, when I created the accounts and set the passwords, all of the users came in with "user must change password at next login" checked.

I would like to know if there is some script that I can use to clear this flag. I would also like to set the flag for password never expires as well.

I have searched online and it looks like net user doesn't have this ability. Any help is appreciated.
Asked by: Joseph Daly

jakethecatuk Commented:
If you selected all users in Active Directory Users and Computers, right click and go into properties, you can set the two password settings you want to change
0
 
Joseph Daly (Author) Commented:
I know how to do it for active directory. This question is relating to local user accounts on a server.

0
 
jakethecatuk Commented:
This may help: - http://support.microsoft.com/kb/251394

/passwordchg:{yes | no}
Specifies whether users can change their own password. The default is yes.



All taken from: - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24281571.html

Hope it helps you.

0
 
Joseph Daly (Author) Commented:
Yeah, I already gave that a shot, and while it does toggle the "user can or can't change password" check mark, it does not allow you to modify the "user must change pwd at next login" check mark.

From what I have read online, net user doesn't have this capability, so the script will need to be something either in VBS, PowerShell, or some other scripting language.
0
 
Chris Dent (PowerShell Developer) Commented:

PowerShell can do this one moderately easily. It should go something like this.

PasswordExpired will either be 1 or 0, making it 0 will clear the flag you're looking for.

HTH

Chris
([ADSI]"WinNT://localhost").PsBase.Children | ?{ $_.Class -eq "user" } | %{
  If ($_.Get("PasswordExpired") -eq 1)
  {
    $_.Put("PasswordExpired", 0)
    $_.SetInfo()
  }
}


0
 
Joseph Daly (Author) Commented:
I'm still kinda new to PowerShell. Do you mind giving me a quick rundown of how this works? Just a little cautious about running something I don't fully understand on a server.

Thanks
0
 
Chris Dent (PowerShell Developer) Commented:

Sure, of course.

With comments :)

Chris
# Create a connection to the local system (localhost)
# Retrieve all child objects (users, groups, services) from the
# local system and filter to users only with Where-Object (?).
# Pipe into a ForEach-Object (%) loop.
([ADSI]"WinNT://localhost").PsBase.Children | ?{ $_.Class -eq "user" } | %{
  # Request the PasswordExpired attribute for the current user
  # If the current value is 1 the flag is set
  If ($_.Get("PasswordExpired") -eq 1)
  {
    # Unset the flag
    $_.Put("PasswordExpired", 0)
    # Apply the change
    $_.SetInfo()
  }
}


0
 
Chris Dent (PowerShell Developer) Commented:

Oh and you can test it on one user with this.

You do more with VbScript don't you? I've added the VbScript version in comments.

Chris
# Set objUser = GetObject("WinNT://localhost/SomeUser")
$User = [ADSI]"WinNT://localhost/SomeUser"
# If objUser.Get("PasswordExpired") = 1 Then
If ($User.Get("PasswordExpired") -eq 1)
{
  # objUser.Put "PasswordExpired", 0
  $User.Put("PasswordExpired", 0)
  # objUser.SetInfo
  $User.SetInfo()
# End If
}


0
 
Joseph Daly (Author) Commented:
You already got the points for the answer, but let me see something here. Is there a way of also setting the password never expires flag using this script?

I originally thought it would be a simple matter of finding the attribute for pwdneverexpires, but it doesn't look like there is one.

Is this possible through PowerShell?

And on a separate note, do you have a link to a webpage showing all the ADSI attributes?

Thanks

0
 
Chris Dent (PowerShell Developer) Commented:

Yes, certainly.

And for all the attributes...

http://msdn.microsoft.com/en-us/library/aa746340%28VS.85%29.aspx

Many of those won't be set or accessible with WinNT, a lot are only present if you use this against an AD domain.

UserFlags is the WinNT equivalent of AD's UserAccountControl. This "should" work... rather untested.

Chris
# Set objUser = GetObject("WinNT://localhost/SomeUser")
$User = [ADSI]"WinNT://localhost/SomeUser"
# If objUser.Get("PasswordExpired") = 1 Then
If ($User.Get("PasswordExpired") -eq 1)
{
  # objUser.Put "PasswordExpired", 0
  $User.Put("PasswordExpired", 0)

  # Set Password Never Expires 0x10000 in Hex or 65536
  # objUser.Put "userFlags", (objUser.Get("userFlags") Or 65536)
  $User.Put("userFlags", $($User.Get("userFlags") -BOr 65536))

  # objUser.SetInfo
  $User.SetInfo()
# End If
}


0
 
Joseph Daly (Author) Commented:
I just tried running that on a test user but it still didn't set the password never expires flag. Oh well, that's not too big of a deal anyway. I really appreciate the help and will definitely be checking out that link.

Thanks
0
 
Joseph Daly (Author) Commented:
Worked like a charm. Thanks
0
 
Chris Dent (PowerShell Developer) Commented:

Sorry, bad planning on my part. This is a simpler version, it doesn't seem to like localhost so much, I'm using "." to bind to the local system instead.

It needs SetInfo after it removes the "must change password" flag, that and "password never expires" are mutually exclusive.

Chris
$User = [ADSI]"WinNT://./temp"
$User.Put("PasswordExpired", 0)
$User.SetInfo()
$User.Put("userFlags", $($User.Get("userFlags") -BOr 65536))
$User.SetInfo()


0
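Added example, not part of the original thread: the two-step fix from the last answer applied to a named list of accounts rather than to every local user, so built-in and service accounts are left alone, with a `-WhatIf` dry run and a read-back of the stored flags. The function name `Set-LocalPasswordFlags` and the input file `created-users.txt` are hypothetical; it assumes PowerShell 3.0 or later and an elevated session.

```powershell
# Added example: Set-LocalPasswordFlags and created-users.txt are hypothetical names.
function Set-LocalPasswordFlags {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$Name
    )
    begin {
        $DontExpire = 0x10000   # "password never expires" bit in userFlags (65536)
    }
    process {
        foreach ($n in $Name) {
            try {
                # "." binds to the local machine; ",user" restricts the lookup to user objects
                $path = "WinNT://./$n,user"
                $user = [ADSI]$path
                $mustChange = $user.Get("PasswordExpired") -eq 1

                if ($PSCmdlet.ShouldProcess($n, "clear must-change, set never-expires")) {
                    if ($mustChange) {
                        # Commit this first: the two settings are mutually exclusive
                        $user.Put("PasswordExpired", 0)
                        $user.SetInfo()
                    }
                    # -bor keeps every other userFlags bit as it was
                    $user.Put("userFlags", ($user.Get("userFlags") -bor $DontExpire))
                    $user.SetInfo()
                }

                # Re-bind and read back what is actually stored now
                $check = [ADSI]$path
                [pscustomobject]@{
                    Name         = $n
                    MustChange   = ($check.Get("PasswordExpired") -eq 1)
                    NeverExpires = [bool]($check.Get("userFlags") -band $DontExpire)
                }
            }
            catch {
                Write-Warning "${n}: $($_.Exception.Message)"
            }
        }
    }
}

# Dry run first, then apply and list anything that did not take:
# Get-Content .\created-users.txt | Set-LocalPasswordFlags -WhatIf
# Get-Content .\created-users.txt | Set-LocalPasswordFlags |
#     Where-Object { $_.MustChange -or -not $_.NeverExpires }
```

Keeping the output of the final run gives a record of which accounts now carry a non-expiring password, which is the list to revisit when the server is retired.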
Question has a verified solution.
