Modifying local user accounts to uncheck "user must change password at next logon"

I used net user to create about 1100 local user accounts on one of my servers. (Don't ask me why; it's a stupid legacy server that I took over and am working on phasing out.) But anyway, when I created the accounts and set the passwords, all of the users came in with "user must change password at next login" checked.

I would like to know if there is some script that I can use to clear this flag. I would also like to set the flag for password never expires as well.

I have searched online and it looks like net user doesn't have this ability. Any help is appreciated.
Joseph Daly Asked:

jakethecatuk Commented:
If you selected all users in Active Directory Users and Computers, right click and go into properties, you can set the two password settings you want to change
0
Joseph Daly (Author) Commented:
I know how to do it for Active Directory. This question relates to local user accounts on a server.

0
jakethecatuk Commented:
This may help: - http://support.microsoft.com/kb/251394

/passwordchg:{yes | no}
Specifies whether users can change their own password. The default is yes.



All taken from: - http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_24281571.html

Hope it helps you.

0

Joseph Daly (Author) Commented:
Yeah, I already gave that a shot, and while it does toggle the "user can or can't change password" check mark, it does not allow you to modify the "user must change pwd at next login" check mark.

From what I have read online, net user doesn't have this capability, so the script will need to be something in VBS, PowerShell, or some other scripting language.
0
Chris Dent (PowerShell Developer) Commented:

PowerShell can do this one moderately easily. It should go something like this.

PasswordExpired will either be 1 or 0, making it 0 will clear the flag you're looking for.

HTH

Chris
([ADSI]"WinNT://localhost").PsBase.Children | ?{ $_.Class -eq "user" } | %{
  If ($_.Get("PasswordExpired") -eq 1)
  {
    $_.Put("PasswordExpired", 0)
    $_.SetInfo()
  }
}


0
Joseph Daly (Author) Commented:
I'm still kinda new to PowerShell. Do you mind giving me a quick rundown of how this works? Just a little cautious running something I don't fully understand on a server.

Thanks
0
Chris Dent (PowerShell Developer) Commented:

Sure, of course.

With comments :)

Chris
# Create a connection to the local system (localhost)
# Retrieve all child objects (users, groups, services) from the
# local system and filter to users only with Where-Object (?).
# Pipe into a ForEach-Object (%) loop.
([ADSI]"WinNT://localhost").PsBase.Children | ?{ $_.Class -eq "user" } | %{
  # Request the PasswordExpired attribute for the current user
  # If the current value is 1 the flag is set
  If ($_.Get("PasswordExpired") -eq 1)
  {
    # Unset the flag
    $_.Put("PasswordExpired", 0)
    # Apply the change
    $_.SetInfo()
  }
}


0

Chris Dent (PowerShell Developer) Commented:

Oh and you can test it on one user with this.

You do more with VbScript don't you? I've added the VbScript version in comments.

Chris
# Set objUser = GetObject("WinNT://localhost/SomeUser")
$User = [ADSI]"WinNT://localhost/SomeUser"
# If objUser.Get("PasswordExpired") = 1 Then
If ($User.Get("PasswordExpired") -eq 1)
{
  # objUser.Put "PasswordExpired", 0
  $User.Put("PasswordExpired", 0)
  # objUser.SetInfo
  $User.SetInfo()
# End If
}


0
Joseph Daly (Author) Commented:
You already got the points for the answer, but let me see something here. Is there a way of also setting the password never expires flag using this script?

I originally thought it would be a simple matter of finding the attribute for pwdneverexpires, but it doesn't look like there is one.

Is this possible through PowerShell?

And on a separate note, do you have a link to a webpage showing all the ADSI attributes?

Thanks

0
Chris Dent (PowerShell Developer) Commented:

Yes, certainly.

And for all the attributes...

http://msdn.microsoft.com/en-us/library/aa746340%28VS.85%29.aspx

Many of those won't be set or accessible with WinNT, a lot are only present if you use this against an AD domain.

UserFlags is the WinNT equivalent of AD's UserAccountControl. This "should" work... rather untested.

Chris
# Set objUser = GetObject("WinNT://localhost/SomeUser")
$User = [ADSI]"WinNT://localhost/SomeUser"
# If objUser.Get("PasswordExpired") = 1 Then
If ($User.Get("PasswordExpired") -eq 1)
{
  # objUser.Put "PasswordExpired", 0
  $User.Put("PasswordExpired", 0)

  # Set Password Never Expires 0x10000 in Hex or 65536
  # objUser.Put "userFlags", (objUser.Get("userFlags") Or 65536)
  $User.Put("userFlags", $($User.Get("userFlags") -BOr 65536))

  # objUser.SetInfo
  $User.SetInfo()
# End If
}


0
Joseph Daly (Author) Commented:
I just tried running that on a test user but it still didn't set the password never expires flag. Oh well, that's not too big of a deal anyway. I really appreciate the help and will definitely be checking out that link.

Thanks
0
Joseph Daly (Author) Commented:
Worked like a charm. Thanks
0
Chris Dent (PowerShell Developer) Commented:

Sorry, bad planning on my part. This is a simpler version, it doesn't seem to like localhost so much, I'm using "." to bind to the local system instead.

It needs SetInfo after it removes the "must change password" flag, that and "password never expires" are mutually exclusive.

Chris
$User = [ADSI]"WinNT://./temp"
$User.Put("PasswordExpired", 0)
$User.SetInfo()
$User.Put("userFlags", $($User.Get("userFlags") -BOr 65536))
$User.SetInfo()


0
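
A bulk form of the two-step answer above, as an added example that is not part of the thread: it limits the change to accounts named in a file rather than every local user, and reads each account's flags back afterwards so the result can be reviewed. The file name `accounts.txt`, the `-Apply` switch, the helper `Get-PasswordState` and the report columns are assumptions for illustration.

```powershell
# Added example, not from the thread. Assumed: accounts.txt (one local user
# name per line) and the -Apply switch; without -Apply nothing is changed.
param(
    [string]$AccountList = '.\accounts.txt',
    [switch]$Apply
)

$DontExpire = 0x10000   # 65536, the userFlags bit for "password never expires"

function Get-PasswordState([string]$Name) {
    # Bind to the local account, as in the answer above ("." = this machine)
    $u = [ADSI]"WinNT://./$Name,user"
    New-Object PSObject -Property @{
        Entry       = $u
        MustChange  = ([int]$u.Get('PasswordExpired') -eq 1)
        NeverExpire = (([int]$u.Get('userFlags') -band $DontExpire) -ne 0)
    }
}

Get-Content $AccountList | ForEach-Object { $_.Trim() } | Where-Object { $_ } | ForEach-Object {
    $name = $_
    try {
        $before = Get-PasswordState $name
        if ($Apply) {
            $u = $before.Entry
            if ($before.MustChange) {
                $u.Put('PasswordExpired', 0)
                $u.SetInfo()    # commit first: the two settings are mutually exclusive
            }
            if (-not $before.NeverExpire) {
                $u.Put('userFlags', ([int]$u.Get('userFlags') -bor $DontExpire))
                $u.SetInfo()
            }
        }
        $after = Get-PasswordState $name   # fresh bind, reads the stored values back
        New-Object PSObject -Property @{
            Account = $name; Applied = [bool]$Apply
            MustChangeBefore = $before.MustChange;  MustChangeAfter = $after.MustChange
            NeverExpireBefore = $before.NeverExpire; NeverExpireAfter = $after.NeverExpire
        }
    } catch {
        # Unknown name, or a session that is not elevated
        Write-Warning "${name}: $($_.Exception.Message)"
    }
} | Format-Table Account, Applied, MustChangeBefore, MustChangeAfter, NeverExpireBefore, NeverExpireAfter -AutoSize
```

Run it once without `-Apply` to see the current state of each listed account, then again with `-Apply` from an elevated prompt.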