Solved

Force users to change their password at the OU level

Posted on 2010-09-02
1,014 Views
Last Modified: 2012-05-10
Experts,

I am in desperate need of a script to force a group of users in a specific OU to change their password. Also, is there a way to do this in real time instead of at next logon? I would love to be able to have the users save their work and go through a password change at a specific time of day.

As a note, I do not have any experience with VB.

Thank you in advance

DW
Question by:dwesolowicz
9 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33588751
When you say real time, do you mean you want some sort of popup that forces them to do it right then? Why would you want to disrupt your users like that? You could also log them off, I guess, and then have their password set to change at next logon.
What I'd do is set all their accounts to "User must change password at next logon"; you can do that using VBScript, adfind/admod, etc. You can also just highlight all the users in that OU, right-click, select Properties and set that option.
 
LVL 2

Assisted Solution

by:dehcbad25
dehcbad25 earned 250 total points
ID: 33588786
Do you want it as a script to run often, or is this a one-time deal?
If it is a one-time deal, you could select all users, open Properties, then place a check in "User must change password at next logon".
Then you could send an email asking them to restart the PC and change passwords.
As for the script, this seems more of something for PowerShell than VBScript.
Otherwise you could make a GP that forces a shorter password change interval and apply it to the OU, but I don't know of a way to request the password without logging in.
However, once a password has expired, new connections will require the password to be updated (this covers, for example, Exchange connections (Outlook), shared folders, web applications, etc.).
Not sure how often you need to do this, or what the purpose would be, but I am guessing it is a one-time deal, so it seems easier to request the password change from Users and Computers, or set the field user.pwdLastSet to 0 using a PowerShell command:

http://www.eggheadcafe.com/software/aspnet/34013670/re-forcing-password-change.aspx

Author Comment

by:dwesolowicz
ID: 33589454
Sorry for the delay and thanks for the reply.

To answer your questions, this is a one-time deal. From both responses, I can see that in AD Users and Computers you are able to select a group of users and force a password change at next logon. This will work fine for what I am trying to do.

Are you aware of a logon/logoff script that could be used to achieve the same thing? I have no experience with VB.

Thanks again!
LVL 2

Expert Comment

by:dehcbad25
ID: 33589507
It would be possible using VBScript, since you would only need to change the pwdLastSet field.
Here is a link:
http://gallery.technet.microsoft.com/ScriptCenter/en-us/7e44bd45-f49f-4e47-ae00-b18f544e478f
For Windows Vista and up, you will have to use a PowerShell script
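An added example, not posted in this thread and not the gallery script linked above: the pwdLastSet-to-0 approach that the two comments above describe, done with the ActiveDirectory PowerShell module rather than VBScript. It assumes the RSAT ActiveDirectory module on the admin machine, a domain controller that answers Active Directory Web Services (Windows Server 2008 R2, or the AD Management Gateway Service on older DCs), and a placeholder OU DN (OU=MyUsers,DC=testenv,DC=local); the account running it needs write access to the users in that OU. It only touches enabled accounts, skips accounts flagged "password never expires" (Set-ADUser rejects -ChangePasswordAtLogon for those), and then reads the flag back from one named DC so you can tell a replication delay from a failed change.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from this thread: flag every enabled user in one OU as
# "User must change password at next logon" (on the wire: pwdLastSet = 0),
# then verify against one named DC. Assumes the RSAT ActiveDirectory module
# and a DC that answers ADWS. The OU DN below is a placeholder.
param(
    [string]$OU = 'OU=MyUsers,DC=testenv,DC=local',   # assumption: placeholder OU
    [switch]$WhatIf                                    # dry run: list, change nothing
)
Import-Module ActiveDirectory

# Only enabled accounts: unlike "dsmod user ... -disabled no", this never
# re-enables an account that somebody deliberately disabled.
$users = Get-ADUser -SearchBase $OU -SearchScope Subtree -Filter 'Enabled -eq $true' `
                    -Properties PasswordNeverExpires

$done = @(); $skipped = @()
foreach ($u in $users) {
    # Set-ADUser refuses -ChangePasswordAtLogon $true for an account with
    # PasswordNeverExpires set, so report those instead of failing half-way
    # through the OU.
    if ($u.PasswordNeverExpires) { $skipped += $u.SamAccountName; continue }

    # Same effect as ticking the box in AD Users and Computers.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    $done += $u.SamAccountName
}

# Verify on one specific DC. pwdLastSet = 0 there means the flag is set on
# that DC; a workstation still talking to a different DC will not see it until
# replication has run, which is what "logged off and on, no prompt" looks like.
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Get-ADUser -Server $dc -SearchBase $OU -SearchScope Subtree -Filter 'Enabled -eq $true' `
           -Properties pwdLastSet |
    Select-Object SamAccountName,
                  @{ n = 'MustChangePwd'; e = { $_.pwdLastSet -eq 0 } } |
    Format-Table -AutoSize

"Flagged: $($done.Count)   Skipped (PasswordNeverExpires): $($skipped.Count)"
if ($skipped) { Write-Warning ("Not flagged: " + ($skipped -join ', ')) }
```

Run it once with -WhatIf to see the list of accounts it would change, then without. If the verification table shows MustChangePwd as True on the DC but a user still is not prompted, the workstation is authenticating against another DC or with cached credentials, not a problem with the flag.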

Author Comment

by:dwesolowicz
ID: 33589640
I just tried to select two users in an OU and selected "User must change password at next logon". I did this while logged in as one of the two users. I then logged off, and logged back on and was not prompted for the password change. I tried a reboot and then was prompted to change the password.

Does the PC have to be rebooted in order to be prompted to change the password?
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33589858
Try this one

Run it on a server or workstation with Administrative Tools installed, from the command line:

dsquery user "ou=<OUname>,dc=<domain>,dc=<tld>" -name * -limit 0 >c:\usersOU.txt

e.g. for OU=MyUsers in the testenv.local environment:

dsquery user "ou=MyUsers,dc=testenv,dc=local" -name * -limit 0 >c:\usersOU.txt

Edit the text file and remove unnecessary entries.

Create a bat or cmd file and save it in the same location as the txt file:

@echo off
rem dsquery writes one quoted DN per line, e.g. "CN=John Smith,OU=MyUsers,DC=testenv,DC=local".
rem "delims=" hands the whole line to dsmod as %%i; with the default delimiters, for /f
rem would split on the space and dsmod would only receive "CN=John.
rem Note: -disabled no also re-enables any disabled account still in the list; drop it if that is not wanted.
for /f "delims=" %%i in (usersOU.txt) do dsmod user %%i -mustchpwd yes -canchpwd yes -disabled no

and run it on the date you plan to force the password change :) They will receive a message that they have to change their password at logon time :) And it of course affects only users from that particular OU. Additionally, if you don't want to remember when you need to run this batch, you can set up a scheduled task on the server to run it once on the proper date.
LVL 57

Expert Comment

by:Mike Kline
ID: 33589889
Did you make the change and then immediately log off and log back on? Were these users local or remote? (You may need to wait for replication, depending on the setup.)

That flag/setting is right.

Author Comment

by:dwesolowicz
ID: 33590031
Did the change and immediately logged off and then back on. Forced a GP update and that took care of the problem.
LVL 2

Expert Comment

by:dehcbad25
ID: 33591237
The machine needs to contact the network to get the new password age; that is why logging off and then back on would not prompt the password change. However, gpupdate does make the connection.
Alternatively, if you try to log on 4 or 5 times with the wrong/blank password (until it takes a while to check the password), it will get the setting for the logon. Until then the PC would log on with cached credentials.