W2003 Server: check iuser status

Hi EE,

On a W2003 server there is an ftp user whose credentials are intensively used in automated ftp scripts. That input is in turn used to populate sharepoints.
We had an issue with the ftp user being flagged "must change password at next logon". Reason unclear, this may have been some corporate measure, but as there is no warning you only learn after you are notified that certain processes got stuck.

Question:
Is there a way (through script) to have the status of users checked?

Thanks.
Asked by: Watnog

Krzysztof Pytko (Senior Active Directory Engineer) commented:
ok, I read the last sentence now. If it is local user, ds... commands don't work.

Now you should use on that particular server

net user TWSftp

and review entries:
- Account is active (should be yes)
- Account expires (should be never)
- Password last set
- Password expires

and any others you wish

Additionally you can force enable account by

net user TWSftp /ACTIVE:YES

Krzysztof Pytko (Senior Active Directory Engineer) commented:
What kind of check would you like to do? If IUSR has status "Must change password at next logon" ?

dsquery user -name IUSR* | dsget user -samid -mustchpwd

Watnog (Author) commented:
Any status that would prevent automate logon.
 
Krzysztof Pytko (Senior Active Directory Engineer) commented:
ok, so this first one allows you to check if someone wants to force password change on logon

this one checks if account is disabled

dsquery user -name IUSR* | dsget user -samid -disabled


set unlock account (if it is not locked nothing happens)

net user <IUSR_account> /DOMAIN /ACTIVE:YES

I think that's all which can prevent auto account logon

Watnog (Author) commented:
Thanks.
It works if I use it as you write it, but if I change from IUSR* to that particular user TWSftp this is returned....

C:\TWS>dsquery user -name TWSftp   | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -name TWSftp   | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /BERD4AP12 /ACTIVE:YES
The option /BERD4AP12 is unknown.

The syntax of this command is:


NET USER
[username [password | *] [options]] [/DOMAIN]
         username {password | *} /ADD [options] [/DOMAIN]
         username [/DELETE] [/DOMAIN]

More help is available by typing NET HELPMSG 3506.


C:\TWS>PAUSE
Press any key to continue . . .


Thanks again for helping.

Krzysztof Pytko (Senior Active Directory Engineer) commented:
ok probably you use login not name, so correct syntax

dsquery user -samid TWSftp   | dsget user -samid -mustchpwd

dsquery user -samid TWSftp   | dsget user -samid -disabled

net user TWSftp /DOMAIN /ACTIVE:YES
-> in this case you shouldn't replace DOMAIN word by your domain name :) it's reserved word for each configuration (sorry I didn't mention)

Watnog (Author) commented:
This is my bat file:

@ECHO ON
dsquery user -samid TWSftp   | dsget user -samid -mustchpwd
dsquery user -samid TWSftp   | dsget user -samid -disabled
net user TWSftp /DOMAIN /ACTIVE:YES
PAUSE

And this is what comes out...
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -mustchpwd
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>dsquery user -samid TWSftp     | dsget user -samid -disabled
dsget failed:`Target object for this command' is missing.
type dsget /? for help.
C:\TWS>net user TWSftp /DOMAIN /ACTIVE:YES
The request will be processed at a domain controller for domain xx.xxxxxxxxxx.com
The user name could not be found.
More help is available by typing NET HELPMSG 2221.
C:\TWS>PAUSE
Press any key to continue . . .

I replaced the domain name by x's.

Sorry this doesn't work out, it might be that the corporate environment is in the way or so?
That TWSftp user is defined on that particular server only, so is not in AD.

Krzysztof Pytko (Senior Active Directory Engineer) commented:
ok, TWSftp user is probably local user, so it won't work, am I right?

Watnog (Author) commented:
Thanks, so simple you got misled. I'm a newbie on W2003 management.
Can the 'user must change password at next logon' flag also be undone by any chance?

Krzysztof Pytko (Senior Active Directory Engineer) commented:
Yes, it has to be unchecked, because it causes auto logon not to work. It waits until you press the OK button and change the password. So, it definitively should be unchecked.

Watnog (Author) commented:
Thanks again.
I finally settled with this vbs script that I make run every 6  hours, and does the job...

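' Flag value for "Password never expires"
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000
strComputer = "servername"
strUser = "username"
' Bind to the local account through the WinNT provider
Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",User")
' Read the current flags and add "Password never expires"
objUserFlags = objUser.Get("UserFlags")
objPasswordExpirationFlag = objUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
objUser.Put "userFlags", objPasswordExpirationFlag
' Re-enable the account if it was disabled, then write the changes back
objUser.AccountDisabled = False
objUser.SetInfo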
Question has a verified solution.
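
A read-only counterpart to the checks discussed in this thread, as an added example that is not part of any post: it uses the same WinNT provider as the posted script to report the states named above (disabled, locked out, must change password, account expired) without changing the account. `servername` and `username` are placeholders, as in the posted script.

```vbscript
' Added example: read-only status check for a LOCAL account (WinNT provider).
Option Explicit

Const ADS_UF_ACCOUNTDISABLE     = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim strComputer, strUser, objUser, lngFlags, strProblems, dtExpires
strComputer = "servername"   ' placeholder, as in the posted script
strUser     = "username"     ' placeholder, as in the posted script

Set objUser = GetObject("WinNT://" & strComputer & "/" & strUser & ",User")
lngFlags = objUser.Get("UserFlags")
strProblems = ""

If (lngFlags And ADS_UF_ACCOUNTDISABLE) <> 0 Then
    strProblems = strProblems & "account is disabled; "
End If
If objUser.IsAccountLocked Then
    strProblems = strProblems & "account is locked out; "
End If
' PasswordExpired is 1 when the password must be changed before logon.
If objUser.Get("PasswordExpired") <> 0 Then
    strProblems = strProblems & "password must be changed; "
End If

' Reading AccountExpirationDate raises an error when no expiry date is set.
On Error Resume Next
dtExpires = objUser.AccountExpirationDate
If Err.Number = 0 Then
    If dtExpires <= Now Then strProblems = strProblems & "account expired " & dtExpires & "; "
End If
Err.Clear
On Error GoTo 0

If strProblems <> "" Then
    WScript.Echo "PROBLEM " & strUser & ": " & strProblems
    WScript.Quit 1
End If

WScript.Echo "OK " & strUser & ": no blocking status found"
If (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) = 0 Then
    ' PasswordAge is reported in seconds
    WScript.Echo "Note: password can expire; current age in days: " & _
        Int(objUser.Get("PasswordAge") / 86400)
End If
WScript.Quit 0
```

Run it with `cscript //nologo` from a scheduled task; the exit code is 1 when a blocking status is found, so a wrapper batch file can test `errorlevel` and send a notification.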
