Solved

How to force user to change password on next logon without cuting them down from current sessions.

Posted on 2010-09-15
7
726 Views
Last Modified: 2012-05-10
Hi!

I've setup a GPO with maximum password age policy to 60 days.  Tied it to the domain.

Now, most of our accounts password is past that limit.  So the problem I have, is as soon as I remove the check on "Password never expires", it breaks their access to the domain ressources(Like can't save their work).

There must be a way I can ask them to change their password without breaking their current status?

Thanks for your help!

0
Comment
Question by:chiami
7 Comments
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 33684031
they can change their password by pressing ctrl+alt+del without logging off
0
 
LVL 5

Expert Comment

by:MisterTwelve
ID: 33684495

Valid values for the -acctexpires flag include a positive number of days in the future when the account should expire, to expire the account at the end of the day
dsmod user "<UserDN>" -acctexpires <NumDays>
Or try
' This code sets the account expiration date for a user.
' ------ SCRIPT CONFIGURATION ------
strExpireDate = "<Date>"   ' e.g. "07/10/2004"
strUserDN = "<UserDN>"     ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
objUser.AccountExpirationDate = strExpireDate
objUser.SetInfo
WScript.Echo "Set user " & strUserDN & " to expire on " & strExpireDate
 
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33684838
create a bat or cmd file on DC, let's say users_change.cmd and put there

@echo off

dsquery user -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no

and set up a task scheduler to run this batch file in your convenient time (let's say at 11 pm)
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33684860
ok, that's wrong idea :/ It also forces password change for system users and administrators. You have to specify OU where those users are.

i.e.

@echo off

dsquery user "ou=your_OU_with_Users1,dc=domain,dc=com" -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no

and each dsquery for each OU.
0
 
LVL 47

Expert Comment

by:dstewartjr
ID: 33685544
"I've setup a GPO with maximum password age policy to 60 days"
 
temporarily change this to a higher number greater than the oldest password.
 
You can find the number out with this tip
 
http://www.windowsitpro.com/article/tips/jsi-tip-3988-network-account-password-age-netpwage-freeware-.aspx
0
 
LVL 11

Expert Comment

by:sighar
ID: 33689905
What about "User must change password at next logon" option on the Account?
0
 

Accepted Solution

by:
chiami earned 0 total points
ID: 33736847
None of the comments fixed it, but some helped...

Thanks
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
ADMT Intra Forest migration questions 7 74
LAPS - Local Administrator Password Solution 4 38
lync 2013 7 33
ACTIVE DIRECTORY 12 33
There are two modes of restricted groups GPOs. Replacing mode:   Additive mode:   How do they work? Replacing mode: Everything (users, groups, computers) that is member of the local administrators group will be cleared out. After th…
As network administrators; we know how hard it is to track user’s login/logout using security event log (BTW it is harder now in windows 2008 because user name is always “N/A” in the grid), and most of us either get 3rd party tools, or just make our…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now