chiami
asked on
How to force users to change their password on next logon without cutting them off from current sessions.
Hi!
I've set up a GPO with the maximum password age policy set to 60 days. Tied it to the domain.
Now, most of our accounts' passwords are past that limit. So the problem I have is that as soon as I remove the check on "Password never expires", it breaks their access to the domain resources (like they can't save their work).
There must be a way I can ask them to change their password without breaking their current status?
Thanks for your help!
They can change their password by pressing Ctrl+Alt+Del without logging off.
Valid values for the -acctexpires flag include a positive number of days in the future when the account should expire, to expire the account at the end of the day
dsmod user "<UserDN>" -acctexpires <NumDays>
Or try
' This code sets the account expiration date for a user.
' ------ SCRIPT CONFIGURATION ------
strExpireDate = "<Date>" ' e.g. "07/10/2004"
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rall
' ------ END CONFIGURATION ---------
set objUser = GetObject("LDAP://" & strUserDN)
objUser.AccountExpirationDate = strExpireDate
objUser.SetInfo
WScript.Echo "Set user " & strUserDN & " to expire on " & strExpireDate
Create a bat or cmd file on the DC, let's say users_change.cmd, and put this in it:
@echo off
dsquery user -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no
and set up a scheduled task to run this batch file at a convenient time (let's say at 11 pm).
OK, that's the wrong idea :/ It also forces a password change for system users and administrators. You have to specify the OU where those users are.
i.e.
@echo off
dsquery user "ou=your_OU_with_Users1,dc=domain,dc=com" -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no
and each dsquery for each OU.
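The OU-scoped change from the post above, as an added PowerShell example that is not part of the original thread: it lists the accounts that would be affected and previews the change with -WhatIf before anything is written. It assumes the ActiveDirectory module is installed; the OU is the same placeholder as above, the function name Get-StalePasswordUser is hypothetical, and skipping accounts with adminCount = 1 is an added assumption for leaving privileged accounts alone.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Assumption: placeholder OU copied from the post above; replace with your own.
$SearchBase = 'ou=your_OU_with_Users1,dc=domain,dc=com'
$MaxAgeDays = 60   # maximum password age from the GPO in the question

# Hypothetical helper: enabled users in the OU that are flagged
# "Password never expires" and whose password is older than the policy allows.
function Get-StalePasswordUser {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [int]    $MaxAgeDays
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    $query = @{
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Filter      = 'Enabled -eq $true -and PasswordNeverExpires -eq $true'
        Properties  = 'PasswordLastSet', 'adminCount'
    }
    Get-ADUser @query | Where-Object {
        # Assumption: adminCount = 1 marks privileged accounts that should
        # be handled by hand rather than in a bulk change.
        $_.adminCount -ne 1 -and
        ($null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff)
    }
}

$targets = @(Get-StalePasswordUser -SearchBase $SearchBase -MaxAgeDays $MaxAgeDays)

# Review the list first: oldest passwords at the top.
$targets | Sort-Object PasswordLastSet |
    Format-Table SamAccountName, PasswordLastSet, DistinguishedName -AutoSize

# Preview only. Remove -WhatIf to apply the change.
# Unlike the batch file, this never re-enables disabled accounts.
foreach ($user in $targets) {
    # Clear "never expires" first: ChangePasswordAtLogon cannot be set
    # on an account that still has PasswordNeverExpires = $true.
    Set-ADUser -Identity $user -PasswordNeverExpires $false -WhatIf
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true -WhatIf
}

Write-Host ("{0} account(s) would be changed in {1}" -f $targets.Count, $SearchBase)
```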
"I've setup a GPO with maximum password age policy to 60 days"
Temporarily change this to a higher number greater than the oldest password.
You can find the number out with this tip:
http://www.windowsitpro.com/article/tips/jsi-tip-3988-network-account-password-age-netpwage-freeware-.aspx
What about "User must change password at next logon" option on the Account?