We help IT Professionals succeed at work.

How to force user to change password on next logon without cuting them down from current sessions.

chiami
chiami asked
on
820 Views
Last Modified: 2012-05-10
Hi!

I've setup a GPO with maximum password age policy to 60 days.  Tied it to the domain.

Now, most of our accounts password is past that limit.  So the problem I have, is as soon as I remove the check on "Password never expires", it breaks their access to the domain ressources(Like can't save their work).

There must be a way I can ask them to change their password without breaking their current status?

Thanks for your help!

Comment
Watch Question

Justin YeungSenior Systems Engineer
CERTIFIED EXPERT

Commented:
they can change their password by pressing ctrl+alt+del without logging off
CERTIFIED EXPERT

Commented:

Valid values for the -acctexpires flag include a positive number of days in the future when the account should expire, to expire the account at the end of the day
dsmod user "<UserDN>" -acctexpires <NumDays>
Or try
' This code sets the account expiration date for a user.
' ------ SCRIPT CONFIGURATION ------
strExpireDate = "<Date>"   ' e.g. "07/10/2004"
strUserDN = "<UserDN>"     ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
objUser.AccountExpirationDate = strExpireDate
objUser.SetInfo
WScript.Echo "Set user " & strUserDN & " to expire on " & strExpireDate
 
Krzysztof PytkoSenior Active Directory Engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
create a bat or cmd file on DC, let's say users_change.cmd and put there

@echo off

dsquery user -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no

and set up a task scheduler to run this batch file in your convenient time (let's say at 11 pm)
Krzysztof PytkoSenior Active Directory Engineer
CERTIFIED EXPERT
Top Expert 2012

Commented:
ok, that's wrong idea :/ It also forces password change for system users and administrators. You have to specify OU where those users are.

i.e.

@echo off

dsquery user "ou=your_OU_with_Users1,dc=domain,dc=com" -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no

and each dsquery for each OU.
DonNetwork Administrator
CERTIFIED EXPERT

Commented:
"I've setup a GPO with maximum password age policy to 60 days"
 
temporarily change this to a higher number greater than the oldest password.
 
You can find the number out with this tip
 
http://www.windowsitpro.com/article/tips/jsi-tip-3988-network-account-password-age-netpwage-freeware-.aspx 
Sigurdur HaraldssonSystem Administrator

Commented:
What about "User must change password at next logon" option on the Account?
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.