Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

How to force user to change password on next logon without cuting them down from current sessions.

Posted on 2010-09-15
7
Medium Priority
?
781 Views
Last Modified: 2012-05-10
Hi!

I've setup a GPO with maximum password age policy to 60 days.  Tied it to the domain.

Now, most of our accounts password is past that limit.  So the problem I have, is as soon as I remove the check on "Password never expires", it breaks their access to the domain ressources(Like can't save their work).

There must be a way I can ask them to change their password without breaking their current status?

Thanks for your help!

0
Comment
Question by:chiami
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 14

Expert Comment

by:Justin Yeung
ID: 33684031
they can change their password by pressing ctrl+alt+del without logging off
0
 
LVL 5

Expert Comment

by:MisterTwelve
ID: 33684495

Valid values for the -acctexpires flag include a positive number of days in the future when the account should expire, to expire the account at the end of the day
dsmod user "<UserDN>" -acctexpires <NumDays>
Or try
' This code sets the account expiration date for a user.
' ------ SCRIPT CONFIGURATION ------
strExpireDate = "<Date>"   ' e.g. "07/10/2004"
strUserDN = "<UserDN>"     ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

set objUser = GetObject("LDAP://" & strUserDN)
objUser.AccountExpirationDate = strExpireDate
objUser.SetInfo
WScript.Echo "Set user " & strUserDN & " to expire on " & strExpireDate
 
0
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33684838
create a bat or cmd file on DC, let's say users_change.cmd and put there

@echo off

dsquery user -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no

and set up a task scheduler to run this batch file in your convenient time (let's say at 11 pm)
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33684860
ok, that's wrong idea :/ It also forces password change for system users and administrators. You have to specify OU where those users are.

i.e.

@echo off

dsquery user "ou=your_OU_with_Users1,dc=domain,dc=com" -name * -limit 0| dsmod user -mustchpwd yes -canchpwd yes -pwdneverexpires no -disabled no

and each dsquery for each OU.
0
 
LVL 47

Expert Comment

by:Donald Stewart
ID: 33685544
"I've setup a GPO with maximum password age policy to 60 days"
 
temporarily change this to a higher number greater than the oldest password.
 
You can find the number out with this tip
 
http://www.windowsitpro.com/article/tips/jsi-tip-3988-network-account-password-age-netpwage-freeware-.aspx 
0
 
LVL 11

Expert Comment

by:sighar
ID: 33689905
What about "User must change password at next logon" option on the Account?
0
 

Accepted Solution

by:
chiami earned 0 total points
ID: 33736847
None of the comments fixed it, but some helped...

Thanks
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question