J C
asked on
Need script to make changes to active directory accounts
I'm looking for a script that I can apply to a top-level OU and its many sub-OUs and users.
I need a script that will force all of our users to change their password the next time they log on.
I don't know if there is a way, but I want to make sure all users are not prompted again to reset their password until the allotted time configured in our policy is up. For example, I am unsure if AD remembers how many days they had before they needed to change their password when the "Password never expires" option was ticked for their account. I just want it to be a clean slate for everyone.
As an additional note, the Password Last Reset attribute in Active Directory, which is used to calculate the time that the password must be reset next, is reset to the date that you disable the "Password Never Expires" option on an account when you do that. So setting users to require a password reset and then disabling Password Never Expires will set the password reset date to when you disable the Never Expire option.
ASKER
What if I don't want to reset their password? I only want to force them to change it when they come in on that following Monday.
ASKER
@ next logon
Forcing change at next logon will write the date and time that they actually change their password to AD and the password will expire X days after that initial change.
ASKER
Cool, thank you for that information.
At this point I am trying to find out how I can modify the script so that it doesn't reset the password; I just need to write the change that all users must change their password at next logon. And in the script, how do I specify a specific OU and its sub-OUs?
You don't really even need to script it. If you select all the users in ADUC, right click, then click properties, you can set them all to change password at next logon at the same time.
ASKER
Is it as simple as removing this:
objUser.SetPassword "welcome99"
?
ASKER
A script is handy in our case because we have close to 100 OUs, and having to go to each OU, select all and make the change would be more time consuming than we'd like. If you know of a way to pull all of those users into a single list and apply the change that way, that would be awesome.
Jleecole: Does the script I posted not do what you are looking for?
If you have the quest powershell cmdlets, you can do it with this:
get-qaduser -searchroot <ou> -searchscope subtree | set-qaduser -usermustchangepassword:$true
ASKER
I don't, that would be nice if I did!
That's the same script I posted in response to his original question, minus the part that removes "Password never expires".
If you need the cmdlets they can be downloaded free from here
http://www.quest.com/powershell/activeroles-server.aspx
These can be added on any machine that has admin access to AD.
ASKER
So this command as you see it should apply the change to all users in the OU and all of its sub-OUs?
get-qaduser -searchroot <Staff_Directory> -searchscope subtree | set-qaduser -usermustchangepassword:$true
Assuming my top-level OU is Staff_Directory?
Yes, but your top-level OU wouldn't be listed like that. You would need the distinguished name. Something like
OU=Sales,DC=Fabrikam,DC=COM
If you don't know that, you can use ADExplorer to get the correct DN.
http://technet.microsoft.com/en-us/sysinternals/bb963907
+1 vote for using QAD.
I would use ADSIEDIT.msc to get the distinguishedName of the OU you want to run it against.
ADSIEdit is usually my go-to as well, but ADExplorer has a slightly easier user interface for people unfamiliar with ADSIEdit.
ASKER
I do know how to grab the DN, no problem there. Does the OU need to be wrapped in <> ? My guess is no.
No but it may need to be in " "
ASKER
I'll give this a shot, thanks.
ASKER
Can you tell me what command would be used to also untick the password never expires option? I need to run that before I set the password must be changed at next logon.
ASKER
This is so much easier than the approach I was going to take. I tested it and it works as expected. Thank you very much!
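The same two-step change (clear "Password never expires" first, then set "must change password at next logon") for an OU and all of its sub-OUs, written here as an added example using the Microsoft ActiveDirectory module (RSAT) rather than the Quest cmdlets discussed in the thread; this is not code from the thread. The OU distinguished name is a placeholder, and the script runs as a dry run until `$DryRun` is set to `$false`.

```powershell
# Added example: force a password change at next logon for every enabled
# user under one OU (subtree), without resetting anyone's password.
# Requires the ActiveDirectory module (RSAT) and rights to modify the accounts.
Import-Module ActiveDirectory

# Placeholder DN; replace with the OU from ADSIEdit/ADExplorer. Quote it, no <>.
$SearchBase = 'OU=Staff_Directory,DC=example,DC=com'
$DryRun     = $true   # -WhatIf only: shows what would change, changes nothing

# Enabled users only; disabled accounts are left alone.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -SearchBase $SearchBase -SearchScope Subtree `
                    -Properties PasswordNeverExpires, PasswordLastSet

Write-Host ("{0} enabled users found under {1}" -f @($users).Count, $SearchBase)

foreach ($u in $users) {
    # Step 1: clear "Password never expires". While that flag is set, the
    # must-change-at-next-logon flag is not enforced, so this goes first.
    if ($u.PasswordNeverExpires) {
        Set-ADUser -Identity $u -PasswordNeverExpires $false -WhatIf:$DryRun
    }
    # Step 2: require a change at next logon (sets pwdLastSet to 0).
    # The current password is NOT changed; the user picks a new one at logon.
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$DryRun
}

# Verification after a real run: anyone still showing a PasswordLastSet date
# (rather than blank) or PasswordNeverExpires = True was missed.
if (-not $DryRun) {
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -SearchScope Subtree -Properties PasswordNeverExpires, PasswordLastSet |
        Where-Object { $_.PasswordNeverExpires -or $_.PasswordLastSet } |
        Select-Object SamAccountName, PasswordNeverExpires, PasswordLastSet
}
```

Run it once with the dry run on and check that the listed accounts and count match the OU you intended before flipping `$DryRun` to `$false`.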
The first script gets a list of all users in AD.
The second changes the password to whatever you specify.
Change-Password.vbs
List-All-Users.vbs