Microsoft® Windows® 2000 Scripting Guide
For security, you might want users to change their passwords at next logon. You can accomplish this task by enabling the User must change password at next logon option. Selecting this option is important to ensure that users change their passwords to something that only they know.
The pwdLastSet attribute controls the value of the ADS_UF_PASSWORD_EXPIRED flag in the userAccountControl attribute. When set to 0, the pwdLastSet attribute enables the ADS_UF_PASSWORD_EXPIRED flag. When this flag is enabled, the current password is expired and the User must change password at next logon option is enabled.
Active Directory automatically enables this flag (expires the password) when a new user account is created but not when the SetPassword method is used to set a user's password. Therefore, if you run an ADSI script that uses the SetPassword method, you should also enable the User must change password at next logon option from the script.
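The reset-then-expire sequence recommended above, written out as an added example (it is not one of the guide's listings). The distinguished name is a constructed placeholder, and the script assumes it is run under cscript so the temporary password can be read from standard input rather than stored in the script or passed on the command line.

```vbscript
' Added example: set a temporary password, force a change at next logon,
' then read pwdLastSet back to confirm the directory accepted the change.
Option Explicit

Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim strUserDN, strTempPassword, objUser, intUAC, objLastSet

' Constructed placeholder; replace with the real distinguished name.
strUserDN = "cn=ExampleUser,ou=ExampleOU,dc=example,dc=com"

' StdIn is available only under cscript.exe, not wscript.exe.
WScript.StdOut.Write "Temporary password: "
strTempPassword = WScript.StdIn.ReadLine

Set objUser = GetObject("LDAP://" & strUserDN)

' With "Password never expires" set, Active Directory does not treat the
' password as expired, so setting pwdLastSet to 0 would not force a change.
intUAC = objUser.Get("userAccountControl")
If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    WScript.Echo "Warning: 'Password never expires' is set on this account;" & _
        " the user will not be prompted to change the password."
End If

' SetPassword is applied to the directory immediately (no SetInfo needed)
' and stamps pwdLastSet with the current time, so it must come first.
objUser.SetPassword strTempPassword

' Expire the new password: pwdLastSet = 0 turns on
' "User must change password at next logon".
objUser.Put "pwdLastSet", 0
objUser.SetInfo

' Refresh the local property cache and verify. Through the LDAP provider,
' pwdLastSet is returned as a large-integer object with HighPart/LowPart.
objUser.GetInfo
Set objLastSet = objUser.Get("pwdLastSet")
If objLastSet.HighPart = 0 And objLastSet.LowPart = 0 Then
    WScript.Echo "Password reset; change required at next logon."
Else
    WScript.Echo "pwdLastSet is not 0; the temporary password is not expired."
    WScript.Quit 2
End If
```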
Enabling and disabling the User must change password at next logon option are done in opposite fashion.
Listing 7.7 contains a script that enables the User must change password at next logon option. To carry out this task, the script performs the following steps:
Listing 7.7 Enabling the User must change password at next logon Option
To disable this option, simply change the 0 in line 3 of Listing 7.7 to -1, as shown in Listing 7.8.
Listing 7.8 Disabling the User must change password at next logon Option