Configuring a Password Change at Next Logon Requirement

Previous page
Table of content
Next page

Microsoft® Windows® 2000 Scripting Guide

microsoft windows 2000 scripting guide

« Previous | Next »   

For security, you might want users to change their passwords at next logon. You can accomplish this task by enabling the User must change password at next logon option. Selecting this option is important to ensure that users change their passwords to something that only they know.

The pwdLastSet attribute controls the value of the ADS_UF_PASSWORD_EXPIRED flag in the userAccountControl attribute. When set to 0, the pwdLastSet attribute enables the ADS_UF_PASSWORD_EXPIRED flag. When this flag is enabled, the current password is expired and the User must change password at next logon option is enabled.

Active Directory automatically enables this flag (expires the password) when a new user account is created but not when the SetPassword method is used to set a user s password. Therefore, if you run an ADSI script that uses the SetPassword method, you should also enable the User must change password at next logon option from the script.

Scripting Steps

Enabling and disabling the User must change password at next logon option are done in opposite fashion.

Enabling the User must change password at next logon option

Listing 7.7 contains a script that enables the User must change password at next logon option. To carry out this task, the script performs the following steps:

  1. Bind to the user account object by using the GetObject function and the LDAP provider.
  2. Set the pwdLastSet attribute to 0 to enable the User must change password at next logon option.
  3. Commit the change to the user account object in the local property cache to Active Directory.

Listing 7.7   Enabling the User must change password at next logon Option

1 2 3 4 
Set objUser = GetObject _     ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objUser.Put "pwdLastSet", 0 objUser.SetInfo

Disabling the User must change password at next logon option

To disable this option, simply change the 0 in line 3 of Listing 7.7 to 1, as shown in Listing 7.8.

Listing 7.8   Disabling the User must change password at next logon Option 

1 2 3 4 
Set objUser = GetObject _     ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com") objUser.Put "pwdLastSet", -1 objUser.SetInfo
send us your feedback Send us your feedback « Previous | Next »   

Previous page
Table of content
Next page
Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
Microsoft Windows 2000 Scripting Guide(c) Automating System Administration 2003
ISBN: N/A
EAN: N/A
Year: 2004
Pages: 635
BUY ON AMAZON
CISSP Exam Cram 2
FileMaker Pro 8: The Missing Manual
Cisco IOS Cookbook (Cookbooks (OReilly))
MySQL Cookbook
Programming .Net Windows Applications
Digital Character Animation 3 (No. 3)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy