| Tags: active directory, password, server, windows server 2003, windows server 2008 |
#1
force user to change password on next logon

We have a single domain Windows Server 2003 AD environment. I need to force users to change password on next logon in a single OU. I have a script that works with an OU at the top of the hierarchy but not with nested OU's. See the script below:

```vbscript
' PwdLastSet.vbs
' VBScript to force a user to change password at next logon
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=XXXX Rica,OU=XXXX, "
strContainer = strContainer & strDNSDomain

intCounter = 0
' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, resetting all user accounts
' (only direct children of the OU are enumerated, not nested OUs)
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.Put "PwdLastSet", intPwdValue
        objUser.SetInfo
        ' Count only the accounts that were actually changed
        intCounter = intCounter + 1
    End If
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
    & vbCr & "Accounts changed = " & intCounter
WScript.Quit
' End of Sample PwdLastSet VBScript
```

#2

Re: force user to change password on next logon

You can use a recursive subroutine to handle nested OU's. For example (not tested):

```vbscript
Option Explicit
Dim strOU, objOU, intCounter

' Specify the parent (top level) OU.
strOU = "ou=West,dc=MyDomain,dc=com"

' Bind to the parent OU (the DN is held in strOU).
Set objOU = GetObject("LDAP://" & strOU)

' Variable intCounter has global scope.
intCounter = 0
Call EnumOU(objOU)
Wscript.Echo "Accounts changed: " & CStr(intCounter)

Sub EnumOU(ByVal objParent)
    ' Recursive subroutine to process all users in an OU
    ' and all sub OU's.
    Dim objUser, objChild

    ' Enumerate all users in the OU.
    objParent.Filter = Array("user")
    For Each objUser In objParent
        ' Skip computer objects.
        If (objUser.Class = "user") Then
            objUser.Put "pwdLastSet", 0
            objUser.SetInfo
            intCounter = intCounter + 1
        End If
    Next

    ' Enumerate all child OU's.
    objParent.Filter = Array("organizationalUnit")
    For Each objChild In objParent
        Call EnumOU(objChild)
    Next
End Sub
```
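
An alternative to the recursion in the reply above, as an added example that is not part of the original thread: a single ADO subtree search returns the users in the parent OU and every nested OU in one pass. The OU path is a placeholder and `DRY_RUN` is a hypothetical switch added here so the matched accounts can be reviewed before anything is written.

```vbscript
' Added example (not from the thread). Run with: cscript //nologo <file>.vbs
Option Explicit

Const DRY_RUN = True   ' hypothetical switch: set to False to write pwdLastSet

Dim strOU, strFilter
Dim objConn, objCmd, objRS, objUser
Dim intMatched

' Placeholder DN: replace with the parent OU to process.
strOU = "ou=West,dc=MyDomain,dc=com"

' objectCategory=person plus objectClass=user excludes computer objects.
' The bitwise matching rule skips accounts flagged "Password never expires"
' (userAccountControl bit 65536); that flag overrides a forced change.
strFilter = "(&(objectCategory=person)(objectClass=user)" & _
            "(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))"

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"

Set objCmd = CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.Properties("Page Size") = 500   ' page results so large OUs are not truncated

' LDAP dialect: <base>;filter;attributes;scope. "subtree" covers nested OUs.
objCmd.CommandText = "<LDAP://" & strOU & ">;" & strFilter & ";ADsPath;subtree"
Set objRS = objCmd.Execute

intMatched = 0
Do Until objRS.EOF
    If DRY_RUN Then
        WScript.Echo "Would reset: " & objRS.Fields("ADsPath").Value
    Else
        ' ADsPath is returned already escaped, so it is safe to bind with.
        Set objUser = GetObject(objRS.Fields("ADsPath").Value)
        objUser.Put "pwdLastSet", 0
        objUser.SetInfo
    End If
    intMatched = intMatched + 1
    objRS.MoveNext
Loop

objRS.Close
objConn.Close
WScript.Echo "Accounts matched: " & CStr(intMatched)
```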

#3

recursive subroutine to handle

Thanks Richard, I got the logic of the recursive call and it is working after defining a few unspecified Dims.

#4

Re: force user to change password on next logon

Hi, three questions about this script.

1. From the Active Directory user account, will this script check the checkbox for a specific user to force the user to check the checkbox "User must change password on next login" in Windows 2008 Server R2?
2. How can I set up the script so I can force it to check the checkbox every 15 or 20 seconds? May not be needed if step 3 works.
3. If I am running a tclsh script from my Ubuntu PC, is there a way I can somehow add code so it will run this script from my server?

#5

Re: force user to change password on next logon

"Configuring a Password Change at Next Logon Requirement" http://technet.microsoft.com/hi-in/l...97(en-us).aspx

#6

Re: force user to change password on next logon

Thanks for the reply. I will try to edit it to use for one specific user.