
Thread: Is it possible to reset "pwdLastSet" attribute to certain date?

  1. #1
    Mugen Guest

    Is it possible to reset "pwdLastSet" attribute to certain date?

    Hi,

    I am trying to enforce a password policy for a domain (passwords expire
    every 90 days, minimum 6 characters, etc.). I am running Windows 2003
    AD. But here is the problem: most of the existing users' passwords are more
    than 90 days old, which means their accounts will expire right away as soon as
    I enable the password policy, because AD will look at the time stamp of the pwdLastSet
    attribute.

    My question is whether it is possible to reset the pwdLastSet attribute value to a
    certain date. I searched around and found there are two values to set (0 and
    -1). 0 will make users change their password at next logon, but I do not want to
    do that. I would hope I can reset it to today's date or a pre-defined date.

    Another question is what happens to service accounts that keep running in the
    background every minute (but never log in from the console). Do those
    accounts expire immediately while running in the background, or are they not affected
    until a user logs in at the console?


    Thanks.

    Mugen


  2. #2
    kj [SBS MVP] Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date?

    0 means expired, -1 says the password was just set and the countdown to
    policy (90 days) starts anew.

    You can keep doing the -1 until you get the initial user 'expiration stagger'
    you want, but I wouldn't suggest pushing these out very long at all. A few
    days to a few weeks (if you have a lot of users).



    --
    /kj



  3. #3
    Richard Mueller [MVP] Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date?



    A service account, like any other, is affected when it authenticates (unless
    the account has "password never expires" set). This will happen when the
    service starts.

    As noted, you cannot assign a value corresponding to a date to the
    pwdLastSet attribute. Perhaps you can start with a larger maxPwdAge value,
    so all users with passwords older than, say, 120 days expire, then gradually
    reduce the value until 90 days is enforced. Or create several text files
    with user DNs and assign 0 to the pwdLastSet attribute only for users in
    one of the files at a time. Perhaps one group per week. After all have been
    forced to change their password, set maxPwdAge to 90 days.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --



  4. #4
    kj [SBS MVP] Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date?


    Richard's method above is my preference for reducing password lifetimes or
    first-time password age restrictions of user passwords assured of being 999
    days or newer. Those older accounts still get immediately flagged if they
    haven't changed pwds in less than (pwdmax setting) days. (They should
    probably get flogged for it instead of flagged for it, but that's another
    thread.)

    The -1 method helps where a large number of new or migrated users all have the
    same pwdage, suffering from the trauma of just having had to change it now :) ...
    or when introducing password expiration for the first time to users that
    have been around a long time.

    Different methods for different circumstances and needs, I guess.




    --
    /kj



  5. #5
    Mugen Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date

    Hi Kj and Richard,

    Thanks for your reply!

    I just want to double check: if I run a script and set the "pwdLastSet" attribute
    to -1, will that reset all the users to today's date?
    I want to do that first, before I enforce the password policy on the whole
    domain for "password expires in 90 days". That way, I can just email everyone
    saying the policy has been applied and everyone needs to change their password
    every 90 days from now on. Otherwise, most of the users will get password
    expiry the first day I apply the password policy. Hope that makes sense...

    Do you know if there is a script I can download for resetting "pwdLastSet"
    to -1 for multiple users or the whole domain?

    Thanks, and I really appreciate your help!
    Mugen


  6. #6
    Richard Mueller [MVP] Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date



    If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
    The next time the user authenticates, a value corresponding to the current
    date and time is automatically assigned by the system. Still, if you
    assign -1 to everyone today, and they all log on tomorrow, then everyone's
    password will expire on the same day 90 days in the future. I've found this
    to be a problem when users are not used to changing passwords. You still might
    want to assign -1 to groups of users to spread out the load on your support.

    You can use ADO in a VBScript program to retrieve the DN of all users (or
    all users in an OU, or all users in a group), enumerate the users, bind to
    each user object, assign -1 to pwdLastSet, and save the changes. For
    example, for all users in the domain:
    ==========
    Option Explicit

    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on user objects.
    strFilter = "(&(objectCategory=person)(objectClass=user))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"

    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    ' Run the query.
    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
        ' Retrieve values.
        strDN = adoRecordset.Fields("distinguishedName").Value
        ' Bind to user object.
        Set objUser = GetObject("LDAP://" & strDN)
        ' Make password not expired.
        objUser.pwdLastSet = -1
        ' Save changes.
        objUser.SetInfo
        ' Move to the next record in the recordset.
        adoRecordset.MoveNext
    Loop

    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    ==========
    To modify the code for all users in an OU, change the base of the ADO query
    from this:

    strBase = "<LDAP://" & strDNSDomain & ">"

    To specify the DN of the OU, similar to:

    strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"

    To restrict the ADO query to members of a group, you can change the filter
    statement from this:

    strFilter = "(&(objectCategory=person)(objectClass=user))"

    to add a clause specifying the DN of the group. For example (one line):

    strFilter =
    "(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"

    I hope this helps.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --
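    An added example (not code from the thread or from Richard's scripts) that works through the arithmetic behind the advice in this reply and in Richard's earlier one: pwdLastSet as FILETIME ticks, maxPwdAge as a negative tick count, the 0 and -1 special values, and the "password never expires" flag, then splits the accounts that would expire the moment a 90-day policy is enabled into weekly batches. The constants PWD_RESET_PENDING (0x7FFFFFFFFFFFFFFF, the "huge number" the directory stores after -1 is written) and DONT_EXPIRE_PASSWD (0x10000) are assumed from documented Active Directory behaviour, and the sample accounts are constructed.

```python
# Added example: audit which accounts would expire the moment a maxPwdAge policy
# is switched on, using the raw LDAP integer encodings of pwdLastSet and maxPwdAge,
# and split the affected users into weekly batches (Richard's staggering advice).
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000

# Special pwdLastSet values discussed in the thread: 0 forces a change at next
# logon; writing -1 leaves the largest positive 64-bit value in the attribute
# until the next authentication stamps the real time (assumed documented value).
PWD_MUST_CHANGE = 0
PWD_RESET_PENDING = 0x7FFFFFFFFFFFFFFF

# userAccountControl flag for "password never expires" (assumed documented value).
DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    """Inverse of filetime_to_datetime (used here only to build sample data)."""
    delta = when - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def max_pwd_age_days(max_pwd_age: int) -> float:
    """maxPwdAge on the domain object is a NEGATIVE tick count (90 days -> -77760000000000)."""
    return -max_pwd_age / TICKS_PER_DAY


def days_to_max_pwd_age(days: int) -> int:
    """Encode a policy of `days` into the attribute's negative tick format."""
    return -days * TICKS_PER_DAY


def classify(user: dict, max_pwd_age: int, now: datetime) -> str:
    """State a domain controller would see for this user once the policy applies:
    never-expires, must-change, reset-pending, expired or valid."""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWD:
        return "never-expires"        # service accounts usually sit here
    ticks = user["pwdLastSet"]
    if ticks == PWD_MUST_CHANGE:
        return "must-change"
    if ticks == PWD_RESET_PENDING:
        return "reset-pending"        # -1 written; real timestamp arrives at next authentication
    expires_at = filetime_to_datetime(ticks) + timedelta(days=max_pwd_age_days(max_pwd_age))
    return "expired" if expires_at <= now else "valid"


def audit(users: list, max_pwd_age: int, now: datetime) -> dict:
    """Map sAMAccountName -> state for every user under the given policy."""
    return {u["sAMAccountName"]: classify(u, max_pwd_age, now) for u in users}


def weekly_batches(users: list, max_pwd_age: int, now: datetime, per_week: int) -> list:
    """Group the accounts that would expire immediately into batches so that only
    one batch is forced to change its password per week."""
    affected = sorted(u["sAMAccountName"] for u in users
                      if classify(u, max_pwd_age, now) == "expired")
    return [affected[i:i + per_week] for i in range(0, len(affected), per_week)]


# Constructed sample directory snapshot (not real accounts), frozen at a fixed "now".
NOW = datetime(2008, 6, 1, tzinfo=timezone.utc)


def _user(name, age_days=None, uac=0x200, raw=None):
    ticks = raw if raw is not None else datetime_to_filetime(NOW - timedelta(days=age_days))
    return {"sAMAccountName": name, "pwdLastSet": ticks, "userAccountControl": uac}


SAMPLE_USERS = [
    _user("alice", age_days=400),                      # old password: expires at once
    _user("bob", age_days=30),                         # recent password
    _user("carol", raw=PWD_MUST_CHANGE),               # 0 already written
    _user("dave", raw=PWD_RESET_PENDING),              # -1 written, not yet logged on
    _user("erin", age_days=100),                       # caught by 90 days, not by 120
    _user("svc_backup", age_days=700, uac=0x200 | DONT_EXPIRE_PASSWD),
]

if __name__ == "__main__":
    for days in (120, 90):
        print(f"maxPwdAge = {days} days:", audit(SAMPLE_USERS, days_to_max_pwd_age(days), NOW))
    print("weekly batches at 90 days:",
          weekly_batches(SAMPLE_USERS, days_to_max_pwd_age(90), NOW, per_week=1))
```

    Running it with 120 days first and then 90 shows why Richard suggests starting with a larger maxPwdAge: erin is untouched at 120 days and only joins the expired set when the limit drops to 90.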



  7. #7
    Mugen Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date

    Hi,

    Thanks for you help!

    I tried this VB script to test an individual account in the default "users" OU. It
    seems to have run successfully without any error. I got a Windows Script Host window
    with "PwdLastSet = -1 and Accounts changed = -1". However, when I checked the
    pwdLastSet attribute, nothing had been changed. It still shows the last
    password set was 1 year ago. Here is the VB script I tried; I put asterisks
    at the end of the lines where I made changes.

    Can you take a look at what went wrong?

    ' PwdLastSet.vbs
    ' Sample VBScript to force a user to change password at next logon
    ' Author Guy Thomas http://computerperformance.co.uk/
    ' Version 1.1 - May 2005
    ' --------------------------------------------------------------'
    Option Explicit
    Dim objOU, objUser, objRootDSE
    Dim strContainer, strDNSDomain
    Dim intCounter, intPwdValue

    ' Bind to Active Directory Domain
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' -------------------------------------------------------------'
    ' Important change OU= to reflect your domain
    ' -------------------------------------------------------------'
    strContainer = "cn=test account,cn=users,dc=domain,dc=com, "    ' ******
    strContainer = strContainer & strDNSDomain
    intCounter = -1    ' **********
    ' Here we force a reset password date
    intPwdValue = -1    ' ***********

    ' Loop through OU=, resetting all user accounts
    Set objOU = GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com")    ' *****
    For Each objUser In objOU
        If objUser.Class = "user" Then
            objUser.Put "PwdLastSet", intPwdValue
            objUser.SetInfo
        End If
        intCounter = intCounter + 1
    Next

    ' Optional section to record how many accounts have been set
    WScript.Echo "PwdLastSet = " & intPwdValue _
        & vbCr & "Accounts changed = " & intCounter
    WScript.Quit

    ' End of Sample PwdLastSet VBScript





  8. #8
    Mugen Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date

    Hi,

    Is anyone able to review the script I tried and say why it is not working?

    Thanks.


  9. #9
    kj [SBS MVP] Guest

    Re: Is it possible to reset "pwdLastSet" attribute to certain date

    Mugen wrote:
    > Hi,
    >
    > Is anyone able to review the script I tried and say why it is not working?


    I *think* that Richard's script is expecting to enumerate user accounts in an
    OU, but you gave it the DN of a single user.

    If true, create an OU and move your test user there, and adjust strContainer
    for the OU instead of the CN=.


    Otherwise I'm sure Richard or others will correct me (and you). :)

    >
    > Thanks.
    >
    > "Mugen" wrote:
    >
    >> Hi,
    >>
    >> Thanks for you help!
    >>
    >> I tried this VB script to test individual account in default "users"
    >> OU. It seems ran successful without any error. I got a Windows
    >> script host window with "PwdLastSet= -1 and Accounts changed = -1".
    >> However, when I checked the attribue of the PwdLastset nothing being
    >> changed. It still showing last password set was 1 year ago. Here is
    >> the VB script I tried and I put asterisk at end of the line where I
    >> made change.
    >>
    >> Can you take a look what went wrong?
    >>
    >> ' PwdLastSet .vbs
    >> ' Sample VBScript to force a user to change password at next logon
    >> ' Author Guy Thomas http://computerperformance.co.uk/
    >> ' Version 1.1 - May 2005
    >> ' --------------------------------------------------------------'
    >> Option Explicit
    >> Dim objOU, objUser, objRootDSE
    >> Dim strContainer, strDNSDomain
    >> Dim intCounter, intPwdValue
    >>
    >> ' Bind to Active Directory Domain
    >> Set objRootDSE = GetObject("LDAP://RootDSE")
    >> strDNSDomain = objRootDSE.Get("DefaultNamingContext")
    >>
    >> ' -------------------------------------------------------------'
    >> ' Important change OU= to reflect your domain
    >> ' -------------------------------------------------------------'
    >> strContainer = "cn=test account,cn=users,dc=domain,dc=com, " ******
    >> strContainer = strContainer & strDNSDomain
    >> intCounter = -1 **********
    >> ' Here we force a reset password date
    >> intPwdValue = -1 ***********
    >>
    >> ' Loop through OU=, resetting all user accounts
    >> set objOU = GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com") *****
    >> For each objUser in objOU
    >>     If objUser.class="user" then
    >>         objUser.Put "PwdLastSet", intPwdValue
    >>         objUser.SetInfo
    >>     End If
    >>     intCounter = intCounter +1
    >> Next
    >>
    >> ' Optional section to record how many accounts have been set
    >> WScript.Echo "PwdLastSet = " & intPwdValue _
    >> & vbCr & "Accounts changed = " & intCounter
    >> WScript.Quit
    >>
    >> ' End of Sample PwdLastSet VBScript
    >>
    >>
    >>
    >>
    >> "Richard Mueller [MVP]" wrote:
    >>
    >>>
    >>> "Mugen" <Mugen@discussions.microsoft.com> wrote in message
    >>> news:A37AA81D-9251-436C-BAC0-3B9034A6C768@microsoft.com...
    >>>> Hi Kj and Richard,
    >>>>
    >>>> Thanks for your reply!
    >>>>
    >>>> I just want to double check if I run a script and set "pwdLastSet"
    >>>> attribute
    >>>> to -1 which will reset all the users to today date?
    >>>> Because I want to do that first before I enforce password policy
    >>>> to whole Domain for "password expire in 90 days". That way, I just
    >>>> email out to everyone saying policy has been applied and everyone
    >>>> need to change password
    >>>> every 90 days from now on. Otherwise, most of the users will get
    >>>> password expired the first day I apply the password policy. Hope that
    >>>> makes sense...
    >>>>
    >>>> Do you know if there is a script I can download for resetting
    >>>> "pwdLastSet" to -1 for multiple users or the whole Domain?
    >>>>
    >>>> Thanks and I really appreciate your help!
    >>>> Mugen
    >>>
    >>> If you assign -1 to pwdLastSet, this assigns a huge number to the
    >>> attribute. The next time the user authenticates, a value
    >>> corresponding to the current date and time is automatically
    >>> assigned by the system. Still, if you
    >>> assign -1 to everyone today, and they all logon tomorrow, then
    >>> everyone's password will expire on the same day 90 days in the
    >>> future. I've found this to be a problem when users are not used to
    >>> changing passwords. You still might want to assign -1 to groups of
    >>> users to spread out the load on your support.
    >>>
    >>> You can use ADO in a VBScript program to retrieve the DN of all
    >>> users (or all users in an OU, or all users in a group), enumerate
    >>> the users, bind to each user object, assign -1 to pwdLastSet, and
    >>> save the changes. For example, for all users in the domain:
    >>> ==========
    >>> Option Explicit
    >>>
    >>> Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    >>> Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser
    >>>
    >>> ' Setup ADO objects.
    >>> Set adoCommand = CreateObject("ADODB.Command")
    >>> Set adoConnection = CreateObject("ADODB.Connection")
    >>> adoConnection.Provider = "ADsDSOObject"
    >>> adoConnection.Open "Active Directory Provider"
    >>> Set adoCommand.ActiveConnection = adoConnection
    >>>
    >>> ' Search entire Active Directory domain.
    >>> Set objRootDSE = GetObject("LDAP://RootDSE")
    >>> strDNSDomain = objRootDSE.Get("defaultNamingContext")
    >>> strBase = "<LDAP://" & strDNSDomain & ">"
    >>>
    >>> ' Filter on user objects.
    >>> strFilter = "(&(objectCategory=person)(objectClass=user))"
    >>>
    >>> ' Comma delimited list of attribute values to retrieve.
    >>> strAttributes = "distinguishedName"
    >>>
    >>> ' Construct the LDAP syntax query.
    >>> strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    >>> adoCommand.CommandText = strQuery
    >>> adoCommand.Properties("Page Size") = 100
    >>> adoCommand.Properties("Timeout") = 30
    >>> adoCommand.Properties("Cache Results") = False
    >>>
    >>> ' Run the query.
    >>> Set adoRecordset = adoCommand.Execute
    >>>
    >>> ' Enumerate the resulting recordset.
    >>> Do Until adoRecordset.EOF
    >>>     ' Retrieve values.
    >>>     strDN = adoRecordset.Fields("distinguishedName").Value
    >>>     ' Bind to user object.
    >>>     Set objUser = GetObject("LDAP://" & strDN)
    >>>     ' Make password not expired.
    >>>     objUser.pwdLastSet = -1
    >>>     ' Save changes.
    >>>     objUser.SetInfo
    >>>     ' Move to the next record in the recordset.
    >>>     adoRecordset.MoveNext
    >>> Loop
    >>>
    >>> ' Clean up.
    >>> adoRecordset.Close
    >>> adoConnection.Close
    >>> ==========
    >>> To modify the code for all users in an OU, change the base of the
    >>> ADO query from this:
    >>>
    >>> strBase = "<LDAP://" & strDNSDomain & ">"
    >>>
    >>> To specify the DN of the OU, similar to:
    >>>
    >>> strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"
    >>>
    >>> To restrict the ADO query to members of a group, you can change the
    >>> filter statement from this:
    >>>
    >>> strFilter = "(&(objectCategory=person)(objectClass=user))"
    >>>
    >>> to add a clause specifying the DN of the group. For example (one
    >>> line):
    >>>
    >>> strFilter =
    >>> "(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"
    >>>
    >>> I hope this helps.
    >>>
    >>> --
    >>> Richard Mueller
    >>> MVP Directory Services
    >>> Hilltop Lab - http://www.rlmueller.net
    >>> --
    >>>
    >>>
    >>> .


    --
    /kj
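The same job in PowerShell, as an added example that is not code from the thread or from either poster. It follows kj's point (the search root is a container, the domain or an OU, never one user's DN) and Richard's approach (an LDAP search, optionally narrowed with a memberOf clause, then writing pwdLastSet), and it adds the two checks a practitioner wants: it only touches a batch at a time, so the 90-day expiries are staggered as Richard and kj advise, and it reads pwdLastSet back after the write instead of trusting the return code, which is exactly what Mugen's script did not do. It uses ADSI/System.DirectoryServices rather than the ActiveDirectory module, so it runs against a 2003 domain. The DC only accepts 0 or -1 for pwdLastSet; the example writes 0 and then -1, a conservative sequence chosen here. Function and parameter names (Reset-PwdLastSet, ConvertFrom-LargeInteger, $SearchBase, $GroupDN, $BatchSize, $SkipIfNewerThanDays) and the OU in the usage lines are assumptions of this example.

```powershell
# Added example, not code from the thread. Resets pwdLastSet to the current
# time for a batch of users under a container and verifies the change.

function ConvertFrom-LargeInteger {
    param($LargeInteger)
    # DirectoryEntry hands pwdLastSet back as an IADsLargeInteger COM object;
    # recombine HighPart/LowPart into an Int64 FILETIME. LowPart is a signed
    # Int32, so mask it before adding (4294967295 = 0xFFFFFFFF; a hex literal
    # would be read as Int32 -1 by PowerShell).
    $type = $LargeInteger.GetType()
    $high = $type.InvokeMember('HighPart', 'GetProperty', $null, $LargeInteger, $null)
    $low  = $type.InvokeMember('LowPart',  'GetProperty', $null, $LargeInteger, $null)
    return ([int64]$high * 4294967296) + ([int64]$low -band 4294967295)
}

function Reset-PwdLastSet {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # DN of the domain or an OU: a container to enumerate, not a single user
        [string]$SearchBase = ([ADSI]'LDAP://RootDSE').defaultNamingContext,
        # Optional group DN; adds a memberOf clause like Richard's filter
        [string]$GroupDN,
        # Users changed per run, so expiry dates are spread across runs
        [int]$BatchSize = 50,
        # Leave alone anyone whose password was set within this many days
        [int]$SkipIfNewerThanDays = 30
    )

    # Same objectCategory/objectClass filter as the VBScript, plus "not disabled"
    $clauses = @('(objectCategory=person)', '(objectClass=user)',
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2))')
    if ($GroupDN) { $clauses += "(memberOf=$GroupDN)" }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$SearchBase"
    $searcher.Filter      = '(&' + ($clauses -join '') + ')'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 100
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')

    $cutoff  = [DateTime]::UtcNow.AddDays(-$SkipIfNewerThanDays)
    $changed = 0
    foreach ($hit in $searcher.FindAll()) {
        if ($changed -ge $BatchSize) { break }
        $dn  = $hit.Properties['distinguishedname'][0]
        $old = [int64]$hit.Properties['pwdlastset'][0]   # the searcher returns Int64
        if ($old -gt 0 -and [DateTime]::FromFileTimeUtc($old) -gt $cutoff) { continue }
        if (-not $PSCmdlet.ShouldProcess($dn, 'Set pwdLastSet to now')) { continue }

        $user = $hit.GetDirectoryEntry()
        # Only 0 ("must change at next logon") and -1 ("set to now") are accepted.
        # Writing 0 then -1 is the sequence used in this example.
        $user.psbase.Properties['pwdLastSet'].Value = 0
        $user.psbase.CommitChanges()
        $user.psbase.Properties['pwdLastSet'].Value = -1
        $user.psbase.CommitChanges()

        # Verify by reading the attribute back from the DC
        $user.psbase.RefreshCache(@('pwdLastSet'))
        $new = ConvertFrom-LargeInteger $user.psbase.Properties['pwdLastSet'].Value
        if ($new -le $old) {
            Write-Warning "$dn : pwdLastSet did not advance (still $old)"
            continue
        }
        $oldDate = 'expired (0)'
        if ($old -gt 0) { $oldDate = [DateTime]::FromFileTimeUtc($old) }
        New-Object PSObject -Property @{
            DistinguishedName = $dn
            OldPwdLastSet     = $oldDate
            NewPwdLastSet     = [DateTime]::FromFileTimeUtc($new)
        }
        $changed++
    }
}

# Usage (OU name assumed): dry run first, then a batch of 25 for real.
# Reset-PwdLastSet -SearchBase 'ou=Test,dc=domain,dc=com' -WhatIf
# Reset-PwdLastSet -SearchBase 'ou=Test,dc=domain,dc=com' -BatchSize 25
```

Run it with -WhatIf against a test OU first; the output lists each DN with the old and new pwdLastSet so you can see the timestamp actually moved. Re-running it on later days picks up the next batch while $SkipIfNewerThanDays keeps it from touching accounts that were already reset, which is how you get the staggered expiry kj describes instead of every password in the domain expiring on the same day.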


