Is it possible to reset "pwdLastSet" attribute to certain date?

Hi,

I am trying to enforce password policy for a Domain. (Enforce Password
expire very 90 days and minimum 6 characters etc) I am running Windows 2003
AD. But here is the problem, most of the existing users password are more
than 90 days old which mean their accounts will expire right away as soon as
I enable password policy becasue AD will look at the time stamp of pwdLastSet
attribute.

My question if it is possible to reset the pwdLastSet attribute value to
certain date. I searched around and found there are two value to set ( 0 and
-1). 0 will make users to change password at next logon but I do not want to
do that. I would hope I can reset to today date or pre-define date.

Another question is what happen to service account that keep running on
background every minute (But they never login from the console). Are those
account expire immediately while running from the background or not affect
until a user login at the console?


Thanks.

Mugen

0 means expired, -1 says the password was just set and the 'count down to
policy (90 days) starts a new.

You can keep doing the -1 until you get the inital user 'expiration stagger'
you want, but I wouldn't suggest pushing these out very long at all. A few
days to a few weeks ( if you have alot of users).


Mugen wrote:
> Hi,
>
> I am trying to enforce password policy for a Domain. (Enforce Password
> expire very 90 days and minimum 6 characters etc) I am running
> Windows 2003 AD. But here is the problem, most of the existing users
> password are more than 90 days old which mean their accounts will
> expire right away as soon as I enable password policy becasue AD will
> look at the time stamp of pwdLastSet attribute.
>
> My question if it is possible to reset the pwdLastSet attribute value
> to certain date. I searched around and found there are two value to
> set ( 0 and -1). 0 will make users to change password at next logon
> but I do not want to do that. I would hope I can reset to today date
> or pre-define date.
>
> Another question is what happen to service account that keep running
> on background every minute (But they never login from the console).
> Are those account expire immediately while running from the
> background or not affect until a user login at the console?
>
>
> Thanks.
>
> Mugen

--
/kj

"Mugen" <Mugen@discussions.microsoft.com> wrote in message
news:58A47758-E8C8-48D7-BC5A-69EB9D9CD218@microsoft.com...
> Hi,
>
> I am trying to enforce password policy for a Domain. (Enforce Password
> expire very 90 days and minimum 6 characters etc) I am running Windows
> 2003
> AD. But here is the problem, most of the existing users password are more
> than 90 days old which mean their accounts will expire right away as soon
> as
> I enable password policy becasue AD will look at the time stamp of
> pwdLastSet
> attribute.
>
> My question if it is possible to reset the pwdLastSet attribute value to
> certain date. I searched around and found there are two value to set ( 0
> and
> -1). 0 will make users to change password at next logon but I do not want
> to
> do that. I would hope I can reset to today date or pre-define date.
>
> Another question is what happen to service account that keep running on
> background every minute (But they never login from the console). Are those
> account expire immediately while running from the background or not affect
> until a user login at the console?
>
>
> Thanks.
>
> Mugen
>

A service account, like any other, is affected when it authenticates (unless
the account has password never expires set). This will happen when the
service starts.

As noted, you cannot assign a value corresponding to a date to the
pwdLastSet attribute. Perhaps you can start with a larger pwdMaxAge value,
so all users with passwords older than say 120 days expire, then gradually
reduce the value until 90 days is enforced. Or create several text files
with user DN's and assign 0 to the pwdLastSet attribute only for users in
one of the files at a time. Perhaps one group per week. After all have been
forced to change their password, set maxPwdAge to 90 days.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Richard Mueller [MVP] wrote:
> "Mugen" <Mugen@discussions.microsoft.com> wrote in message
> news:58A47758-E8C8-48D7-BC5A-69EB9D9CD218@microsoft.com...
>> Hi,
>>
>> I am trying to enforce password policy for a Domain. (Enforce
>> Password expire very 90 days and minimum 6 characters etc) I am
>> running Windows 2003
>> AD. But here is the problem, most of the existing users password are
>> more than 90 days old which mean their accounts will expire right
>> away as soon as
>> I enable password policy becasue AD will look at the time stamp of
>> pwdLastSet
>> attribute.
>>
>> My question if it is possible to reset the pwdLastSet attribute
>> value to certain date. I searched around and found there are two
>> value to set ( 0 and
>> -1). 0 will make users to change password at next logon but I do not
>> want to
>> do that. I would hope I can reset to today date or pre-define date.
>>
>> Another question is what happen to service account that keep running
>> on background every minute (But they never login from the console).
>> Are those account expire immediately while running from the
>> background or not affect until a user login at the console?
>>
>>
>> Thanks.
>>
>> Mugen
>>
>
> A service account, like any other, is affected when it authenticates
> (unless the account has password never expires set). This will happen
> when the service starts.
>
> As noted, you cannot assign a value corresponding to a date to the
> pwdLastSet attribute. Perhaps you can start with a larger pwdMaxAge
> value, so all users with passwords older than say 120 days expire,
> then gradually reduce the value until 90 days is enforced. Or create
> several text files with user DN's and assign 0 to the pwdLastSet
> attribute only for users in one of the files at a time. Perhaps one
> group per week. After all have been forced to change their password,
> set maxPwdAge to 90 days.

Richards method above is my preference for reducing password lifetimes or
first time pasword age restrictions of user passwords assured of being 999
days or newer. Those older accounts still get immediatly flagged if they
haven't changed pwds in less than (pwdmax setting) days. (they should
probably get flogged for it instead of flagged for it, but that's another
thread).

-1 method helps where a large number of new or migrated users all have the
same pwdage suffering from the trama of just having to change it now :) ...
or when introducing password expiration for the first time to users that
have been around a long time.

Different methods for different circumstances and needs i guess.



>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net

--
/kj

Hi Kj and Richard,

Thanks for your reply!

I just want to double check if I run a script and set "pwdLastSet" attribute
to -1 which will reset all the users to today date?
Because I want to do that first before I enforce password policy to whole
Domain for "password expire in 90 days". That way, I just email out to
everyone saying policy has been applied and everyone need to change password
every 90 days from now on. Otherewise, most of the users will get password
expire the first day I apply passwrod policy. Hope that make sense...

Do you know if there is a script I can download for resetting "pwdLastSet"
to -1 for multiple users or whole Domain?

Thanks and really appreicate your help!
Mugen

"kj [SBS MVP]" wrote:

> Richard Mueller [MVP] wrote:
> > "Mugen" <Mugen@discussions.microsoft.com> wrote in message
> > news:58A47758-E8C8-48D7-BC5A-69EB9D9CD218@microsoft.com...
> >> Hi,
> >>
> >> I am trying to enforce password policy for a Domain. (Enforce
> >> Password expire very 90 days and minimum 6 characters etc) I am
> >> running Windows 2003
> >> AD. But here is the problem, most of the existing users password are
> >> more than 90 days old which mean their accounts will expire right
> >> away as soon as
> >> I enable password policy becasue AD will look at the time stamp of
> >> pwdLastSet
> >> attribute.
> >>
> >> My question if it is possible to reset the pwdLastSet attribute
> >> value to certain date. I searched around and found there are two
> >> value to set ( 0 and
> >> -1). 0 will make users to change password at next logon but I do not
> >> want to
> >> do that. I would hope I can reset to today date or pre-define date.
> >>
> >> Another question is what happen to service account that keep running
> >> on background every minute (But they never login from the console).
> >> Are those account expire immediately while running from the
> >> background or not affect until a user login at the console?
> >>
> >>
> >> Thanks.
> >>
> >> Mugen
> >>
> >
> > A service account, like any other, is affected when it authenticates
> > (unless the account has password never expires set). This will happen
> > when the service starts.
> >
> > As noted, you cannot assign a value corresponding to a date to the
> > pwdLastSet attribute. Perhaps you can start with a larger pwdMaxAge
> > value, so all users with passwords older than say 120 days expire,
> > then gradually reduce the value until 90 days is enforced. Or create
> > several text files with user DN's and assign 0 to the pwdLastSet
> > attribute only for users in one of the files at a time. Perhaps one
> > group per week. After all have been forced to change their password,
> > set maxPwdAge to 90 days.
>
> Richards method above is my preference for reducing password lifetimes or
> first time pasword age restrictions of user passwords assured of being 999
> days or newer. Those older accounts still get immediatly flagged if they
> haven't changed pwds in less than (pwdmax setting) days. (they should
> probably get flogged for it instead of flagged for it, but that's another
> thread).
>
> -1 method helps where a large number of new or migrated users all have the
> same pwdage suffering from the trama of just having to change it now :) ...
> or when introducing password expiration for the first time to users that
> have been around a long time.
>
> Different methods for different circumstances and needs i guess.
>
>
>
> >
> > --
> > Richard Mueller
> > MVP Directory Services
> > Hilltop Lab - http://www.rlmueller.net
>
> --
> /kj
>
>
> .
>

"Mugen" <Mugen@discussions.microsoft.com> wrote in message
news:A37AA81D-9251-436C-BAC0-3B9034A6C768@microsoft.com...
> Hi Kj and Richard,
>
> Thanks for your reply!
>
> I just want to double check if I run a script and set "pwdLastSet"
> attribute
> to -1 which will reset all the users to today date?
> Because I want to do that first before I enforce password policy to whole
> Domain for "password expire in 90 days". That way, I just email out to
> everyone saying policy has been applied and everyone need to change
> password
> every 90 days from now on. Otherewise, most of the users will get password
> expire the first day I apply passwrod policy. Hope that make sense...
>
> Do you know if there is a script I can download for resetting "pwdLastSet"
> to -1 for multiple users or whole Domain?
>
> Thanks and really appreicate your help!
> Mugen

If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
The next time the user authenticates, a value corresponding to the current
date and time is automatically assigned by the system. Still, if you
assign -1 to everyone today, and they all logon tomorrow, then everyone's
password will expire on the same day 90 days in the future. I've found this
to be problem when users are not used to changing passwords. You still might
what to assign -1 to groups of users to spread out the load on your support.

You can use ADO in a VBScript program to retrieve the DN of all users (or
all users in an OU, or all users in a group), enumerate the users, bind to
each user object, assign -1 to pwdLastSet, and save the changes. For
example, for all users in the domain:
==========
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
' Bind to user object.
Set objUser = GetObject("LDAP://" & strDN)
' Make password not expired.
objUser.pwdLastSet = -1
' Save changes.
objUser.SetInfo
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
==========
To modify the code for all users in an OU, change the base of the ADO query
from this:

strBase = "<LDAP://" & strDNSDomain & ">"

To specify the DN of the OU, similar to:

strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"

To restrict the ADO query to members of a group, you can change the filter
statement from this:

strFilter = "(&(objectCategory=person)(objectClass=user))"

to add a clause specifying the DN of the group. For example (one line):

strFilter =
"(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"

I hope this helps.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

Hi,

Thanks for you help!

I tried this VB script to test individual account in default "users" OU. It
seems ran successful without any error. I got a Windows script host window
with "PwdLastSet= -1 and Accounts changed = -1". However, when I checked the
attribue of the PwdLastset nothing being changed. It still showing last
password set was 1 year ago. Here is the VB script I tried and I put asterisk
at end of the line where I made change.

Can you take a look what went wrong?

' PwdLastSet .vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "cn=test account,cn=users,dc=domain,dc=com, " ******
strContainer = strContainer & strDNSDomain
intCounter = -1 **********
' Here we force a reset password date
intPwdValue = -1 ***********

' Loop through OU=, resetting all user accounts
set objOU =GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com") *****
For each objUser in objOU
If objUser.class="user" then
objUser.Put "PwdLastSet", intPwdValue
objUser.SetInfo
End If
intCounter = intCounter +1
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
& vbCr & "Accounts changed = " & intCounter
WScript.Quit

' End of Sample PwdLastSet VBScript




"Richard Mueller [MVP]" wrote:

>
> "Mugen" <Mugen@discussions.microsoft.com> wrote in message
> news:A37AA81D-9251-436C-BAC0-3B9034A6C768@microsoft.com...
> > Hi Kj and Richard,
> >
> > Thanks for your reply!
> >
> > I just want to double check if I run a script and set "pwdLastSet"
> > attribute
> > to -1 which will reset all the users to today date?
> > Because I want to do that first before I enforce password policy to whole
> > Domain for "password expire in 90 days". That way, I just email out to
> > everyone saying policy has been applied and everyone need to change
> > password
> > every 90 days from now on. Otherewise, most of the users will get password
> > expire the first day I apply passwrod policy. Hope that make sense...
> >
> > Do you know if there is a script I can download for resetting "pwdLastSet"
> > to -1 for multiple users or whole Domain?
> >
> > Thanks and really appreicate your help!
> > Mugen
>
> If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
> The next time the user authenticates, a value corresponding to the current
> date and time is automatically assigned by the system. Still, if you
> assign -1 to everyone today, and they all logon tomorrow, then everyone's
> password will expire on the same day 90 days in the future. I've found this
> to be problem when users are not used to changing passwords. You still might
> what to assign -1 to groups of users to spread out the load on your support.
>
> You can use ADO in a VBScript program to retrieve the DN of all users (or
> all users in an OU, or all users in a group), enumerate the users, bind to
> each user object, assign -1 to pwdLastSet, and save the changes. For
> example, for all users in the domain:
> ==========
> Option Explicit
>
> Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
> Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser
>
> ' Setup ADO objects.
> Set adoCommand = CreateObject("ADODB.Command")
> Set adoConnection = CreateObject("ADODB.Connection")
> adoConnection.Provider = "ADsDSOObject"
> adoConnection.Open "Active Directory Provider"
> Set adoCommand.ActiveConnection = adoConnection
>
> ' Search entire Active Directory domain.
> Set objRootDSE = GetObject("LDAP://RootDSE")
> strDNSDomain = objRootDSE.Get("defaultNamingContext")
> strBase = "<LDAP://" & strDNSDomain & ">"
>
> ' Filter on user objects.
> strFilter = "(&(objectCategory=person)(objectClass=user))"
>
> ' Comma delimited list of attribute values to retrieve.
> strAttributes = "distinguishedName"
>
> ' Construct the LDAP syntax query.
> strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
> adoCommand.CommandText = strQuery
> adoCommand.Properties("Page Size") = 100
> adoCommand.Properties("Timeout") = 30
> adoCommand.Properties("Cache Results") = False
>
> ' Run the query.
> Set adoRecordset = adoCommand.Execute
>
> ' Enumerate the resulting recordset.
> Do Until adoRecordset.EOF
> ' Retrieve values.
> strDN = adoRecordset.Fields("distinguishedName").Value
> ' Bind to user object.
> Set objUser = GetObject("LDAP://" & strDN)
> ' Make password not expired.
> objUser.pwdLastSet = -1
> ' Save changes.
> objUser.SetInfo
> ' Move to the next record in the recordset.
> adoRecordset.MoveNext
> Loop
>
> ' Clean up.
> adoRecordset.Close
> adoConnection.Close
> ==========
> To modify the code for all users in an OU, change the base of the ADO query
> from this:
>
> strBase = "<LDAP://" & strDNSDomain & ">"
>
> To specify the DN of the OU, similar to:
>
> strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"
>
> To restrict the ADO query to members of a group, you can change the filter
> statement from this:
>
> strFilter = "(&(objectCategory=person)(objectClass=user))"
>
> to add a clause specifying the DN of the group. For example (one line):
>
> strFilter =
> "(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"
>
> I hope this helps.
>
> --
> Richard Mueller
> MVP Directory Services
> Hilltop Lab - http://www.rlmueller.net
> --
>
>
> .
>

Hi,

Anyone able to review the script I treid why not working?

Thanks.

"Mugen" wrote:

> Hi,
>
> Thanks for you help!
>
> I tried this VB script to test individual account in default "users" OU. It
> seems ran successful without any error. I got a Windows script host window
> with "PwdLastSet= -1 and Accounts changed = -1". However, when I checked the
> attribue of the PwdLastset nothing being changed. It still showing last
> password set was 1 year ago. Here is the VB script I tried and I put asterisk
> at end of the line where I made change.
>
> Can you take a look what went wrong?
>
> ' PwdLastSet .vbs
> ' Sample VBScript to force a user to change password at next logon
> ' Author Guy Thomas http://computerperformance.co.uk/
> ' Version 1.1 - May 2005
> ' --------------------------------------------------------------'
> Option Explicit
> Dim objOU, objUser, objRootDSE
> Dim strContainer, strDNSDomain
> Dim intCounter, intPwdValue
>
> ' Bind to Active Directory Domain
> Set objRootDSE = GetObject("LDAP://RootDSE")
> strDNSDomain = objRootDSE.Get("DefaultNamingContext")
>
> ' -------------------------------------------------------------'
> ' Important change OU= to reflect your domain
> ' -------------------------------------------------------------'
> strContainer = "cn=test account,cn=users,dc=domain,dc=com, " ******
> strContainer = strContainer & strDNSDomain
> intCounter = -1 **********
> ' Here we force a reset password date
> intPwdValue = -1 ***********
>
> ' Loop through OU=, resetting all user accounts
> set objOU =GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com") *****
> For each objUser in objOU
> If objUser.class="user" then
> objUser.Put "PwdLastSet", intPwdValue
> objUser.SetInfo
> End If
> intCounter = intCounter +1
> Next
>
> ' Optional section to record how many accounts have been set
> WScript.Echo "PwdLastSet = " & intPwdValue _
> & vbCr & "Accounts changed = " & intCounter
> WScript.Quit
>
> ' End of Sample PwdLastSet VBScript
>
>
>
>
> "Richard Mueller [MVP]" wrote:
>
> >
> > "Mugen" <Mugen@discussions.microsoft.com> wrote in message
> > news:A37AA81D-9251-436C-BAC0-3B9034A6C768@microsoft.com...
> > > Hi Kj and Richard,
> > >
> > > Thanks for your reply!
> > >
> > > I just want to double check if I run a script and set "pwdLastSet"
> > > attribute
> > > to -1 which will reset all the users to today date?
> > > Because I want to do that first before I enforce password policy to whole
> > > Domain for "password expire in 90 days". That way, I just email out to
> > > everyone saying policy has been applied and everyone need to change
> > > password
> > > every 90 days from now on. Otherewise, most of the users will get password
> > > expire the first day I apply passwrod policy. Hope that make sense...
> > >
> > > Do you know if there is a script I can download for resetting "pwdLastSet"
> > > to -1 for multiple users or whole Domain?
> > >
> > > Thanks and really appreicate your help!
> > > Mugen
> >
> > If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
> > The next time the user authenticates, a value corresponding to the current
> > date and time is automatically assigned by the system. Still, if you
> > assign -1 to everyone today, and they all logon tomorrow, then everyone's
> > password will expire on the same day 90 days in the future. I've found this
> > to be problem when users are not used to changing passwords. You still might
> > what to assign -1 to groups of users to spread out the load on your support.
> >
> > You can use ADO in a VBScript program to retrieve the DN of all users (or
> > all users in an OU, or all users in a group), enumerate the users, bind to
> > each user object, assign -1 to pwdLastSet, and save the changes. For
> > example, for all users in the domain:
> > ==========
> > Option Explicit
> >
> > Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
> > Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser
> >
> > ' Setup ADO objects.
> > Set adoCommand = CreateObject("ADODB.Command")
> > Set adoConnection = CreateObject("ADODB.Connection")
> > adoConnection.Provider = "ADsDSOObject"
> > adoConnection.Open "Active Directory Provider"
> > Set adoCommand.ActiveConnection = adoConnection
> >
> > ' Search entire Active Directory domain.
> > Set objRootDSE = GetObject("LDAP://RootDSE")
> > strDNSDomain = objRootDSE.Get("defaultNamingContext")
> > strBase = "<LDAP://" & strDNSDomain & ">"
> >
> > ' Filter on user objects.
> > strFilter = "(&(objectCategory=person)(objectClass=user))"
> >
> > ' Comma delimited list of attribute values to retrieve.
> > strAttributes = "distinguishedName"
> >
> > ' Construct the LDAP syntax query.
> > strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
> > adoCommand.CommandText = strQuery
> > adoCommand.Properties("Page Size") = 100
> > adoCommand.Properties("Timeout") = 30
> > adoCommand.Properties("Cache Results") = False
> >
> > ' Run the query.
> > Set adoRecordset = adoCommand.Execute
> >
> > ' Enumerate the resulting recordset.
> > Do Until adoRecordset.EOF
> > ' Retrieve values.
> > strDN = adoRecordset.Fields("distinguishedName").Value
> > ' Bind to user object.
> > Set objUser = GetObject("LDAP://" & strDN)
> > ' Make password not expired.
> > objUser.pwdLastSet = -1
> > ' Save changes.
> > objUser.SetInfo
> > ' Move to the next record in the recordset.
> > adoRecordset.MoveNext
> > Loop
> >
> > ' Clean up.
> > adoRecordset.Close
> > adoConnection.Close
> > ==========
> > To modify the code for all users in an OU, change the base of the ADO query
> > from this:
> >
> > strBase = "<LDAP://" & strDNSDomain & ">"
> >
> > To specify the DN of the OU, similar to:
> >
> > strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"
> >
> > To restrict the ADO query to members of a group, you can change the filter
> > statement from this:
> >
> > strFilter = "(&(objectCategory=person)(objectClass=user))"
> >
> > to add a clause specifying the DN of the group. For example (one line):
> >
> > strFilter =
> > "(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"
> >
> > I hope this helps.
> >
> > --
> > Richard Mueller
> > MVP Directory Services
> > Hilltop Lab - http://www.rlmueller.net
> > --
> >
> >
> > .
> >

Mugen wrote:
> Hi,
>
> Anyone able to review the script I treid why not working?

I *think* that Richards script is expecting to enumerate user accounts in an
OU but you gave it the DN of a single user.

If true, create an OU and move your test user there and adjust strContainer
for the OU instead of the CN=


Otherwise I'm sure Richard or others will correct me (and you). :)

>
> Thanks.
>
> "Mugen" wrote:
>
>> Hi,
>>
>> Thanks for you help!
>>
>> I tried this VB script to test individual account in default "users"
>> OU. It seems ran successful without any error. I got a Windows
>> script host window with "PwdLastSet= -1 and Accounts changed = -1".
>> However, when I checked the attribue of the PwdLastset nothing being
>> changed. It still showing last password set was 1 year ago. Here is
>> the VB script I tried and I put asterisk at end of the line where I
>> made change.
>>
>> Can you take a look what went wrong?
>>
>> ' PwdLastSet .vbs
>> ' Sample VBScript to force a user to change password at next logon
>> ' Author Guy Thomas http://computerperformance.co.uk/
>> ' Version 1.1 - May 2005
>> ' --------------------------------------------------------------'
>> Option Explicit
>> Dim objOU, objUser, objRootDSE
>> Dim strContainer, strDNSDomain
>> Dim intCounter, intPwdValue
>>
>> ' Bind to Active Directory Domain
>> Set objRootDSE = GetObject("LDAP://RootDSE")
>> strDNSDomain = objRootDSE.Get("DefaultNamingContext")
>>
>> ' -------------------------------------------------------------'
>> ' Important change OU= to reflect your domain
>> ' -------------------------------------------------------------'
>> strContainer = "cn=test account,cn=users,dc=domain,dc=com, " ******
>> strContainer = strContainer & strDNSDomain
>> intCounter = -1 **********
>> ' Here we force a reset password date
>> intPwdValue = -1 ***********
>>
>> ' Loop through OU=, resetting all user accounts
>> set objOU =GetObject("LDAP://cn=test
>> account,cn=users,dc=domain,dc=com") ***** For each objUser in objOU
>> If objUser.class="user" then
>> objUser.Put "PwdLastSet", intPwdValue
>> objUser.SetInfo
>> End If
>> intCounter = intCounter +1
>> Next
>>
>> ' Optional section to record how many accounts have been set
>> WScript.Echo "PwdLastSet = " & intPwdValue _
>> & vbCr & "Accounts changed = " & intCounter
>> WScript.Quit
>>
>> ' End of Sample PwdLastSet VBScript
>>
>>
>>
>>
>> "Richard Mueller [MVP]" wrote:
>>
>>>
>>> "Mugen" <Mugen@discussions.microsoft.com> wrote in message
>>> news:A37AA81D-9251-436C-BAC0-3B9034A6C768@microsoft.com...
>>>> Hi Kj and Richard,
>>>>
>>>> Thanks for your reply!
>>>>
>>>> I just want to double check if I run a script and set "pwdLastSet"
>>>> attribute
>>>> to -1 which will reset all the users to today date?
>>>> Because I want to do that first before I enforce password policy
>>>> to whole Domain for "password expire in 90 days". That way, I just
>>>> email out to everyone saying policy has been applied and everyone
>>>> need to change password
>>>> every 90 days from now on. Otherewise, most of the users will get
>>>> password expire the first day I apply passwrod policy. Hope that
>>>> make sense...
>>>>
>>>> Do you know if there is a script I can download for resetting
>>>> "pwdLastSet" to -1 for multiple users or whole Domain?
>>>>
>>>> Thanks and really appreicate your help!
>>>> Mugen
>>>
>>> If you assign -1 to pwdLastSet, this assigns a huge number to the
>>> attribute. The next time the user authenticates, a value
>>> corresponding to the current date and time is automatically
>>> assigned by the system. Still, if you
>>> assign -1 to everyone today, and they all logon tomorrow, then
>>> everyone's password will expire on the same day 90 days in the
>>> future. I've found this to be problem when users are not used to
>>> changing passwords. You still might what to assign -1 to groups of
>>> users to spread out the load on your support.
>>>
>>> You can use ADO in a VBScript program to retrieve the DN of all
>>> users (or all users in an OU, or all users in a group), enumerate
>>> the users, bind to each user object, assign -1 to pwdLastSet, and
>>> save the changes. For example, for all users in the domain:
>>> ==========
>>> Option Explicit
>>>
>>> Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
>>> Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser
>>>
>>> ' Setup ADO objects.
>>> Set adoCommand = CreateObject("ADODB.Command")
>>> Set adoConnection = CreateObject("ADODB.Connection")
>>> adoConnection.Provider = "ADsDSOObject"
>>> adoConnection.Open "Active Directory Provider"
>>> Set adoCommand.ActiveConnection = adoConnection
>>>
>>> ' Search entire Active Directory domain.
>>> Set objRootDSE = GetObject("LDAP://RootDSE")
>>> strDNSDomain = objRootDSE.Get("defaultNamingContext")
>>> strBase = "<LDAP://" & strDNSDomain & ">"
>>>
>>> ' Filter on user objects.
>>> strFilter = "(&(objectCategory=person)(objectClass=user))"
>>>
>>> ' Comma delimited list of attribute values to retrieve.
>>> strAttributes = "distinguishedName"
>>>
>>> ' Construct the LDAP syntax query.
>>> strQuery = strBase & ";" & strFilter & ";" & strAttributes &
>>> ";subtree" adoCommand.CommandText = strQuery
>>> adoCommand.Properties("Page Size") = 100
>>> adoCommand.Properties("Timeout") = 30
>>> adoCommand.Properties("Cache Results") = False
>>>
>>> ' Run the query.
>>> Set adoRecordset = adoCommand.Execute
>>>
>>> ' Enumerate the resulting recordset.
>>> Do Until adoRecordset.EOF
>>> ' Retrieve values.
>>> strDN = adoRecordset.Fields("distinguishedName").Value
>>> ' Bind to user object.
>>> Set objUser = GetObject("LDAP://" & strDN)
>>> ' Make password not expired.
>>> objUser.pwdLastSet = -1
>>> ' Save changes.
>>> objUser.SetInfo
>>> ' Move to the next record in the recordset.
>>> adoRecordset.MoveNext
>>> Loop
>>>
>>> ' Clean up.
>>> adoRecordset.Close
>>> adoConnection.Close
>>> ==========
>>> To modify the code for all users in an OU, change the base of the
>>> ADO query from this:
>>>
>>> strBase = "<LDAP://" & strDNSDomain & ">"
>>>
>>> To specify the DN of the OU, similar to:
>>>
>>> strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"
>>>
>>> To restrict the ADO query to members of a group, you can change the
>>> filter statement from this:
>>>
>>> strFilter = "(&(objectCategory=person)(objectClass=user))"
>>>
>>> to add a clause specifying the DN of the group. For example (one
>>> line):
>>>
>>> strFilter =
>>> "(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"
>>>
>>> I hope this helps.
>>>
>>> --
>>> Richard Mueller
>>> MVP Directory Services
>>> Hilltop Lab - http://www.rlmueller.net
>>> --
>>>
>>>
>>> .

--
/kj