Password Expiration

Sponsored Links

We are running Active Directory on Windows 2003 server. We setup a policy
that users need to change password every 90 days. Is there a way to setup
one particular user account so that the password will expire on a certain
date (i.e. September 30, 2008) instead of expiring every 90 days?

Thanks.

Diane,
maximum password age affecting domain user accounts is a domain-level
setting - unless you are running Windows Server 2008 functional level
domain...
You can use a workaround by creating a custom script that will force the
designated user to change the password at the next logon and schedule it to
run on the target date...

hth
Marcin

Thanks for your prompt response.

Do you have any recommendation how I can go about creating a custom script?

"Marcin" <marcin@community.nospam> wrote in message
news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
> Diane,
> maximum password age affecting domain user accounts is a domain-level
> setting - unless you are running Windows Server 2008 functional level
> domain...
> You can use a workaround by creating a custom script that will force the
> designated user to change the password at the next logon and schedule it
> to run on the target date...
>
> hth
> Marcin

The VBScript program could be similar to:
==========
Option Explicit
Dim objUser

' Bind to the specific user object, using the full Distinguished Name.
Set objUser = GetObject("LDAP://cn=Jim
Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")

' Expire the password so it must be change at next logon.
objUser.pwdLastSet = 0

' Save Changes.
objUser.SetInfo
==========
Whenever this script runs, the user will need to change their password the
next time they logon. The tricky part is determining the Distinguished Name
of the user.

--
Richard Mueller
Microsoft MVP Scripting and ADSI
Hilltop Lab - http://www.rlmueller.net
--

"Diane Walker" <ett9300@yahoo.com> wrote in message
news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
> Thanks for your prompt response.
>
> Do you have any recommendation how I can go about creating a custom
> script?
>
> "Marcin" <marcin@community.nospam> wrote in message
> news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
>> Diane,
>> maximum password age affecting domain user accounts is a domain-level
>> setting - unless you are running Windows Server 2008 functional level
>> domain...
>> You can use a workaround by creating a custom script that will force the
>> designated user to change the password at the next logon and schedule it
>> to run on the target date...
>>
>> hth
>> Marcin
>
>

Thanks very much.

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:Oa9s$oGfIHA.4164@TK2MSFTNGP05.phx.gbl...
> The VBScript program could be similar to:
> ==========
> Option Explicit
> Dim objUser
>
> ' Bind to the specific user object, using the full Distinguished Name.
> Set objUser = GetObject("LDAP://cn=Jim
> Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")
>
> ' Expire the password so it must be change at next logon.
> objUser.pwdLastSet = 0
>
> ' Save Changes.
> objUser.SetInfo
> ==========
> Whenever this script runs, the user will need to change their password the
> next time they logon. The tricky part is determining the Distinguished
Name
> of the user.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "Diane Walker" <ett9300@yahoo.com> wrote in message
> news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
> > Thanks for your prompt response.
> >
> > Do you have any recommendation how I can go about creating a custom
> > script?
> >
> > "Marcin" <marcin@community.nospam> wrote in message
> > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
> >> Diane,
> >> maximum password age affecting domain user accounts is a domain-level
> >> setting - unless you are running Windows Server 2008 functional level
> >> domain...
> >> You can use a workaround by creating a custom script that will force
the
> >> designated user to change the password at the next logon and schedule
it
> >> to run on the target date...
> >>
> >> hth
> >> Marcin
> >
> >
>
>
>

Is it possible to write a script so that the password will expire on a
certain date such as June 30, 2008? Thanks.

"Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
message news:Oa9s$oGfIHA.4164@TK2MSFTNGP05.phx.gbl...
> The VBScript program could be similar to:
> ==========
> Option Explicit
> Dim objUser
>
> ' Bind to the specific user object, using the full Distinguished Name.
> Set objUser = GetObject("LDAP://cn=Jim
> Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")
>
> ' Expire the password so it must be change at next logon.
> objUser.pwdLastSet = 0
>
> ' Save Changes.
> objUser.SetInfo
> ==========
> Whenever this script runs, the user will need to change their password the
> next time they logon. The tricky part is determining the Distinguished
Name
> of the user.
>
> --
> Richard Mueller
> Microsoft MVP Scripting and ADSI
> Hilltop Lab - http://www.rlmueller.net
> --
>
> "Diane Walker" <ett9300@yahoo.com> wrote in message
> news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
> > Thanks for your prompt response.
> >
> > Do you have any recommendation how I can go about creating a custom
> > script?
> >
> > "Marcin" <marcin@community.nospam> wrote in message
> > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
> >> Diane,
> >> maximum password age affecting domain user accounts is a domain-level
> >> setting - unless you are running Windows Server 2008 functional level
> >> domain...
> >> You can use a workaround by creating a custom script that will force
the
> >> designated user to change the password at the next logon and schedule
it
> >> to run on the target date...
> >>
> >> hth
> >> Marcin
> >
> >
>
>
>

In message <ehMl3CnfIHA.6136@TK2MSFTNGP03.phx.gbl> "Diane Walker"
<ett9300@yahoo.com> wrote:

>Is it possible to write a script so that the password will expire on a
>certain date such as June 30, 2008? Thanks.

I have not tested this, but in theory, couldn't you run the same script
but inserting a valid date for the last-changed, instead of "0"?

You'll need to do the math and make the last-changed date 'x' days in
the past (where 'x' is the max-age of passwords as defined by your group
policies).

Again, I haven't tested this, someone smarter then myself might know if
this works in the real world or not.

http://www.petri.co.il/ldap_search_s...d_exchange.htm
has a link to help you convert dates.

You can only set pwdLastSet to 2 values; 0 and -1. 0 forces "password must
be changed at next logon" and -1 tells the directory to set the last changed
date to "now", essentially giving the user a new lease on their current
password for the entire expiration interval. You can't set it to a specific
date value though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Diane Walker" <ett9300@yahoo.com> wrote in message
news:ehMl3CnfIHA.6136@TK2MSFTNGP03.phx.gbl...
> Is it possible to write a script so that the password will expire on a
> certain date such as June 30, 2008? Thanks.
>
> "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
> message news:Oa9s$oGfIHA.4164@TK2MSFTNGP05.phx.gbl...
>> The VBScript program could be similar to:
>> ==========
>> Option Explicit
>> Dim objUser
>>
>> ' Bind to the specific user object, using the full Distinguished Name.
>> Set objUser = GetObject("LDAP://cn=Jim
>> Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")
>>
>> ' Expire the password so it must be change at next logon.
>> objUser.pwdLastSet = 0
>>
>> ' Save Changes.
>> objUser.SetInfo
>> ==========
>> Whenever this script runs, the user will need to change their password
>> the
>> next time they logon. The tricky part is determining the Distinguished
> Name
>> of the user.
>>
>> --
>> Richard Mueller
>> Microsoft MVP Scripting and ADSI
>> Hilltop Lab - http://www.rlmueller.net
>> --
>>
>> "Diane Walker" <ett9300@yahoo.com> wrote in message
>> news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
>> > Thanks for your prompt response.
>> >
>> > Do you have any recommendation how I can go about creating a custom
>> > script?
>> >
>> > "Marcin" <marcin@community.nospam> wrote in message
>> > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
>> >> Diane,
>> >> maximum password age affecting domain user accounts is a domain-level
>> >> setting - unless you are running Windows Server 2008 functional level
>> >> domain...
>> >> You can use a workaround by creating a custom script that will force
> the
>> >> designated user to change the password at the next logon and schedule
> it
>> >> to run on the target date...
>> >>
>> >> hth
>> >> Marcin
>> >
>> >
>>
>>
>>
>
>

In message <dl6ss3dsr71hpnm6b5kscvsagn498j9car@4ax.com> DevilsPGD
<spam_narf_spam@crazyhat.net> wrote:

>Again, I haven't tested this, someone smarter then myself might know if
>this works in the real world or not.

Ahh, I guess not... Joe's post gives a suggestion though :)