Results 1 to 9 of 9

Thread: Password Expiration

  1. #1
    Diane Walker Guest

    Password Expiration

    We are running Active Directory on Windows 2003 server. We setup a policy
    that users need to change password every 90 days. Is there a way to setup
    one particular user account so that the password will expire on a certain
    date (i.e. September 30, 2008) instead of expiring every 90 days?

    Thanks.



  2. #2
    Marcin Guest

    Re: Password Expiration

    Diane,
    maximum password age affecting domain user accounts is a domain-level
    setting - unless you are running Windows Server 2008 functional level
    domain...
    You can use a workaround by creating a custom script that will force the
    designated user to change the password at the next logon and schedule it to
    run on the target date...

    hth
    Marcin


  3. #3
    Diane Walker Guest

    Re: Password Expiration

    Thanks for your prompt response.

    Do you have any recommendation how I can go about creating a custom script?

    "Marcin" <marcin@community.nospam> wrote in message
    news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
    > Diane,
    > maximum password age affecting domain user accounts is a domain-level
    > setting - unless you are running Windows Server 2008 functional level
    > domain...
    > You can use a workaround by creating a custom script that will force the
    > designated user to change the password at the next logon and schedule it
    > to run on the target date...
    >
    > hth
    > Marcin




  4. #4
    Richard Mueller [MVP] Guest

    Re: Password Expiration

    The VBScript program could be similar to:
    ==========
    Option Explicit
    Dim objUser

    ' Bind to the specific user object, using the full Distinguished Name.
    Set objUser = GetObject("LDAP://cn=Jim
    Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")

    ' Expire the password so it must be change at next logon.
    objUser.pwdLastSet = 0

    ' Save Changes.
    objUser.SetInfo
    ==========
    Whenever this script runs, the user will need to change their password the
    next time they logon. The tricky part is determining the Distinguished Name
    of the user.

    --
    Richard Mueller
    Microsoft MVP Scripting and ADSI
    Hilltop Lab - http://www.rlmueller.net
    --

    "Diane Walker" <ett9300@yahoo.com> wrote in message
    news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
    > Thanks for your prompt response.
    >
    > Do you have any recommendation how I can go about creating a custom
    > script?
    >
    > "Marcin" <marcin@community.nospam> wrote in message
    > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
    >> Diane,
    >> maximum password age affecting domain user accounts is a domain-level
    >> setting - unless you are running Windows Server 2008 functional level
    >> domain...
    >> You can use a workaround by creating a custom script that will force the
    >> designated user to change the password at the next logon and schedule it
    >> to run on the target date...
    >>
    >> hth
    >> Marcin

    >
    >





  5. #5
    Diane Walker Guest

    Re: Password Expiration

    Thanks very much.

    "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    message news:Oa9s$oGfIHA.4164@TK2MSFTNGP05.phx.gbl...
    > The VBScript program could be similar to:
    > ==========
    > Option Explicit
    > Dim objUser
    >
    > ' Bind to the specific user object, using the full Distinguished Name.
    > Set objUser = GetObject("LDAP://cn=Jim
    > Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")
    >
    > ' Expire the password so it must be change at next logon.
    > objUser.pwdLastSet = 0
    >
    > ' Save Changes.
    > objUser.SetInfo
    > ==========
    > Whenever this script runs, the user will need to change their password the
    > next time they logon. The tricky part is determining the Distinguished

    Name
    > of the user.
    >
    > --
    > Richard Mueller
    > Microsoft MVP Scripting and ADSI
    > Hilltop Lab - http://www.rlmueller.net
    > --
    >
    > "Diane Walker" <ett9300@yahoo.com> wrote in message
    > news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
    > > Thanks for your prompt response.
    > >
    > > Do you have any recommendation how I can go about creating a custom
    > > script?
    > >
    > > "Marcin" <marcin@community.nospam> wrote in message
    > > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
    > >> Diane,
    > >> maximum password age affecting domain user accounts is a domain-level
    > >> setting - unless you are running Windows Server 2008 functional level
    > >> domain...
    > >> You can use a workaround by creating a custom script that will force

    the
    > >> designated user to change the password at the next logon and schedule

    it
    > >> to run on the target date...
    > >>
    > >> hth
    > >> Marcin

    > >
    > >

    >
    >
    >




  6. #6
    Diane Walker Guest

    Re: Password Expiration

    Is it possible to write a script so that the password will expire on a
    certain date such as June 30, 2008? Thanks.

    "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    message news:Oa9s$oGfIHA.4164@TK2MSFTNGP05.phx.gbl...
    > The VBScript program could be similar to:
    > ==========
    > Option Explicit
    > Dim objUser
    >
    > ' Bind to the specific user object, using the full Distinguished Name.
    > Set objUser = GetObject("LDAP://cn=Jim
    > Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")
    >
    > ' Expire the password so it must be change at next logon.
    > objUser.pwdLastSet = 0
    >
    > ' Save Changes.
    > objUser.SetInfo
    > ==========
    > Whenever this script runs, the user will need to change their password the
    > next time they logon. The tricky part is determining the Distinguished

    Name
    > of the user.
    >
    > --
    > Richard Mueller
    > Microsoft MVP Scripting and ADSI
    > Hilltop Lab - http://www.rlmueller.net
    > --
    >
    > "Diane Walker" <ett9300@yahoo.com> wrote in message
    > news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
    > > Thanks for your prompt response.
    > >
    > > Do you have any recommendation how I can go about creating a custom
    > > script?
    > >
    > > "Marcin" <marcin@community.nospam> wrote in message
    > > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
    > >> Diane,
    > >> maximum password age affecting domain user accounts is a domain-level
    > >> setting - unless you are running Windows Server 2008 functional level
    > >> domain...
    > >> You can use a workaround by creating a custom script that will force

    the
    > >> designated user to change the password at the next logon and schedule

    it
    > >> to run on the target date...
    > >>
    > >> hth
    > >> Marcin

    > >
    > >

    >
    >
    >




  7. #7
    DevilsPGD Guest

    Re: Password Expiration

    In message <ehMl3CnfIHA.6136@TK2MSFTNGP03.phx.gbl> "Diane Walker"
    <ett9300@yahoo.com> wrote:

    >Is it possible to write a script so that the password will expire on a
    >certain date such as June 30, 2008? Thanks.


    I have not tested this, but in theory, couldn't you run the same script
    but inserting a valid date for the last-changed, instead of "0"?

    You'll need to do the math and make the last-changed date 'x' days in
    the past (where 'x' is the max-age of passwords as defined by your group
    policies).

    Again, I haven't tested this, someone smarter then myself might know if
    this works in the real world or not.

    http://www.petri.co.il/ldap_search_s...d_exchange.htm
    has a link to help you convert dates.

  8. #8
    Joe Kaplan Guest

    Re: Password Expiration

    You can only set pwdLastSet to 2 values; 0 and -1. 0 forces "password must
    be changed at next logon" and -1 tells the directory to set the last changed
    date to "now", essentially giving the user a new lease on their current
    password for the entire expiration interval. You can't set it to a specific
    date value though.

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Diane Walker" <ett9300@yahoo.com> wrote in message
    news:ehMl3CnfIHA.6136@TK2MSFTNGP03.phx.gbl...
    > Is it possible to write a script so that the password will expire on a
    > certain date such as June 30, 2008? Thanks.
    >
    > "Richard Mueller [MVP]" <rlmueller-nospam@ameritech.nospam.net> wrote in
    > message news:Oa9s$oGfIHA.4164@TK2MSFTNGP05.phx.gbl...
    >> The VBScript program could be similar to:
    >> ==========
    >> Option Explicit
    >> Dim objUser
    >>
    >> ' Bind to the specific user object, using the full Distinguished Name.
    >> Set objUser = GetObject("LDAP://cn=Jim
    >> Smith,ou=Sales,ou=West,dc=MyDomain,dc=com")
    >>
    >> ' Expire the password so it must be change at next logon.
    >> objUser.pwdLastSet = 0
    >>
    >> ' Save Changes.
    >> objUser.SetInfo
    >> ==========
    >> Whenever this script runs, the user will need to change their password
    >> the
    >> next time they logon. The tricky part is determining the Distinguished

    > Name
    >> of the user.
    >>
    >> --
    >> Richard Mueller
    >> Microsoft MVP Scripting and ADSI
    >> Hilltop Lab - http://www.rlmueller.net
    >> --
    >>
    >> "Diane Walker" <ett9300@yahoo.com> wrote in message
    >> news:ezjeoiweIHA.5160@TK2MSFTNGP05.phx.gbl...
    >> > Thanks for your prompt response.
    >> >
    >> > Do you have any recommendation how I can go about creating a custom
    >> > script?
    >> >
    >> > "Marcin" <marcin@community.nospam> wrote in message
    >> > news:5BFE0FAA-1E4F-4505-979F-38F079EF6869@microsoft.com...
    >> >> Diane,
    >> >> maximum password age affecting domain user accounts is a domain-level
    >> >> setting - unless you are running Windows Server 2008 functional level
    >> >> domain...
    >> >> You can use a workaround by creating a custom script that will force

    > the
    >> >> designated user to change the password at the next logon and schedule

    > it
    >> >> to run on the target date...
    >> >>
    >> >> hth
    >> >> Marcin
    >> >
    >> >

    >>
    >>
    >>

    >
    >




  9. #9
    DevilsPGD Guest

    Re: Password Expiration

    In message <dl6ss3dsr71hpnm6b5kscvsagn498j9car@4ax.com> DevilsPGD
    <spam_narf_spam@crazyhat.net> wrote:

    >Again, I haven't tested this, someone smarter then myself might know if
    >this works in the real world or not.


    Ahh, I guess not... Joe's post gives a suggestion though :)

Similar Threads

  1. Disabling password expiration
    By ghu in forum Active Directory
    Replies: 8
    Last Post: 20-09-2010, 03:04 PM
  2. Stop Password Expiration in windows XP
    By Marlon in forum Tips & Tweaks
    Replies: 2
    Last Post: 04-11-2008, 10:47 AM
  3. Password expiration
    By carmelo in forum Windows Server Help
    Replies: 2
    Last Post: 26-04-2008, 09:43 PM
  4. 14 days password expiration notification
    By purvagarg in forum Active Directory
    Replies: 2
    Last Post: 03-03-2008, 11:32 AM
  5. Net user add & password expiration
    By Guilhem in forum Windows Server Help
    Replies: 4
    Last Post: 04-05-2006, 12:19 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •