Thread: force user to change password on next logon

  1. #1
    Join Date
    Jan 2004
    Posts
    55

    force user to change password on next logon

    I am running Windows Server 2003 AD with a single domain. Due to reasons I need to force all my users in a single OU to change their passwords on next logon. For doing the same I created a script and tested it on an OU at the top of the hierarchy, and it works fine. But when I tried the same script with a nested OU, it won't work. I don’t know what could be the reason.

    Here is how my script looks:

    ' PwdLastSet .vbs
    ' VBScript to force a user to change password at next logon
    ' --------------------------------------------------------------'

    Option Explicit
    Dim objOU, objUser, objRootDSE
    Dim strContainer, strDNSDomain
    Dim intCounter, intPwdValue

    ' Bind to Active Directory Domain
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' -------------------------------------------------------------'
    ' Important change OU= to reflect your domain
    ' -------------------------------------------------------------'

    strContainer = "OU=XXXX Rica,OU=XXXX, "
    strContainer = strContainer & strDNSDomain

    intCounter = 0

    ' Here we force a change of password at next logon
    intPwdValue = 0

    ' Loop through OU=, resetting all user accounts
    ' (only the direct children of the OU are enumerated)
    Set objOU = GetObject("LDAP://" & strContainer)
    For Each objUser In objOU
        If objUser.Class = "user" Then
            objUser.Put "PwdLastSet", intPwdValue
            objUser.SetInfo
            ' Count only the accounts that were actually changed
            intCounter = intCounter + 1
        End If
    Next

    ' Optional section to record how many accounts have been set
    WScript.Echo "PwdLastSet = " & intPwdValue _
    & vbCr & "Accounts changed = " & intCounter
    WScript.Quit

    ' End of Sample PwdLastSet VBScript
    Somebody please help.

  2. #2
    Join Date
    Sep 2005
    Posts
    175

    Re: force user to change password on next logon

    I think you should use a recursive subroutine to handle nested OU's. It should be something like this:

    ============
    Option Explicit
    Dim strOU, objOU, intCounter

    ' Specify the parent (top level) OU.
    strOU = "ou=West,dc=MyDomain,dc=com"

    ' Bind to the parent OU (strOU is the variable declared and set above).
    Set objOU = GetObject("LDAP://" & strOU)

    ' Variable intCounter has global scope.
    intCounter = 0
    Call EnumOU(objOU)

    Wscript.Echo "Accounts changed: " & CStr(intCounter)

    Sub EnumOU(ByVal objParent)
        ' Recursive subroutine to process all users in an OU
        ' and all sub OU's.

        Dim objUser, objChild

        ' Enumerate all users in the OU.
        objParent.Filter = Array("user")
        For Each objUser In objParent
            ' Skip computer objects.
            If (objUser.Class = "user") Then
                objUser.Put "pwdLastSet", 0
                objUser.SetInfo
                intCounter = intCounter + 1
            End If
        Next

        ' Enumerate all child OU's.
        objParent.Filter = Array("organizationalUnit")
        For Each objChild In objParent
            Call EnumOU(objChild)
        Next
    End Sub

  3. #3
    Join Date
    Jan 2004
    Posts
    55

    recursive subroutine to handle

    Thank you very much for your help, friend. I got the logic of the recursive call and it is working after defining a few unspecified dims. Help appreciated.

  4. #4
    Join Date
    Jul 2011
    Posts
    7

    Re: force user to change password on next logon

    Hi,
    Three questions about this script.
    1. From the Active Directory user account, will this script check the checkbox for a specific user to force the user to check the checkbox "User must change password on next login" in Windows 2008 Server R2?
    2. How can I set up the script so I can force it to check the checkbox every 15 or 20 seconds? May not be needed if step 3 works.
    3. If I am running a tclsh script from my Ubuntu PC is there a way I can somehow add code so it will run this script from my server?

  5. #5
    Join Date
    Dec 2007
    Posts
    2,291

    Re: force user to change password on next logon

    Originally posted by sgilmour:
    Hi,
    Three questions about this script.
    1. From the Active Directory user account, will this script check the checkbox for a specific user to force the user to check the checkbox "User must change password on next login" in Windows 2008 Server R2?
    2. How can I set up the script so I can force it to check the checkbox every 15 or 20 seconds? May not be needed if step 3 works.
    3. If I am running a tclsh script from my Ubuntu PC is there a way I can somehow add code so it will run this script from my server?
    You can try to consider using this script if you have a large number of users.

    "Configuring a Password Change at Next Logon Requirement"
    http://technet.microsoft.com/hi-in/l...97(en-us).aspx

  6. #6
    Join Date
    Jul 2011
    Posts
    7

    Re: force user to change password on next logon

    Thanks for the reply. I will try to edit it to use for one specific user.
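
Added example, not part of the thread and not any poster's code: the same change done with the ActiveDirectory PowerShell module, covering both the nested-OU case from posts #1 and #2 (a subtree search replaces the recursion) and the single-user case from post #6. It assumes a host with the ActiveDirectory module (Windows Server 2008 R2 or later, or RSAT); the function name `Set-MustChangePassword` and the sample DN and account name are hypothetical. Accounts flagged "Password never expires" are skipped, because pwdLastSet = 0 does not force a change on them.

```powershell
#Requires -Modules ActiveDirectory
# Added example. Function name, sample DN and account name are hypothetical.

function Set-MustChangePassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Distinguished name of the top-level OU; nested OUs are included.
        [Parameter(Mandatory = $true, ParameterSetName = 'OU')]
        [string]$SearchBase,

        # sAMAccountName (or DN) of one account.
        [Parameter(Mandatory = $true, ParameterSetName = 'User')]
        [string]$Identity
    )

    $props = 'PasswordNeverExpires', 'pwdLastSet'
    if ($PSCmdlet.ParameterSetName -eq 'User') {
        $users = @(Get-ADUser -Identity $Identity -Properties $props)
    } else {
        # Subtree scope returns users from the OU and every OU below it.
        $users = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
                -Filter * -Properties $props)
    }

    foreach ($user in $users) {
        if ($user.PasswordNeverExpires) {
            # "Must change" has no effect while this flag is set; report it.
            $result = 'Skipped (password never expires)'
        } elseif ($user.pwdLastSet -eq 0) {
            # Checkbox is already ticked; nothing to write.
            $result = 'Already set'
        } elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName,
                'Require password change at next logon')) {
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true
            $result = 'Changed'
        } else {
            $result = 'Not changed (-WhatIf)'
        }
        # One result row per account, so the run can be reviewed or exported.
        New-Object PSObject -Property @{
            Account = $user.SamAccountName
            DN      = $user.DistinguishedName
            Result  = $result
        }
    }
}

# Preview the OU tree first, then apply; or target one account:
# Set-MustChangePassword -SearchBase 'OU=West,DC=MyDomain,DC=com' -WhatIf
# Set-MustChangePassword -Identity 'jdoe'
```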
