Alex, does setting 'pwdLastSet' => 0 not work for you? You can't set
the value to anything else but you should be able to set it to zero
which will force the expiration.

    $ldap->modify($dn, replace => { 'pwdLastSet' => 0 });

Don
-----Original Message-----
From: A. Farber
Sent: Friday, July 11, 2008 5:02 AM
To: [email protected]
Subject: Force the new AD user to change password - pwdLastSet
Hello,
does anybody please know how to set the checkbox
"User must change password at next logon" for
a new user in Active Directory?

In VBScript it is done by: obj.Put "pwdLastSet", 0
but I can't find the Net::LDAP counterpart for that (and
I can't use Win32::OLE because my script runs on Linux).

After reading http://support.microsoft.com/kb/305144
I've tried setting the 0x800000 bit in userAccountControl -
but it doesn't work (the user is created fine though):

    use constant NORMAL_ACCOUNT   => 0x200;
    use constant PASSWORD_EXPIRED => 0x800000;

    $result = $ldap->add($dn,
        attr => [
            objectClass => 'user',
            #objectClass => [qw(top person organizationalPerson user)],
            sAMAccountName => $uid,
            userPrincipalName => $uid . '@' . DOMAIN,
            givenName => $first,
            sn => $last,
            displayName => $fullname,
            description => $fullname,
            mail => $mail,
            l => $city,
            physicalDeliveryOfficeName => $city,
            company => $company,
        ]
    );
    $result->code && die 'Failed to add entry: ', $result->error;

    $charmap = Unicode::Map8->new('latin1') or die $!;
    $unipwd = $charmap->tou('"' . $password . '"')->byteswap()->utf16();
    $result = $ldap->modify($dn, add => { unicodePwd => $unipwd } );
    $result->code && die 'Failed to modify entry: ', $result->error;

    $result = $ldap->modify($dn, replace => { userAccountControl =>
        NORMAL_ACCOUNT | PASSWORD_EXPIRED } );
    $result->code && die 'Failed to modify entry: ', $result->error;

Any hints please?
Alex
PS: I'm so happy I can work with Perl after I've finally
enabled LDAP/SSL in our domain controllers...
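
A read-back check for the state discussed in this thread, as an added example that is not part of either message: it interprets pwdLastSet and userAccountControl values the way an LDAP search would return them, so a provisioning script can confirm that the change was actually forced. The account names and attribute values are constructed, password_state is a hypothetical helper name, and a Perl built with 64-bit integers is assumed.

```perl
#!/usr/bin/perl
# Added example: offline check of the "must change password at next logon"
# state from attribute values as an LDAP search would return them.
use strict;
use warnings;
use POSIX qw(strftime);

use constant DONT_EXPIRE_PASSWD => 0x10000;          # userAccountControl bit
use constant FILETIME_EPOCH_GAP => 11_644_473_600;   # seconds, 1601 -> 1970

# Returns a short status string for one account.
# pwdLastSet counts 100 ns ticks since 1601-01-01 UTC. A value of 0 means
# the user must change the password at next logon, unless the
# DONT_EXPIRE_PASSWD bit is set in userAccountControl.
sub password_state {
    my ($uac, $pwd_last_set) = @_;

    # Attributes can be missing when the bind account may not read them.
    return 'unknown (attributes not readable)'
        unless defined $uac && defined $pwd_last_set;

    if ($pwd_last_set == 0) {
        my $never_expires = $uac & DONT_EXPIRE_PASSWD;
        return $never_expires
            ? 'pwdLastSet=0 but never-expires flag set: change NOT forced'
            : 'must change password at next logon';
    }

    # Non-zero: convert the FILETIME value to a readable UTC timestamp.
    my $epoch = int($pwd_last_set / 10_000_000) - FILETIME_EPOCH_GAP;
    return 'password set ' . strftime('%Y-%m-%d %H:%M:%SZ', gmtime($epoch));
}

# Constructed sample entries (hypothetical names and values).
my @entries = (
    { name => 'new.user',  uac => 0x200,   pwdLastSet => '0' },
    { name => 'svc.batch', uac => 0x10200, pwdLastSet => '0' },
    { name => 'old.user',  uac => 0x200,   pwdLastSet => '128603000000000000' },
    { name => 'no.access', uac => undef,   pwdLastSet => undef },
);

printf "%-10s %s\n", $_->{name}, password_state($_->{uac}, $_->{pwdLastSet})
    for @entries;
```

In a provisioning script the same function would be fed the two attributes read back from the new entry after the modify calls, so a flag that did not take effect is reported instead of passing silently.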