This script will give you a list of people whose password is more than
120 days old - instead of just printing the name you can reset the
password, disable the account etc.

Steve

Set objRootDSE = GetObject("LDAP://RootDSE")
strRoot = objRootDSE.Get("rootDomainNamingContext")
Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConn
' page the results so domains with more than 1000 users are returned in full
objCommand.Properties("Page Size") = 1000
' every person object with a surname, returning the logon name and ADsPath
objCommand.CommandText = "<LDAP://" & strRoot & _
    ">;(&(objectCategory=person)(sn=*));sAMAccountName,adsPath;subTree"
Set objRecordSet = objCommand.Execute
Do While Not objRecordSet.EOF
  strUserName = objRecordSet("sAMAccountName")
  Set usr = GetObject(objRecordSet("adsPath"))
  ' whole days since the password was last set
  pwdLastChanged = DateDiff("d", DateValue(usr.PasswordLastChanged), Now)
  If pwdLastChanged > 120 Then
    WScript.Echo strUserName & vbTab & usr.PasswordLastChanged & vbTab & _
      pwdLastChanged
  End If
  objRecordSet.MoveNext
Loop
objRecordSet.Close
objConn.Close
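
The same report, written as an added example in PowerShell with the ActiveDirectory module rather than ADSI/ADO; it is not part of the thread and not Steve's script. It assumes the RSAT ActiveDirectory module is installed and that the caller can read user objects in the domain. The threshold of 120 days is a parameter, and the script only reports. It goes beyond the VBScript in two respects that matter for Tom's question about forcing changes: it reads the raw pwdLastSet attribute, so a value of 0 (password must be changed at next logon, so its age is undefined) is reported instead of raising an error, and it flags accounts marked "password never expires", which are exempt from the maximum-age policy and so stay stale however the GPO is set.

```powershell
# Added example, not code from the original thread.
# Lists enabled accounts whose password is older than $MaxAgeDays,
# plus accounts that must change at next logon or never expire.
param(
    [int]$MaxAgeDays = 120   # threshold; assumption, matches the VBScript above
)

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxAgeDays)

# pwdLastSet is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
# A value of 0 means "user must change password at next logon".
$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties pwdLastSet, PasswordNeverExpires

$report = foreach ($u in $users) {
    $lastSet = $null
    $ageDays = $null
    if ($u.pwdLastSet -eq 0) {
        $status = 'MustChangeAtNextLogon'
    } else {
        $lastSet = [DateTime]::FromFileTime($u.pwdLastSet)
        $ageDays = [int](($now - $lastSet).TotalDays)
        if ($lastSet -lt $cutoff) {
            # "never expires" bypasses Max Password age, so call it out separately
            $status = if ($u.PasswordNeverExpires) { 'StaleNeverExpires' } else { 'Stale' }
        } else {
            $status = 'OK'
        }
    }
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $lastSet
        AgeDays              = $ageDays
        PasswordNeverExpires = $u.PasswordNeverExpires
        Status               = $status
    }
}

# Only the accounts that need attention, oldest password first
$report | Where-Object Status -ne 'OK' |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

Run it as-is to review the list first. Once the output has been checked, the action Tom asked about is a matter of piping the Stale entries to Set-ADUser with -ChangePasswordAtLogon $true; accounts reported as StaleNeverExpires need that flag cleared as well, or the maximum-age setting will continue to skip them.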



-----Original Message-----
From: Barber, Thomas [mailto:[EMAIL PROTECTED]] 
Sent: 03 December 2002 14:04
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] GPO for entire domain


OK, so if that's the case, is there a way I can tell the age of a
password for a particular account?  That way I could write a script that
would look through all user accounts and force a change password prompt
at next logon.


-Tom Barber
Systems Manager


-----Original Message-----
From: Salandra, Justin A. [mailto:[EMAIL PROTECTED]] 
Sent: Tuesday, December 03, 2002 8:50 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] GPO for entire domain

A user will be able to keep those passwords they have had for years
unless you prompt them to change their passwords at next logon.  Until
those old passwords are changed they will not be governed by the policy.

-----Original Message-----
From: Barber, Thomas [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 03, 2002 8:36 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] GPO for entire domain


First, a bit of background.

After much explanation and politics, we have finally decided to
institute some password policies for the campus.  Our machines currently
reside in a single, native mode Active Directory domain.

I have created a domain-level password policy with the following items
set:

Enforce Password history: 3 passwords remembered
Max Password age: 182 days
Min Password age: 1 days
Min password length: 4 characters

(I know these are poor security settings, but it's a start.)


The other two settings are undefined.

After setting this up, I now have four domain policies.

I am not seeing the "general chaos" I thought I would when the policy
went into effect.  

Questions:

In what order are the four domain policies applied?  The password policy
is the second policy in my list, with no other policies defining those
password settings.

Is there something else I need to do to "kick start" the policy?

There are plenty of users with passwords they have had for years.  Does
a password policy start the clock "ticking" when the policy is first
implemented?  Will these users be allowed to keep their current policy
for another 182 days before requiring them to change it?


Is there any way to check to see if the policy is working?  Also, is
there any way to check the password age of an account?



-Tom Barber
Systems Manager
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/