Erick,

Joe makes a good point -- password expiration policy is global.

However, you can avoid the rush of everyone's passwords expiring at once
with the following process:

  1) enable global password expiration, but set the interval really long.

  2) run a batch file nightly to expire a small group of users.  This
     "primes the pump" by getting users to have unique expiration
     schedules.

  3) when you've got everyone to change their password once, shorten the
     global policy.

I don't think we've run into any Win2K shops that had this problem, but we
(vendor: M-Tech, product: P-Synch) have worked with some customers to do a
gradual activation of a reasonable expiration interval on WinNT domains using
this process.

Good luck!

-- Idan

On Wed, 13 Aug 2003, Joe wrote:

> You cannot set password expiration for a group of users. Password
> expiration is a global domain policy. Now if you are looking to simply
> unexpire a group of users you could write (or most likely at this point)
> find a script that will take a CSV file and either reset the passwords
> of those users thereby making them active or you can force them expired
> then clear the expired flag which would make them "hot" again under
> their old password with a password age of 0 days. You can do that by
> forcing a 0 into pwdLastSet and then turning around and then forcing a
> -1 into pwdLastSet. So say your password policy was set to expire in 91
> days and then you have an account with a password of 200 days and you
> want to re-enable that ID WITHOUT having to change the password you would
> use a script like this:
>
> ' ADSI bind to the user object; pwdLastSet is a LargeInteger FILETIME, but ADSI accepts 0 and -1 directly
> Set o = GetObject("LDAP://cn=joe,cn=users,dc=domain,dc=com")
> o.pwdLastSet = 0     ' 0 = "User must change password at next logon"
> o.SetInfo
> o.pwdLastSet = -1    ' -1 = stamp pwdLastSet with the current time, so the password age becomes 0 days
> o.SetInfo
>
>
> That would force the "must change password" flag of the account which
> would then allow you to clear that same flag and you now have a password
> with a password age of 0 days and fully ready to go.
>
>
>    joe
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Erick Christian
> Sent: Wednesday, August 13, 2003 1:17 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Setting password Expiration date
>
>
>
> We are rolling our W2k network out, and have successfully migrated from
> NT4.0. Previously we had set our user accounts' passwords to expire at
> the end of the year. However, going through and enabling each individual
> account is not an option; as yet I have not found a way in AD to set
> the PW expiration date for an entire group. If anyone could shed light
> on this topic I would greatly appreciate it.
>
>
> Erick Christian
> Chesapeake Board of Education
>
>
>
>
>
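As an added example (not code from Idan, Joe or the list), the script below combines Idan's step 2, a nightly job that expires one small bucket of users so expiration dates spread out, with the pwdLastSet mechanics Joe describes. It assumes the ActiveDirectory RSAT module on a current domain; the OU, rollout date, bucket count, cap and log path are placeholders to adjust.

```powershell
# Added example, not from the thread. Nightly staged expiration built on the
# pwdLastSet semantics Joe describes (0 = must change at next logon, -1 = "now").
Import-Module ActiveDirectory

$SearchBase  = 'OU=Staff,DC=domain,DC=com'   # placeholder OU
$RolloutDate = Get-Date '2003-08-01'         # placeholder: start of the staged rollout
$BucketCount = 30                            # spread the first forced change over 30 nights
$MaxPerNight = 200                           # hard cap so a filter mistake cannot expire everyone
$LogPath     = '.\staged-expiry.log'         # placeholder log file

# Deterministic bucket per account, so every user is visited exactly once
# per $BucketCount-night cycle regardless of when the job happens to run.
function Get-Bucket([string]$Sam, [int]$Buckets) {
    $bytes = [Text.Encoding]::UTF8.GetBytes($Sam.ToLowerInvariant())
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return [BitConverter]::ToUInt32($hash, 0) % $Buckets
}

# Tonight's bucket advances by one each night since the rollout began.
$tonight = ((Get-Date) - $RolloutDate).Days % $BucketCount

# pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC). Only accounts
# that have not changed their password since the rollout still need priming;
# accounts already at 0 (must change) are skipped.
$cutoff = $RolloutDate.ToFileTimeUtc()
$candidates = Get-ADUser -SearchBase $SearchBase -Properties pwdLastSet, sAMAccountName -Filter {
        Enabled -eq $true -and PasswordNeverExpires -eq $false -and
        pwdLastSet -lt $cutoff -and pwdLastSet -gt 0
    } |
    Where-Object { (Get-Bucket $_.sAMAccountName $BucketCount) -eq $tonight } |
    Select-Object -First $MaxPerNight

foreach ($u in $candidates) {
    # Joe's first step only: 0 flags "User must change password at next logon".
    Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
    "{0} expired {1}" -f (Get-Date -Format s), $u.sAMAccountName | Add-Content $LogPath
}

# Joe's full trick as a reusable function: 0 then -1 re-stamps pwdLastSet with
# the current time, so the existing password is accepted again with an age of
# 0 days. Note that this also restarts the clock on a genuinely old password,
# so log its use separately from the nightly job above.
function Reset-PasswordAge([string]$Sam) {
    Set-ADUser -Identity $Sam -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $Sam -Replace @{ pwdLastSet = -1 }
    "{0} reset age {1}" -f (Get-Date -Format s), $Sam | Add-Content $LogPath
}
```

Once every bucket has been processed and the log shows each account expired once, the global maximum password age can be shortened as in Idan's step 3 without a mass expiration.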

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
