We got this issue resolved late last night. The simplest solution for
us was to enable a trust relationship with the NT4.0 domain. Then we
simply made the necessary changes via NT4.0. It worked surprisingly well.
Thanks for all of the information everyone. This issue can now be
closed. 

Erick Christian
Chesapeake Board of Education
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, August 14, 2003 11:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Settign password Expiration date


Erick,

Joe makes a good point -- password expiration policy is global.

However, you can avoid the rush of everyone's passwords expiring at once
with the following process:

  1) enable global password expiration, but set the interval really
long.

  2) run a batch file nightly to expire a small group of users.  This
     "primes the pump" by getting users to have unique expiration
     schedules.

  3) when you've got everyone to change their password once, shorten the
     global policy.

I don't think we've run into any Win2K shops that had this problem, but
we (vendor: M-Tech, product: P-Synch) have worked with some customers to
do a gradual activation of reasonable expiration interval on WinNT
domains using this process.

Good luck!

-- Idan

On Wed, 13 Aug 2003, Joe wrote:

> You can not set password expiration for a group of users. Password
> expiration is a global domain policy. Now if you are looking to simply
> unexpire a group of users you could write (or most likely at this
> point) find a script that will take a CSV file and either reset the
> passwords of those users thereby making them active or you can force
> them expired then clear the expired flag which would make them "hot"
> again under their old password with a password age of 0 days. You can
> do that by forcing a 0 into pwdLastSet and then turning around and
> then forcing a -1 into pwdLastset. So say your password policy was set
> to expire in 91 days and then you have an account with a password of
> 200 days and you want to reenable that ID WITHOUT having to change the
> password you would use a script like this:
>
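> ' Bind to the user object
> Set o = GetObject("LDAP://cn=joe,cn=users,dc=domain,dc=com")
> o.pwdLastSet = 0     ' set the "must change password" flag
> o.SetInfo
> o.pwdLastSet = -1    ' clear the flag; password age restarts at 0 days
> o.SetInfo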
>
>
> That would force the "must change password" flag of the account which 
> would then allow you to clear that same flag and you now have a 
> password with a password age of 0 days and fully ready to go.
>
>
>    joe
>
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Erick 
> Christian
> Sent: Wednesday, August 13, 2003 1:17 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] Settign password Expiration date
>
>
>
> We are rolling our W2k network out, and have successfully migrated
> from NT4.0. Previously we had set our user accounts' passwords to
> expire at the end of the year. However, going through and enabling
> each individual account is not an option, as of yet I have not found a
> way in AD to set the PW expiration date for an entire group. If anyone
> could shed light on this topic I would greatly appreciate it.
>
>
> Erick Christian
> Chesapeake Board of Education
>
>
>
>
>
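
The nightly batch from step 2 of Idan's process, sketched as an added example that is not part of the original thread and is not M-Tech's or any poster's own tooling. It uses the ActiveDirectory PowerShell module, which postdates these 2003 messages, and the OU path, batch size and rollout date are assumed placeholder values.

```powershell
# Added example. Run nightly (e.g. from a scheduled task) while the global
# maximum password age is still set to a long interval (step 1).
param(
    [string]$SearchBase     = 'OU=Staff,DC=domain,DC=com',  # hypothetical OU
    [int]$BatchSize         = 25,                            # users expired per night (assumed)
    [datetime]$RolloutStart = '2003-08-15',                  # constructed date
    [switch]$Apply                                           # without -Apply, report only
)
Import-Module ActiveDirectory

# Candidates: enabled users whose password has not changed since the rollout began.
# Skipped: accounts flagged "password never expires" (typically service accounts)
# and accounts already waiting on a forced change (pwdLastSet is 0 or empty).
$cutoff = $RolloutStart.ToUniversalTime()
$candidates = @(
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties pwdLastSet, PasswordNeverExpires |
    Where-Object {
        -not $_.PasswordNeverExpires -and
        $_.pwdLastSet -and
        [datetime]::FromFileTimeUtc($_.pwdLastSet) -lt $cutoff
    } |
    Sort-Object pwdLastSet            # oldest passwords go first
)

$batch = @($candidates | Select-Object -First $BatchSize)

foreach ($user in $batch) {
    if ($Apply) {
        # pwdLastSet = 0 sets "user must change password at next logon",
        # the same attribute write as the first half of Joe's script.
        Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
    }
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        PasswordSetUtc = [datetime]::FromFileTimeUtc($user.pwdLastSet)
        Expired        = [bool]$Apply
    }
}

# When nothing remains after tonight's batch, every user in scope has either
# changed their password or been flagged, and once the flagged users have
# changed theirs the global interval can be shortened (step 3).
$remaining = $candidates.Count - $batch.Count
Write-Host "Flagged tonight: $($batch.Count); still on a pre-rollout password: $remaining"
```

Running it without `-Apply` first lists the accounts that would be expired, which makes it possible to review the batch before any attribute is written.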

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
