Title: Message
You cannot set password expiration for a group of users. Password expiration is a global domain policy. Now, if you are looking to simply unexpire a group of users, you could write (or, most likely at this point, find) a script that will take a CSV file and either reset the passwords of those users, thereby making them active, or force them expired and then clear the expired flag, which would make them "hot" again under their old password with a password age of 0 days. You can do that by forcing a 0 into pwdLastSet and then turning around and forcing a -1 into pwdLastSet. So, say your password policy was set to expire in 91 days, you have an account with a password of 200 days, and you want to re-enable that ID WITHOUT having to change the password; you would use a script like this:
 
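' Bind to the user object by its distinguished name
Set o = GetObject("LDAP://cn=joe,cn=users,dc=domain,dc=com")
' 0 forces the "must change password" flag (password treated as expired)
o.pwdLastSet = 0
o.SetInfo
' -1 clears the flag and stamps pwdLastSet with the current time
o.pwdLastSet = -1
o.SetInfo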
 
That would force the "must change password" flag of the account, which would then allow you to clear that same flag, and you now have a password with a password age of 0 days and fully ready to go.
 
 
   joe
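
A batch form of the two-step pwdLastSet write described in the reply above, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module and a CSV with a single SamAccountName column (the column name, parameter names and audit file path are assumptions), and it records each account's previous pwdLastSet because the old password stays valid with its age reset to 0.

```powershell
# Added example, not code from the original thread.
# Assumed CSV layout (constructed sample):
#   SamAccountName
#   jdoe
#   asmith
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [string]$AuditLog = '.\pwdLastSet-reset-audit.csv'   # hypothetical output path
)

Import-Module ActiveDirectory

$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $entry = [pscustomobject]@{
        SamAccountName   = $row.SamAccountName
        OldPwdLastSetUtc = $null
        Action           = 'not found'
    }
    try {
        $user = Get-ADUser -Identity $row.SamAccountName `
                           -Properties pwdLastSet, PasswordNeverExpires -ErrorAction Stop
    } catch {
        $entry          # keep a record of names that did not resolve
        continue
    }

    # Capture the old value before touching it so the change can be reviewed later.
    $entry.OldPwdLastSetUtc = [DateTime]::FromFileTimeUtc($user.pwdLastSet)

    if ($user.PasswordNeverExpires) {
        # Expiry does not apply to this account; leave it alone.
        $entry.Action = 'skipped (password never expires)'
    } elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset pwdLastSet (0 then -1)')) {
        # 0 sets "must change password"; -1 clears it and stamps the current time.
        Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
        Set-ADUser -Identity $user -Replace @{ pwdLastSet = -1 }
        $entry.Action = 'reset'
    } else {
        $entry.Action = 'skipped (WhatIf or declined)'
    }
    $entry
}

# One row per input account: previous timestamp and what was done.
$results | Export-Csv -Path $AuditLog -NoTypeInformation
```

Running it with -WhatIf first produces the audit file without writing to any account.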
 
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Erick Christian
Sent: Wednesday, August 13, 2003 1:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Settign password Expiration date

We are rolling our W2k network out, and have successfully migrated from NT4.0. Previously we had set our user accounts' passwords to expire at the end of the year. However, going through and enabling each individual account is not an option. As of yet, I have not found a way in AD to set the PW expiration date for an entire group. If anyone could shed light on this topic I would greatly appreciate it.
 

Erick Christian
Chesapeake Board of Education

 
