Title: [ActiveDir] does password expired toggle "user must change password at next logon"?
Sounds like you're not a friend of password migrations... something I can recommend, and it works quite nicely with the Password Export Server DLL from ADMT v2.0 (also used by most of the other migration tool vendors, which offer many other useful features over ADMT...)
 
You wouldn't have the issue of needing to know who has used their account or not simply by leaving them disabled, until you want them to use the AD account... This is the approach we're taking in most migrations and it's been rather rewarding, as it is very controlled. Mind you, you have to do a lot of tracking and tracing to ensure profile updates were successful prior to enabling the account.
 
/Guido


From: Rimmerman, Russ [mailto:[EMAIL PROTECTED]
Sent: Dienstag, 7. Oktober 2003 04:41
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] does password expired toggle "user must change password at next logon"?

I'm looking for pwdlastset that is not equal to 0, and if it's not 0, I reset their password.  This was because we are in the middle of a looooong AD migration and I've been using ADMT for the last 6 months to migrate users regularly from our NT4 domain since we're still adding users to our NT4 side.  ADMT has been creating the users with complex passwords so no one knows what their password is, so I checked to see if they had logged on and reset their password, and if not, set it to something I can tell them.
-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 9:33 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] does password expired toggle "user must change password at next logon"?

Michael: I can confirm Vladimir's statement that no, a normally expired ID will not light the "user must change password at next logon" checkbox.
 
Russ: Are you searching for ID's with a zero in the attribute or enumerating accounts? A search would be the fastest method. A simple ldap query to find all accounts with that checkbox set would be
 
(&(objectcategory=person)(samaccountname=*)(pwdlastset=0))
 
So with adfind it would look something like
 
adfind -b dc=domain,dc=com -f "(&(objectcategory=person)(samaccountname=*)(pwdlastset=0))" -dn
 
 
I don't understand why you would reset the people's passwords who have that flag set, what is the purpose?
 
 
  joe



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Monday, October 06, 2003 8:32 PM
To: '[EMAIL PROTECTED]'

I wrote a winbatch script that gets the status of this checkbox if anyone's interested in it.  It finds all users with this checkbox checked and resets their passwords.
-----Original Message-----
From: Turin, Vladimir [mailto:[EMAIL PROTECTED]
Sent: Monday, October 06, 2003 7:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] does password expired toggle "user must change password at next logon"?

 
  You're sort of right. It used to in NT4.0, but not in Windows 2000/3 whatever SP.
Microsoft silently changed the meaning of the checkbox from "User must change password at next logon" to "Administrator has forced the user to change password at next logon", but has forgotten to change the name. Meaning the checkbox is now set when and only when the administrator has set it. 
  If the password expired on its own, the checkbox isn't set anymore.
 
  I'm sure you can find some help here how to "write the simplest script on the earth" to get real password expired status. (or take a look at the thread "Password Policy - Challenge....", which is really cool and has the script)
 
  Vladimir
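
Added example, not part of the original thread or any poster's script: a Python sketch of the distinction made in the messages above, separating the administrator-set checkbox (pwdLastSet = 0, what the LDAP filter matches) from a password that has expired by age. The account names, the 90-day maxPwdAge and the evaluation date are constructed, and the sketch assumes the "password never expires" flag takes precedence over both checks.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: "Password never expires"
NO_EXPIRY = (0, -(2 ** 63))       # maxPwdAge values treated here as "no age limit"

def to_filetime(dt):
    """UTC datetime -> 100-ns ticks since 1601-01-01, the unit pwdLastSet uses."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    """100-ns ticks since 1601-01-01 -> UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_state(pwd_last_set, uac, max_pwd_age, now):
    """Tell the admin-set checkbox apart from expiry by age."""
    if uac & UF_DONT_EXPIRE_PASSWD:      # assumption: this flag wins over the rest
        return "never-expires"
    if pwd_last_set == 0:                # the checkbox; what (pwdlastset=0) finds
        return "must-change-flag-set"
    if max_pwd_age in NO_EXPIRY:
        return "valid"
    # maxPwdAge is stored as a negative interval in 100-ns ticks
    expires = from_filetime(pwd_last_set) + timedelta(microseconds=-max_pwd_age // 10)
    return "expired-by-age" if now >= expires else "valid"

# Constructed sample data: (sAMAccountName, pwdLastSet, userAccountControl)
NOW = datetime(2003, 10, 7, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * 86400 * 10_000_000   # 90 days, as a domain would store it
ACCOUNTS = [
    ("migrated1", 0, 0x200),
    ("olduser", to_filetime(datetime(2003, 6, 1, tzinfo=timezone.utc)), 0x200),
    ("recent", to_filetime(datetime(2003, 9, 15, tzinfo=timezone.utc)), 0x200),
    ("svc_backup", to_filetime(datetime(2002, 1, 1, tzinfo=timezone.utc)), 0x10200),
]

def classify(accounts, max_pwd_age=MAX_PWD_AGE, now=NOW):
    """Map each account name to its password state."""
    return {name: password_state(pls, uac, max_pwd_age, now)
            for name, pls, uac in accounts}

if __name__ == "__main__":
    for name, state in classify(ACCOUNTS).items():
        print(f"{name:12} {state}")
```

Only `migrated1` would be returned by the pwdLastSet=0 search; `olduser` is expired by age yet carries a non-zero pwdLastSet, which is the behaviour the thread describes for Windows 2000 and later.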


From: [EMAIL PROTECTED] on behalf of Thommes, Michael M.
Sent: Tue 10/7/2003 1:49 AM
To: Active Directory Mailing List (E-mail)
Subject: [ActiveDir] does password expired toggle "user must change password at next logon"?

Hi All:
    I don't recall ever getting any response from the message below that I sent out about a month ago.  Hopefully, there's no harm in trying again.  Thanks!

Mike Thommes


Hi,
    When a user's password expires, does it automatically toggle the setting for the account "User must change password at next logon"?  It seems to me it used to do this, but that is not what we are seeing now.  Our DCs are at W2K/SP3 plus post SP3 patches.  Would there be any connection between this observation and the setting "User must logon to change password"?  Thanks for any information!

Mike Thommes
Argonne National Laboratory
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This e-mail is confidential, may contain proprietary information
of the Cooper Cameron Corporation and its operating Divisions
and may be confidential or privileged.

This e-mail should be read, copied, disseminated and/or used only
by the addressee. If you have received this message in error please
delete it, together with any attachments, from your system.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~