Also, the WS2k3 ADUC mentioned by Diane allows you to use the multi-select feature to select all accounts in the query and change that flag.
To query the user accounts you can use DSQuery (just one line):
dsquery * domainroot -scope subtree -filter "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
You can pipe the output to the following command:
dsmod user -pwdneverexpires no
Or you use the following VBS:
'==========================================================================
' NAME: RemovePwdNeverExpires.vbs
' AUTHOR: Ulf B. Simon-Weidner
' DATE : 02.04.2004
' COMMENT: Run with CScript to better monitor the output, use
' bolDebug=True to disable writing to AD
'==========================================================================
bolDebug = True 'Change that to False to write changes
strDomainDN = "dc=nwtraders,dc=msft"
intFlagToReset = 65536 ' DONT_EXPIRE_PASSWORD
' in decimal, for other Flags see
' http://support.microsoft.com/?id=305144

' Connect to Active Directory through the ADSI OLE DB provider
Set objCon = CreateObject("ADODB.Connection")
objCon.Open "Provider=ADsDSOObject;"
Set objCmd = CreateObject("ADODB.Command")
objCmd.ActiveConnection = objCon
strFlagToReset = CStr(intFlagToReset)

' Find all user objects that have the flag set (bitwise AND matching rule)
objCmd.CommandText = _
    "<LDAP://" & strDomainDN & ">;" & _
    "(&(objectCategory=Person)(objectClass=User)" & _
    "(userAccountControl:1.2.840.113556.1.4.803:=" & _
    strFlagToReset & "));" & _
    "distinguishedname,userAccountControl;subtree"
Set objRS = objCmd.Execute

While Not objRS.EOF
    userdn = objRS.Fields(0).Value
    ' Skip any DN that contains a "$"
    If InStr(userdn,"$")=0 Then
        newAcctCtrl = objRS.Fields(1).Value - intFlagToReset
        WScript.Echo "User found: " & _
            objRS.Fields(1).Value & " - new Value of UserAccountControl will be " & _
            newAcctCtrl & " : " & userdn
        ' Write to AD only when debug mode is switched off
        If bolDebug = False Then
            Set objUser = GetObject("LDAP://" & objRS.Fields(0).Value)
            objUser.Put "userAccountControl", newAcctCtrl
            objUser.SetInfo
            Set objUser = Nothing
        End If
    End If
    objRS.MoveNext
Wend

Set objRS = Nothing
Set objCmd = Nothing
Set objCon = Nothing
' END OF SCRIPT
I hope this helps you.
Ulf B. Simon-Weidner
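Added example, not part of the original thread and not Ulf's script: the bit test that the 1.2.840.113556.1.4.803 filter performs, with the flag cleared by AND-NOT (which leaves the value unchanged if the bit is already clear, where subtraction would corrupt it) and the planned changes rendered as LDIF modify records for review before anything is written. The DNs and userAccountControl values are constructed samples, and skipping accounts by the WORKSTATION_TRUST_ACCOUNT bit is an assumption of this example.

```python
# Added example; SAMPLE rows are constructed, not taken from the thread.
DONT_EXPIRE_PASSWORD = 0x10000       # 65536, the flag tested in the thread
WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096, set on computer accounts

SAMPLE = [  # (distinguishedName, userAccountControl)
    ("CN=Alice Adams,OU=Sales,DC=nwtraders,DC=msft", 66048),  # 512 + 65536
    ("CN=Bob Brown,OU=Sales,DC=nwtraders,DC=msft", 512),      # flag not set
    ("CN=Carol Clark,OU=IT,DC=nwtraders,DC=msft", 66050),     # 2 + 512 + 65536
    ("CN=WKS01,CN=Computers,DC=nwtraders,DC=msft", 69632),    # 4096 + 65536
]

def bit_and_match(value, mask):
    """Bitwise AND matching rule: true only when every bit of mask is set."""
    return value & mask == mask

def clear_flag(value, mask):
    """Clear the bits in mask; a no-op when they are already clear."""
    return value & ~mask

def plan_changes(rows, mask=DONT_EXPIRE_PASSWORD):
    """Return (dn, old, new) for non-computer accounts that have the flag."""
    plan = []
    for dn, uac in rows:
        if uac & WORKSTATION_TRUST_ACCOUNT:
            continue  # assumption of this example: leave computer accounts alone
        if bit_and_match(uac, mask):
            plan.append((dn, uac, clear_flag(uac, mask)))
    return plan

def to_ldif(plan):
    """Render the plan as LDIF modify records (RFC 2849) for review."""
    lines = []
    for dn, _old, new in plan:
        lines += [f"dn: {dn}", "changetype: modify",
                  "replace: userAccountControl",
                  f"userAccountControl: {new}", "-", ""]
    return "\n".join(lines)

if __name__ == "__main__":
    changes = plan_changes(SAMPLE)
    for dn, old, new in changes:
        print(f"{old} -> {new}  {dn}")
    print(to_ldif(changes))
```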
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ayers, Diane
Sent: Friday, 2. April 2004 17:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Never Expires...
Also, just as an FYI, if you're on XP, you can use the Win2K3 version ADUC which allows you to build a query in the GUI itself for all accounts that are configured as you described. It will work against both Win2K and Win2K3 domains.
Diane
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]On Behalf Of Rod Trent
Sent: Friday, April 02, 2004 4:48 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Password Never Expires...
Here's a script to find those accounts and throw them into a spreadsheet:
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Frank Abagnale
Sent: Friday, April 02, 2004 7:46 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Password Never Expires...
Hi,
One of our helpdesk technicians has been creating new user accounts with the 'Password Never Expires' tab selected.
Does anyone know a way of how I can find out which accounts are set to 'Password Not Expire' and if there is an automated way to reset these?
thanks...
-frank