**************************************************************************************************
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Wednesday, 03 August 2005 15:22
To: [email protected]
Subject: RE: [ActiveDir] Set UserAccountControl

There are a couple of issues here:

1. As was previously pointed out, these settings are mutually exclusive. An account that is marked as "user must change password at next logon" is, in reality, marked in the background as having an expired password.

2. You can't read or set "user must change password" in userAccountControl when using LDAP; this is now controlled by pwdLastSet. A value of zero means that the account is currently in need of having a password set on it, or immediately expired. Any other value tells you when the password was last set.

3. In your remark, you are backwards on which flags are which, plus one is actually wrong. Password never expires is ADS_UF_DONT_EXPIRE_PASSWD, which is 0x10000 or 65536. 0x80000 (524288) is ADS_UF_TRUSTED_FOR_DELEGATION, which is quite different. I believe you might have been shooting for 0x800000 (8388608) for ADS_UF_PASSWORD_EXPIRED, but again, in AD and using LDAP this flag is not used.

To further expand on #1 and #2 above, think about it in terms of code flow. In Windows, the ADS_UF_DONT_EXPIRE_PASSWD flag is set to tell the OS that a password on a given account never has to be changed because it never expires. A value of zero in pwdLastSet is the hard mechanism of saying an account is expired. A value in pwdLastSet that is equal to the date it was the password expiration policy days ago is the soft mechanism for saying an account is expired. When the OS looks at an account for expiration, the first thing it will do is look at the flag to see if an account CAN be expired. If the account is flagged with ADS_UF_DONT_EXPIRE_PASSWD there is no point in even looking at pwdLastSet, because its value means nothing to the OS.

The preference, of course, is to not have non-expiring userids at all. Why of course? Because people tend not to change them, of course.

If you don't think that having passwords changed on a regular basis gives you additional security, turn it off for your entire domain and forest; don't do it for one-off accounts. The thing is, most people believe that changing passwords on a regular basis gives them additional security by making it harder to guess over the long term, or cuts off people who found out the old password and no longer have it now that it has changed. So you have this belief that changing passwords makes you more secure, yet you want to take some IDs, usually critical admin or application IDs, and make them more insecure. The argument here that often comes up is that you don't want to avoid changing passwords... of course not, that would be silly; you actually just want to have better control of changing passwords and not be forced to unless you are ready to.... My answer to that... be ready sooner than the normal policy. Policy says you need to change it every 90 days and you will be forced at that point; change it when you hit 60 days or 80 days, or better yet, since this ID is so important, every 30 days. See http://blog.joeware.net/2005/05/08/10/ for a little more on this topic.

Since I wrote that blog entry it was suggested to me once that setting a password expiration policy doesn't increase security, was never proven to be so, and is in fact simply a common misconception pushed forward by various security groups and the industry as a whole but never really looked at seriously. Instead of a password expiration policy, it was said that you should have a sufficient length and complexity policy to block brute force / guessing techniques. I don't happen to agree with that argument, but I can see where the viewpoint is coming from and how setting an expiration policy too low can cause insecure reactions from users, such as using a password template for their passwords (password will be SomeGoodPassword1 then SomeGoodPassword2, or Winter2005, Spring2006, Summer2006, etc).

joe
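The evaluation order described in the reply above (never-expires flag first, then pwdLastSet == 0 as the hard expiry, then password age against the policy as the soft expiry) can be checked offline against exported account data. The following is an added example written for this thread, not code from joe or from the list; the flag values are the ADS_UF_* constants named in the reply, and the sample accounts, the 90-day policy and the helper names (decode_uac, password_state, audit) are constructed for illustration. pwdLastSet is handled as a Windows FILETIME (100-nanosecond ticks since 1601-01-01), which is how it is stored in the directory.

```python
"""
Decode userAccountControl flags and evaluate password-expiry state in the
order the thread describes. Sample accounts are constructed, not real data.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# ADS_USER_FLAG_ENUM values quoted in the thread
ADS_UF_NORMAL_ACCOUNT = 0x200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000      # 65536: "password never expires"
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000  # 524288: unrelated to password expiry
ADS_UF_PASSWORD_EXPIRED = 0x800000       # 8388608: not used by AD over LDAP

FLAG_NAMES = {
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
    ADS_UF_TRUSTED_FOR_DELEGATION: "TRUSTED_FOR_DELEGATION",
    ADS_UF_PASSWORD_EXPIRED: "PASSWORD_EXPIRED",
}

# Difference between the FILETIME epoch (1601-01-01) and the Unix epoch, in 100-ns ticks
_FILETIME_UNIX_OFFSET = 116444736000000000


def decode_uac(value: int) -> List[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a pwdLastSet FILETIME to an aware UTC datetime."""
    return datetime.fromtimestamp((ft - _FILETIME_UNIX_OFFSET) / 10_000_000, tz=timezone.utc)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, used here to build sample values."""
    return int(dt.timestamp() * 10_000_000) + _FILETIME_UNIX_OFFSET


def password_state(uac: int, pwd_last_set: int, max_age: timedelta, now: datetime) -> str:
    """
    1. DONT_EXPIRE_PASSWD set -> pwdLastSet is ignored; the password never expires
    2. pwdLastSet == 0        -> hard expiry; user must change password at next logon
    3. otherwise              -> soft expiry; compare password age with the policy
    """
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if pwd_last_set == 0:
        return "must-change-at-next-logon"
    age = now - filetime_to_datetime(pwd_last_set)
    return "expired" if age >= max_age else "valid"


def audit(accounts: List[dict], max_age: timedelta, now: datetime) -> Dict[str, str]:
    """Map each sAMAccountName to its password state under the given policy."""
    return {
        a["sAMAccountName"]: password_state(a["userAccountControl"], a["pwdLastSet"], max_age, now)
        for a in accounts
    }


def never_expiring(accounts: List[dict]) -> List[str]:
    """Accounts carrying DONT_EXPIRE_PASSWD, the ones the reply recommends reviewing."""
    return [a["sAMAccountName"] for a in accounts if a["userAccountControl"] & ADS_UF_DONT_EXPIRE_PASSWD]


# Constructed sample: a fixed "now" and five accounts, none of them real
NOW = datetime(2005, 8, 3, 15, 22, tzinfo=timezone.utc)
POLICY_MAX_AGE = timedelta(days=90)
SAMPLE_ACCOUNTS = [
    # never-expires flag plus pwdLastSet 0: the combination the question asked for;
    # the flag wins, so the "must change" half never takes effect
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "pwdLastSet": 0},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200, "pwdLastSet": 0},
    {"sAMAccountName": "rsmith", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=95))},
    {"sAMAccountName": "amiller", "userAccountControl": 0x200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
    # 0x80000 is TRUSTED_FOR_DELEGATION, not a password-expiry flag
    {"sAMAccountName": "web01", "userAccountControl": 0x80200,
     "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10))},
]

if __name__ == "__main__":
    for name, state in audit(SAMPLE_ACCOUNTS, POLICY_MAX_AGE, NOW).items():
        uac = next(a["userAccountControl"] for a in SAMPLE_ACCOUNTS if a["sAMAccountName"] == name)
        print(f"{name:12} {state:26} {decode_uac(uac)}")
    print("review (never expires):", never_expiring(SAMPLE_ACCOUNTS))
```

Run against a real export, the same functions take the integer userAccountControl and pwdLastSet values as returned over LDAP; the svc_backup row shows why setting both properties cannot work, since the flag check happens before pwdLastSet is ever consulted.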
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fernandez Rego, Ramon
Sent: Wednesday, August 03, 2005 8:22 AM
To: [email protected]
Subject: [ActiveDir] Set UserAccountControl

Hi,
Is there any possibility of setting both properties?
"Password never expires" and "User must change password at next logon"
I tried with this script, but I can't:
------------------------------
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
m = 0
strOU = "cn=test,ou=usuarios,ou=XXXXXXX"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Size Limit") = 1001
objCommand.Properties("Cache Results") = False
objCommand.Properties("Page Size") = 1001
objCommand.CommandText = _
    "<LDAP://" & strOU & ",dc=asp,dc=mundo-r,dc=com>;(objectCategory=user)" & _
    ";distinguishedName,name,mail,ADsPath;subtree"
Set objRecordSet = objCommand.Execute
' Walk every user under the OU and rewrite its userAccountControl
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath")
    Set objUser = GetObject(strADsPath)
    objUser.Put "UserAccountControl", "524288" ' 0x80000 + 0x10200 = pass never exp + user must change
    objUser.SetInfo
    wscript.echo strADsPath & ";" & objUser.UserAccountControl
    m = m + 1
    objRecordSet.MoveNext
Wend
objConnection.Close
wscript.echo "Numero objetos afectados: " & m
------------------------------------------------------------------------------
Thanks,
Moncho
**************************************************************************************************
This message is addressed exclusively to its recipient. It may contain
privileged, confidential or legally protected information.
If you have received this message in error, please delete it immediately, together with all copies, and notify the sender.
Under current legislation, its use, disclosure, copying or printing without authorisation is prohibited.
Confidentiality or privilege is not waived by reason of an erroneous transmission.
**************************************************************************************************