Hi Don,
On Fri, Jul 11, 2008 at 5:33 PM, Miller, Don C. <[EMAIL PROTECTED]> wrote:
Alex, does setting 'pwdLastSet' => 0 not work for you? You can't set
the value to anything else but you should be able to set it to zero
which will force the expiration.
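# Writing 0 to pwdLastSet marks the password as expired, so the user has to
# pick a new one at the next logon. modify() returns a message object rather
# than dying, so the result code is checked explicitly.
my $mesg = $ldap->modify($dn, replace => { 'pwdLastSet' => 0 });
$mesg->code and die 'Failed to expire password: ', $mesg->error;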
Thank you, it works. Below is my complete code for the archive.
I haven't found out how to mimic VBScript's AccountDisabled=FALSE
in Perl, but the user creation seems to work OK without it too.
Greetings from Germany
Alex
#!/usr/bin/perl -w
use strict;
use Net::LDAPS;
use Net::LDAP qw(LDAP_SUCCESS LDAP_ALREADY_EXISTS);
use Unicode::Map8;
use Unicode::String qw(utf16);
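# Container that receives the new account. The DN is kept on one line: a line
# break inside the quotes would become part of the DN string itself.
use constant ROOTDN => 'OU=ImportedExt,OU=User Accounts,DC=internal,DC=XXX,DC=com';
use constant DOMAIN => 'internal.XXX.com';
# Array reference of domain controllers handed to Net::LDAPS->new.
use constant SERVER => ['ablwdc01.' . DOMAIN, 'ablwdc02.' . DOMAIN];
# Placeholder bind credentials.
# NOTE(review): a real admin password stored in the script is readable by
# anyone who can read the file, its backups or its version history. Load it
# from a protected source at run time, and bind with an account that is
# delegated only the rights it needs on ROOTDN.
use constant ADMIN => 'XXXXXXX';
use constant ADMPW => 'XXXXXX';
# userAccountControl value written after creation to enable the account.
use constant NORMAL_ACCOUNT => 0x200;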
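# Create an Active Directory user over LDAPS, set its initial password, force
# a password change at first logon and enable the account.

# Attributes of the account to create (sample values). Each value is assigned
# by name so that a value containing whitespace cannot shift the others, as
# it would in a qw() list.
my $uid      = 'perl_test';
my $first    = 'perl';
my $last     = 'test';
my $mail     = 'perl_test@example.invalid';    # placeholder; the address is redacted in the post
my $city     = 'Bochum';
my $company  = 'XXX';
my $password = 'xxxxxxx123';
my $fullname = "$first $last";
my $dn       = "cn=$uid," . ROOTDN;

# SERVER is an array reference; join it so messages show host names instead
# of ARRAY(0x...).
my $servers = join ', ', @{ SERVER() };

# NOTE(review): no `verify` option is given, so certificate checking is left
# to the installed Net::LDAP default, which in older releases is 'none'. The
# bind password and unicodePwd travel over this connection; passing
# verify => 'require' together with cafile or capath for the domain CA makes
# the check explicit.
my $ldap = Net::LDAPS->new(SERVER)
    or die 'Could not connect to LDAP server ' . $servers . ': ' . $@;

# bind() returns a message object that is always true, so `or die` would never
# fire on bad credentials; the result code has to be inspected instead.
my $result = $ldap->bind(ADMIN . '@' . DOMAIN, password => ADMPW);
$result->code
    and die 'Could not bind to LDAP server ' . $servers . ' as ' . ADMIN . ': ',
            $result->error;

# unicodePwd takes the password wrapped in double quotes and encoded as
# little-endian UTF-16; the latin1 map limits passwords to that character set.
my $charmap = Unicode::Map8->new('latin1') or die $!;
my $unipwd  = $charmap->tou(qq{"$password"})->byteswap()->utf16();

$result = $ldap->add(
    $dn,
    attr => [
        objectClass                => 'user',
        sAMAccountName             => $uid,
        userPrincipalName          => $uid . '@' . DOMAIN,
        givenName                  => $first,
        sn                         => $last,
        displayName                => $fullname,
        description                => $fullname,
        mail                       => $mail,
        l                          => $city,
        physicalDeliveryOfficeName => $city,
        company                    => $company,
        unicodePwd                 => $unipwd,
    ],
);
if ($result->code != LDAP_SUCCESS) {
    # Give the common case a readable hint before aborting with the full error.
    warn "User $uid already exists!\n"
        if $result->code == LDAP_ALREADY_EXISTS;
    die 'Failed to add user: ', $result->error;
}

# pwdLastSet = 0 expires the password so the user must change it at next logon.
$result = $ldap->modify($dn, replace => { pwdLastSet => 0 });
$result->code and die 'Failed to modify user: ', $result->error;

# Enable the account by replacing userAccountControl with NORMAL_ACCOUNT.
$result = $ldap->modify($dn, replace => { userAccountControl => NORMAL_ACCOUNT });
$result->code and die 'Failed to enable user: ', $result->error;

$ldap->unbind;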