
Force users to change password at next logon


gmagerr (Technical User, joined Aug 11, 2001, 323 posts, US)
I have a script that is supposed to force the user to change their password at the next logon. Unfortunately it isn't working. Here's what I have.
Code:
' PwdLastSet.vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important: change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Password_Test_OU, "
strContainer = strContainer & strDNSDomain
intCounter = 0
' pwdLastSet = 0 is the "User must change password at next logon" flag
intPwdValue = 0

' Loop through the OU, resetting all user accounts
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
   If objUser.Class = "user" Then
      ' NOTE: this resets every account's password to the literal "password"
      objUser.SetPassword "password"
      objUser.Put "pwdLastSet", intPwdValue
      objUser.SetInfo
      ' Count only the user objects actually changed
      intCounter = intCounter + 1
   End If
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
   & vbCr & "Accounts changed = " & intCounter
WScript.Quit

' End of Sample PwdLastSet VBScript
In the user account in AD, under the Account tab, the "User cannot change password" and "Password never expires" boxes are checked. When I manually uncheck those, the script works.
Is there a way to uncheck those two boxes with this script? Thanks.
 
Yes, here is sample code to SET the password to never expire.

Code:
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

' Test the single bit rather than the whole value
If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    WScript.Echo "Already enabled"
Else
    ' Xor toggles the bit; it sets the flag here only because the test
    ' above showed it is clear. To clear an already-set flag use
    ' intUAC And (Not ADS_UF_DONT_EXPIRE_PASSWD) instead.
    objUser.Put "userAccountControl", intUAC Xor _
        ADS_UF_DONT_EXPIRE_PASSWD
    objUser.SetInfo
    WScript.Echo "Password never expires is now enabled"
End If

Set the value to zero instead of &h10000 to force the password to be able to expire.

For the user cannot change password here is some sample code.
Code:
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const USER_CHANGE_PASSWORD_RIGHTSGUID = _
   "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

Set oUser = _
   GetObject("LDAP://cn=todd,ou=na,dc=microsoft,dc=com")
Set oSD = oUser.Get("nTSecurityDescriptor")
Set oDacl = oSD.DiscretionaryAcl

' "User cannot change password" is stored as deny ACEs on the
' change-password extended right for Everyone and NT AUTHORITY\SELF,
' so match both trustees (strTrustee was previously undefined)
For Each ace In oDacl
   strTrustee = LCase(ace.Trustee)
   If (strTrustee = "everyone") Or (strTrustee = "nt authority\self") Then
      If ((ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) _
         And (LCase(ace.ObjectType) = _
         USER_CHANGE_PASSWORD_RIGHTSGUID)) Then
            oDacl.RemoveAce ace
      End If
   End If
Next

oSD.DiscretionaryAcl = oDacl
oUser.Put "nTSecurityDescriptor", Array(oSD)
oUser.SetInfo

I hope you find this post helpful.

Regards,

Mark
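Putting the three pieces of this thread together, the following is an added example (not code from the thread or from the cited samples) that clears both checkboxes on one account and then sets pwdLastSet to 0 so the "must change password at next logon" flag actually takes effect. The DN is a placeholder, and the trustee names assume the "User cannot change password" box is implemented as deny ACEs for Everyone and NT AUTHORITY\SELF.

```vbscript
Option Explicit
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const USER_CHANGE_PASSWORD_RIGHTSGUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

Dim objUser, intUAC, oSD, oDacl, ace, strTrustee, intRemoved

' Placeholder DN: replace with the account you are resetting
Set objUser = GetObject("LDAP://cn=SomeUser,ou=Password_Test_OU,dc=example,dc=com")

' 1. Clear "Password never expires". And Not clears the bit no matter
'    what its current state is; Xor would toggle it instead.
intUAC = objUser.Get("userAccountControl")
If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
   objUser.Put "userAccountControl", intUAC And (Not ADS_UF_DONT_EXPIRE_PASSWD)
   objUser.SetInfo
   WScript.Echo "Cleared: Password never expires"
End If

' 2. Clear "User cannot change password" by removing the deny ACEs on the
'    change-password extended right (assumed trustees: Everyone, SELF)
Set oSD = objUser.Get("nTSecurityDescriptor")
Set oDacl = oSD.DiscretionaryAcl
intRemoved = 0
For Each ace In oDacl
   strTrustee = LCase(ace.Trustee)
   If (strTrustee = "everyone") Or (strTrustee = "nt authority\self") Then
      If (ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
         (LCase(ace.ObjectType) = USER_CHANGE_PASSWORD_RIGHTSGUID) Then
         oDacl.RemoveAce ace
         intRemoved = intRemoved + 1
      End If
   End If
Next
If intRemoved > 0 Then
   oSD.DiscretionaryAcl = oDacl
   objUser.Put "nTSecurityDescriptor", Array(oSD)
   objUser.SetInfo
   WScript.Echo "Cleared: User cannot change password (" & intRemoved & " ACEs)"
End If

' 3. Only now does pwdLastSet = 0 force a change at next logon
objUser.Put "pwdLastSet", 0
objUser.SetInfo
WScript.Echo "User must change password at next logon"
```

Run it as an account with write access to the user object; step 2 writes the whole security descriptor back, so test it on a single account in the test OU first.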
 
Wow. Mark, once again you are THE MAN!
 