password change enforcement needed -- help

Status
Not open for further replies.

Rosee

IS-IT--Management
Dec 12, 2001
187
US
I have settings in place which should force our computer users to change their password on a certain day. On our main domain, the settings are:

* domain security policy -> account policy -> password policy -> Maximum password age -> 21 days
* domain security policy -> local policies -> prompt user to change password before expiration -> 5 days

The reason I have 21 days is that I would like everyone to get the password changed on 06/01/05 (the setting was done on 05/11/05). I was expecting to see the warning message asking to change password starting 05/27/05 (5 days before June 1). But I haven't gotten it so far.

Tomorrow is 06/01/05. What do I need to do in order to get everyone's password changed by tomorrow? Any suggestions??? Help!!!!
 
Force the users to change password at next logon until you can figure out what went wrong on your policies.

Nick
 
Thanks, Nick.

Do I have to set up this for every user account?
Is there an easy way that I can force users to change password at next logon? Let's say, one setting works for all.
 
It depends on how you have set up your AD Structure.

Do you understand how OU's and GPO's work?

You can do it on a User Level or you can get tricky with adding all the users to an OU and then applying a GPO to that OU with a Min Password age of 1 day and Maximum Password age of 1 day.

This way tomorrow when they try to log in it will force them to change their passwords.

I do not recommend making any changes to the domain security policy, only b/c it gets confusing down the line when you start creating GPO's.

I would recommend creating OU's and adding the users to the OU's and then creating Group Policy Objects (GPO's) to do all of your security settings such as password age and so forth.

You just need to make sure that each client is using your Active Directory Integrated DNS Server (ADI-DNS) as its primary DNS server.
 
I think you will find the only place that you can set password policy is in the Default Domain Policy. You can set it at the OU level but it will be ineffective.
 
Thanks all.

From start -> programs -> administrative tools ->, I saw one is called "domain security policy" and another one is called "domain controller security policy". Any difference between those two?

Do I need to define settings under domain controller security policy, the same as the settings under domain security policy: Maximum password age, Minimum password age, and Minimum password length? At this point, there are no settings on domain controller security policy regarding password changes.
 
You make the changes in the Domain Security Policy...the other one is there so you can lock your DC's down tight.

I'm Certifiable, not certified.
It just means my answers are from experience, not a book.
 
Create a schedule to pop script the night before to reset all users' passwords. All you need to do is change: <GC://ou=myou,dc=mydomain,dc=com> to reflect the domain or ou you want to reset.

Code:
Dim objUser, objCommand, objConnection, objRecordset
Dim strUser

' Create connection object
Set objConnection = CreateObject("ADODB.Connection")

' Open connection
objConnection.Open "Provider=ADsDSOObject;"

' Create command object
Set objCommand = CreateObject("ADODB.Command")

' Establish active connection
objCommand.ActiveConnection = objConnection

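' Page the results; without a page size the search stops at the
' server's result limit (1000 records by default)
objCommand.Properties("Page Size") = 1000

' Search the OU subtree for user objects and return their DNs
objCommand.CommandText = _
    "<GC://ou=myou,dc=mydomain,dc=com>;(objectCategory=User)" & _
        ";distinguishedName;subtree"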

' Populate recordset object 
Set objRecordSet = objCommand.Execute

' Enumerate users and require users to change password
Do Until objRecordset.EOF
    strUser = objRecordset.Fields("distinguishedName")
    Set objUser = GetObject("LDAP://" & strUser)
    objUser.Put "pwdLastSet", 0
    objUser.SetInfo
    objRecordset.MoveNext
Loop

' Close ADO objects 
objRecordset.Close 
objConnection.Close

' Release resources
Set objUser = Nothing
Set objRecordset = Nothing
Set objConnection = Nothing
Set objCommand = Nothing

Paul

Work on Windows, play on Linux.
 
Sorry, not to reset but to force a password change.

Paul

Work on Windows, play on Linux.
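
An added example, not part of the thread or of any poster's script: it shows how each account's expiry is derived from its own pwdLastSet plus the maximum password age, where the warning window falls, and why pwdLastSet = 0 forces a change at next logon. It uses the thread's 21-day and 5-day settings; the account names, timestamps and helper names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NORMAL_ACCOUNT = 0x200          # userAccountControl bit for an ordinary user
DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl bit: password never expires

def to_filetime(dt):
    """datetime -> 100-ns ticks since 1601-01-01 UTC (how pwdLastSet is stored)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_state(pwd_last_set, uac, now, max_age_days=21, warn_days=5):
    """Classify one account; returns (state, expiry datetime or None)."""
    if uac & DONT_EXPIRE_PASSWORD:
        return "never_expires", None          # exempt from the maximum age
    if pwd_last_set == 0:
        return "must_change_at_next_logon", None
    # Expiry is per account: last change time plus the maximum password age.
    expires = from_filetime(pwd_last_set) + timedelta(days=max_age_days)
    if now >= expires:
        return "expired", expires
    if now >= expires - timedelta(days=warn_days):
        return "warning", expires             # inside the prompt window
    return "ok", expires

def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)

# Constructed sample accounts: (name, pwdLastSet, userAccountControl)
ACCOUNTS = [
    ("alice", to_filetime(utc(2005, 5, 11, 9)), NORMAL_ACCOUNT),
    ("bob", to_filetime(utc(2005, 5, 25, 9)), NORMAL_ACCOUNT),
    ("carol", to_filetime(utc(2005, 4, 1, 9)), NORMAL_ACCOUNT),
    ("dave", 0, NORMAL_ACCOUNT),
    ("svc_backup", to_filetime(utc(2004, 1, 1)),
     NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
]

def report(accounts, now):
    return {name: password_state(pls, uac, now) for name, pls, uac in accounts}

if __name__ == "__main__":
    for name, (state, expires) in report(ACCOUNTS, utc(2005, 5, 31, 12)).items():
        print(f"{name:12} {state:26} {expires or '-'}")
```

Only the constructed account whose password was last set on 05/11/05 lands on a 06/01/05 expiry; the others expire on dates that follow from their own last change.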
 