• Is it possible to reset "pwdLastSet" attribute to certain date

    From Bruno Souza - r4ibOm@21:1/5 to All on Thu Sep 9 07:23:51 2021
    On Thursday, February 4, 2010 at 16:18:01 UTC-2, Mugen wrote:
    Hi,
    Is anyone able to review the script I tried and see why it is not working?
    Thanks.
    "Mugen" wrote:
    Hi,

    Thanks for your help!

    I tried this VB script to test an individual account in the default "users" OU.
    It seems to have run successfully without any error. I got a Windows Script
    Host window with "PwdLastSet= -1 and Accounts changed = -1". However, when I
    checked the PwdLastSet attribute, nothing had changed. It is still showing the
    last password set was 1 year ago. Here is the VB script I tried; I put
    asterisks at the end of each line where I made a change.

    Can you take a look at what went wrong?

    ' PwdLastSet .vbs
    ' Sample VBScript to force a user to change password at next logon
    ' Author Guy Thomas http://computerperformance.co.uk/
    ' Version 1.1 - May 2005
    ' --------------------------------------------------------------'
    Option Explicit
    Dim objOU, objUser, objRootDSE
    Dim strContainer, strDNSDomain
    Dim intCounter, intPwdValue

    ' Bind to Active Directory Domain
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("DefaultNamingContext")

    ' -------------------------------------------------------------'
    ' Important change OU= to reflect your domain
    ' -------------------------------------------------------------'
    strContainer = "cn=test account,cn=users,dc=domain,dc=com, " ' ******
    strContainer = strContainer & strDNSDomain
    intCounter = -1 ' **********
    ' Here we force a reset password date
    intPwdValue = -1 ' ***********

    ' Loop through OU=, resetting all user accounts
    set objOU =GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com") ' *****
    For each objUser in objOU
    If objUser.class="user" then
    objUser.Put "PwdLastSet", intPwdValue
    objUser.SetInfo
    End If
    intCounter = intCounter +1
    Next

    ' Optional section to record how many accounts have been set
    WScript.Echo "PwdLastSet = " & intPwdValue _
    & vbCr & "Accounts changed = " & intCounter
    WScript.Quit

    ' End of Sample PwdLastSet VBScript




    "Richard Mueller [MVP]" wrote:


    "Mugen" <Mu...@discussions.microsoft.com> wrote in message news:A37AA81D-9251-436C...@microsoft.com...
    Hi Kj and Richard,

    Thanks for your reply!

    I just want to double check: if I run a script and set the "pwdLastSet"
    attribute to -1, will that reset all the users to today's date?
    Because I want to do that first before I enforce the password policy on the
    whole domain for "password expire in 90 days". That way, I can just email
    everyone saying the policy has been applied and everyone needs to change
    their password every 90 days from now on. Otherwise, most of the users will
    get a password expiry the first day I apply the password policy. Hope that
    makes sense...

    Do you know if there is a script I can download for resetting "pwdLastSet"
    to -1 for multiple users or whole Domain?

    Thanks and really appreciate your help!
    Mugen

    If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
    The next time the user authenticates, a value corresponding to the current
    date and time is automatically assigned by the system. Still, if you assign
    -1 to everyone today, and they all log on tomorrow, then everyone's
    password will expire on the same day 90 days in the future. I've found this
    to be a problem when users are not used to changing passwords. You still might
    want to assign -1 to groups of users to spread out the load on your support.

    You can use ADO in a VBScript program to retrieve the DN of all users (or
    all users in an OU, or all users in a group), enumerate the users, bind to
    each user object, assign -1 to pwdLastSet, and save the changes. For example, for all users in the domain:
    ==========
    Option Explicit

    Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
    Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

    ' Setup ADO objects.
    Set adoCommand = CreateObject("ADODB.Command")
    Set adoConnection = CreateObject("ADODB.Connection")
    adoConnection.Provider = "ADsDSOObject"
    adoConnection.Open "Active Directory Provider"
    Set adoCommand.ActiveConnection = adoConnection

    ' Search entire Active Directory domain.
    Set objRootDSE = GetObject("LDAP://RootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    strBase = "<LDAP://" & strDNSDomain & ">"

    ' Filter on user objects.
    strFilter = "(&(objectCategory=person)(objectClass=user))"

    ' Comma delimited list of attribute values to retrieve.
    strAttributes = "distinguishedName"

    ' Construct the LDAP syntax query.
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
    adoCommand.CommandText = strQuery
    adoCommand.Properties("Page Size") = 100
    adoCommand.Properties("Timeout") = 30
    adoCommand.Properties("Cache Results") = False

    ' Run the query.
    Set adoRecordset = adoCommand.Execute

    ' Enumerate the resulting recordset.
    Do Until adoRecordset.EOF
    ' Retrieve values.
    strDN = adoRecordset.Fields("distinguishedName").Value
    ' Bind to user object.
    Set objUser = GetObject("LDAP://" & strDN)
    ' Make password not expired.
    objUser.pwdLastSet = -1
    ' Save changes.
    objUser.SetInfo
    ' Move to the next record in the recordset.
    adoRecordset.MoveNext
    Loop

    ' Clean up.
    adoRecordset.Close
    adoConnection.Close
    ==========
    To modify the code for all users in an OU, change the base of the ADO query
    from this:

    strBase = "<LDAP://" & strDNSDomain & ">"

    To specify the DN of the OU, similar to:

    strBase = "<LDAP://ou=Sales,ou=West,dc=MyDomain,dc=com>"

    To restrict the ADO query to members of a group, you can change the filter
    statement from this:

    strFilter = "(&(objectCategory=person)(objectClass=user))"

    to add a clause specifying the DN of the group. For example (one line):

    strFilter = "(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"

    I hope this helps.

    --
    Richard Mueller
    MVP Directory Services
    Hilltop Lab - http://www.rlmueller.net
    --




    Hello,

    For this change to work, you first need to change the value to 0 and then to -1. For example:

    objUser.Put "pwdLastSet", 0
    objUser.SetInfo

    objUser.Put "pwdLastSet", -1
    objUser.SetInfo

    After that you can check the attribute again in AD and it will have the current date =)
    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
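
Added example (not part of the original thread or of either script above): before enforcing the 90-day policy, pwdLastSet values exported from the directory can be checked offline to see which accounts would expire immediately and how many expiries fall on the same day, the two concerns raised in the quoted messages. The account names and dates are constructed, and the function names are hypothetical.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)
MAX_AGE = timedelta(days=90)  # the 90-day policy from the thread

def filetime_to_datetime(value):
    """pwdLastSet counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def datetime_to_filetime(moment):
    """Inverse conversion, used here only to build the constructed sample."""
    return (moment - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def plan_expiry(accounts, policy_start, max_age=MAX_AGE):
    """Return (must_change, expired_at_start, expiries_per_day)."""
    must_change, expired_at_start, per_day = [], [], Counter()
    for name, pwd_last_set in accounts:
        if pwd_last_set == 0:
            # 0 means the user must change the password at next logon.
            must_change.append(name)
            continue
        expires = filetime_to_datetime(pwd_last_set) + max_age
        if expires <= policy_start:
            expired_at_start.append(name)
        else:
            per_day[expires.date()] += 1
    return must_change, expired_at_start, per_day

# Constructed sample: account names and dates are made up for illustration.
SAMPLE = [
    ("alice", datetime_to_filetime(datetime(2009, 1, 15, tzinfo=UTC))),
    ("bob", datetime_to_filetime(datetime(2010, 1, 20, tzinfo=UTC))),
    ("carol", 0),
    ("dave", datetime_to_filetime(datetime(2010, 2, 4, tzinfo=UTC))),
    ("erin", datetime_to_filetime(datetime(2010, 2, 4, tzinfo=UTC))),
]

if __name__ == "__main__":
    must, expired, per_day = plan_expiry(SAMPLE, datetime(2010, 2, 5, tzinfo=UTC))
    print("must change at next logon:", must)
    print("expired when the policy starts:", expired)
    for day, count in sorted(per_day.items()):
        print(day, "->", count, "account(s) expire")
```

A day with a large count in the per-day tally is where staggering the reset across groups of users would spread the support load.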