Hi,

I have a script (vbs) that changes PwdLastSet for a user to zero, and
that is supposed to force them to change password at next logon but
they don't get the prompt. I can see that the value is set to zero
successfully. Are there other account parameters that would stop it
from working?

I am trying to do a one-off forced password change for sections of my
domain with this from MS:

' Bind to the user object via ADSI
Set objUser = GetObject _
("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
' pwdLastSet = 0 marks the password as expired (change at next logon)
objUser.Put "pwdLastSet", 0
' Write the change back to the directory
objUser.SetInfo

http://tinyurl.com/3dvejj

Thanks

--

Re: Forcing password change with PwdLastSet=0 doesn't work by Joseph

Joseph
Tue Aug 12 10:54:33 PDT 2008

Yes, if the "Password never expires" flag is set within the
userAccountControl bitmask of an account, a value of 0 in pwdLastSet won't
do anything. You aren't getting an error because ADSI will "allow" you to
manually set the value. If you give this a shot in ADU&C, you'll notice that
both "User must change password at next logon" and "Password never expires"
can never be set at the same time without being greeted by an error message.
The reason is that pwdLastSet essentially expires that password - but you've
explicitly (either intentionally or unintentionally) told AD that the user
cannot have an expired password. Take a look at the following to
programmatically find out if this is the case (you can always just look at
the properties of an object as well).

http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct06/hey1031.mspx
http://support.microsoft.com/kb/305144
http://msdn.microsoft.com/en-us/library/aa772300.aspx

--
Joseph T. Corey MCSE, MCITP-EA
Windows Systems Administrator
http://joecorey.wordpress.com/

"£Jim" <nospam@any.time> wrote in message
news:ulJDQAK$IHA.3656@TK2MSFTNGP03.phx.gbl...
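A way to check Joseph's point programmatically, as an added example that is not part of this thread: a Python script that reads an attribute export in adfind's text layout (a "dn:" line followed by ">attribute: value" lines, blank line between objects) and reports, per account, whether pwdLastSet=0 will actually force a change at next logon. The sample dump, account names and attribute values below are constructed; the bit values are the documented userAccountControl flags (ADS_USER_FLAG_ENUM). The disabled-account bit is checked as well, since such a user never reaches a logon prompt at all.

```python
"""Audit an exported list of AD users: will pwdLastSet=0 force a change?

Added example, not code from the thread. Input is a constructed dump in
adfind's text layout; the DNs and values are made up for illustration.
"""
import re

# userAccountControl bit values (ADS_USER_FLAG_ENUM in the ADSI docs)
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

# Constructed sample in adfind output style (not real directory data)
SAMPLE_DUMP = """\
dn:CN=MyerKen,OU=Management,DC=NA,DC=fabrikam,DC=com
>userAccountControl: 66048
>pwdLastSet: 0

dn:CN=AlwaysExpires,OU=Management,DC=NA,DC=fabrikam,DC=com
>userAccountControl: 512
>pwdLastSet: 0

dn:CN=NotYetReset,OU=Management,DC=NA,DC=fabrikam,DC=com
>userAccountControl: 512
>pwdLastSet: 128646578921234567
"""

ATTR_RE = re.compile(r">?\s*([^:]+):\s*(.*)$")


def parse_dump(text):
    """Return {dn: {attribute: value}} from adfind-style text output."""
    objects = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the current object
            current = None
            continue
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
            objects[current] = {}
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            objects[current][m.group(1).strip()] = m.group(2).strip()
    return objects


def will_force_change(uac, pwd_last_set):
    """Return (forced, reason) for one account.

    pwdLastSet=0 only expires the password if the directory is allowed to
    treat it as expired, i.e. DONT_EXPIRE_PASSWD is clear in the bitmask.
    """
    if pwd_last_set != 0:
        return False, "pwdLastSet is not 0"
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return False, "Password never expires is set (DONT_EXPIRE_PASSWD)"
    if uac & ADS_UF_ACCOUNTDISABLE:
        return False, "account is disabled, so the user cannot log on"
    return True, "password expired by pwdLastSet=0"


def audit(text):
    """Map each DN in the dump to its (forced, reason) verdict."""
    results = {}
    for dn, attrs in parse_dump(text).items():
        uac = int(attrs.get("userAccountControl", "0"))
        pls = int(attrs.get("pwdLastSet", "0"))
        results[dn] = will_force_change(uac, pls)
    return results


if __name__ == "__main__":
    for dn, (forced, why) in audit(SAMPLE_DUMP).items():
        print(f"{'FORCED' if forced else 'NO    '}  {dn}: {why}")
```

Running it against a real export (for example the output of an adfind query for userAccountControl and pwdLastSet) lists exactly the accounts that will silently keep their password after the script in the original post, which is the set that needs the "Password never expires" flag cleared first.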


Re: Forcing password change with PwdLastSet=0 doesn't work by Jorge

Jorge
Mon Aug 18 13:50:22 PDT 2008

adfind -default -f "&(objectcategory=person)(objectclass=user)" -dsq | admod pwdLastSet::0 -unsafe

will touch EVERY user in the AD domain, so you might want to use:
ADfind -b "DN of OU" instead of adfind -default
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"£Jim" <nospam@any.time> wrote in message
news:ulJDQAK$IHA.3656@TK2MSFTNGP03.phx.gbl...


Re: Forcing password change with PwdLastSet=0 doesn't work by nospam

nospam
Tue Aug 19 07:27:12 PDT 2008

Thanks, I think that's probably it. Most of the accounts are set never
to expire.
--



Joseph T Corey wrote:

Re: Forcing password change with PwdLastSet=0 doesn't work by nospam

nospam
Tue Aug 19 07:28:54 PDT 2008

Wow, thanks. Can you point me to documentation for that command?
--



Jorge de Almeida Pinto [MVP - DS] wrote:

Re: Forcing password change with PwdLastSet=0 doesn't work by Jorge

Jorge
Tue Aug 19 08:16:43 PDT 2008

adfind -b "OU=Something,DC=DOMAIN,DC=COM" -f "&(objectcategory=person)(objectclass=user)" -dsq | admod pwdLastSet::0 -unsafe

will touch every user in "OU=Something,DC=DOMAIN,DC=COM"

--

"£Jim" <nospam@any.time> wrote in message
news:efonpfgAJHA.4312@TK2MSFTNGP02.phx.gbl...