
Active Directory PasswordExpirationDate

Status
Not open for further replies.

spd32177

IS-IT--Management
Jun 13, 2005
7
US
The situation I am in now is that we currently have a ton of user accounts that have “password never expires” checked.

Now, the problem is, I need to uncheck these accounts for security reasons, however I don’t want to be slammed with phone calls saying their accounts are not working, etc. So my question is, how do I change the PasswordExpirationDate property in AD?

Any ideas? This would be a HUGE HELP!
 
Are you looking for an automated way to do this or just looking for ideas on best practices?

Have you established a policy on how long a password is good for, etc.?

There are some relatively simple scripts that can set the expiration for you... I can point you in the right direction if that is what you're looking for. Otherwise you might want to try searching the Forums for an active directory if you're looking for a "best practices" solution.
 
Yes, I am looking for an automated way of doing this...

We do have a password complexity policy for passwords, etc...

I have come across some scripts such as:

strDate = "06/15/2005"
objUser.PasswordExpirationDate = CDate(strDate)
objUser.SetInfo

This does not work....

Any thoughts?
 
Do you have more code than this or is this it?

What error are you getting? "This does not work...." is not very helpful in troubleshooting any problems...
 
That is the basic code that I found by googling what I am looking for. There are not many answers to this problem I am having.... Do you have any ideas or code snippets?
 
PasswordExpirationDate exposed by the user object of WinNT provider is read-only. To change the password expiration date, [1] you need to do it via LDAP provider; [2] determine the domain's maxPwdAge (64-bit); [3] change the user's pwdLastSet (64-bit).

If the problem now is because they have the setting that password never expire (ADS_UF_DONT_EXPIRE_PASSWD), you need to turn it off in the userAccountControl as a start.

You sure will benefit from the detailed explanation in the MSDN article:

But, nothing can replace the documentation.

- tsuji
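
The three steps outlined in the reply above, as an added VBScript/ADSI example for a single account (it is not code from the thread or its participants). The domain and user distinguished names are placeholders, and `Int8ToDouble` is a helper introduced here.

```vbscript
' Added example, not from the original thread. Both DNs are placeholders.
Option Explicit
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const INTERVALS_PER_DAY = 8.64E11          ' 100-ns intervals in 24 hours
Const DOMAIN_DN = "DC=example,DC=com"
Const USER_DN = "CN=Test User,OU=Staff,DC=example,DC=com"

' Convert an ADSI IADsLargeInteger (64-bit) to a Double.
' LowPart is exposed as a signed Long, so re-base it when negative.
Function Int8ToDouble(objInt8)
    Dim dblLow
    dblLow = objInt8.LowPart
    If dblLow < 0 Then dblLow = dblLow + 2 ^ 32
    Int8ToDouble = objInt8.HighPart * 2 ^ 32 + dblLow
End Function

Dim objDomain, objMaxAge, dblTicks, dblMaxAgeDays, objUser, lngUAC

' [1]/[2] Bind with the LDAP provider and read the domain's maxPwdAge,
' a negative 64-bit count of 100-ns intervals.
Set objDomain = GetObject("LDAP://" & DOMAIN_DN)
Set objMaxAge = objDomain.Get("maxPwdAge")
dblTicks = Abs(Int8ToDouble(objMaxAge))
If dblTicks = 0 Or objMaxAge.HighPart = &H80000000 Then
    WScript.Echo "Domain policy sets no maximum password age; nothing would expire."
    WScript.Quit 1
End If
dblMaxAgeDays = Int(dblTicks / INTERVALS_PER_DAY)

' Turn off "password never expires" in userAccountControl.
Set objUser = GetObject("LDAP://" & USER_DN)
lngUAC = objUser.Get("userAccountControl")
If (lngUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    objUser.Put "userAccountControl", lngUAC And (Not ADS_UF_DONT_EXPIRE_PASSWD)
    objUser.SetInfo
End If

' [3] pwdLastSet accepts only 0 (must change at next logon) or -1 (stamp
' with the current time). Ending on -1 restarts the age clock, so the
' existing password stays valid for one more full maxPwdAge period;
' stop after the 0 to force an immediate change instead.
objUser.Put "pwdLastSet", 0
objUser.SetInfo
objUser.Put "pwdLastSet", -1
objUser.SetInfo

objUser.GetInfo   ' refresh the property cache before reading back
WScript.Echo objUser.Get("sAMAccountName") & " expires on " & _
    DateAdd("d", dblMaxAgeDays, objUser.PasswordLastChanged)
```

Run it with `cscript` under an account that has write access to the user object, and test against one account before wrapping it in a loop.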
 
OK, thanks tsuji!

However, you wouldn't happen to have any code to go along with that would you?
 
With the steps/objects/properties outlined, you can google a bit to find good scripts. Else you can come up with what you get and pose precise problem here or vbs forum, or less active ones like ldap forum. (Or somebody here might not resist to offer you full script, I don't know.)
 
Thank you, but I understand that, but change the user's pwdLastSet (64-bit) is not a date, is set as:

pwdLastSet = 0;

or

pwdLastSet = -1;

This will not change the date in the PasswordExpirationDate and there isn't any code on the LDAP provider located on Google somewhere because I have searched Google up and down...

Any more thoughts?
 
OK, I'll have to figure this out on my own...

Thanks for everyone's help.

I'll let you know how it turns out.
 
>>i'll have to figure this out on my own

Not quite. You have already been helped out and pointed in a good direction. This is not a site where people sit around and wait to write custom solutions for everyone's problems.

We have no problems helping someone out. It just seems that you want someone to do all this for you, and with this being a fairly complex issue that is not all that common, you're not likely to have someone do as you want (write it for you).

Once you come up with some base code and are having some issues, come back here and there will be plenty of help available. I would love to write a complete solution for this as I am interested myself but frankly don't have enough time to finish all of my own work... let alone someone else's....

I hope I got the point across without being too offensive... it may be a good idea for you to have a look at FAQ222-2244 for some more guidelines on the usage of this forum....

Good luck....

 