Discussion:
Is it possible to reset "pwdLastSet" attribute to certain date?
Mugen
2010-02-01 20:20:01 UTC
Hi,

I am trying to enforce a password policy for a domain (enforce password
expiry every 90 days, minimum 6 characters, etc.). I am running Windows 2003
AD. But here is the problem: most of the existing users' passwords are more
than 90 days old, which means their accounts will expire right away as soon as
I enable the password policy, because AD will look at the time stamp of the
pwdLastSet attribute.

My question is whether it is possible to reset the pwdLastSet attribute value to
a certain date. I searched around and found there are two values to set (0 and
-1). 0 will make users change their password at next logon, but I do not want to
do that. I would hope I can reset it to today's date or a pre-defined date.

Another question is what happens to service accounts that keep running in the
background every minute (but never log in from the console). Do those
accounts expire immediately while running in the background, or are they not
affected until a user logs in at the console?


Thanks.

Mugen
kj [SBS MVP]
2010-02-01 20:50:08 UTC
0 means expired, -1 says the password was just set and the 'count down to
policy' (90 days) starts anew.

You can keep doing the -1 until you get the initial user 'expiration stagger'
you want, but I wouldn't suggest pushing these out very long at all. A few
days to a few weeks (if you have a lot of users).
--
/kj
Richard Mueller [MVP]
2010-02-01 21:03:13 UTC
A service account, like any other, is affected when it authenticates (unless
the account has "password never expires" set). This will happen when the
service starts.

As noted, you cannot assign a value corresponding to a date to the
pwdLastSet attribute. Perhaps you can start with a larger maxPwdAge value,
so all users with passwords older than, say, 120 days expire, then gradually
reduce the value until 90 days is enforced. Or create several text files
with user DNs and assign 0 to the pwdLastSet attribute only for users in
one of the files at a time, perhaps one group per week. After all have been
forced to change their password, set maxPwdAge to 90 days.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
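A pre-flight check for the approach Richard describes, added here as an example and not part of the thread or of any poster's script: before lowering maxPwdAge, list the enabled accounts whose passwords are already older than the proposed limit, so you can see which users and service accounts would hit expiry at their next authentication and which are exempt because "Password never expires" is set. It assumes Windows PowerShell with the built-in ADSI .NET classes (no AD module), so it can run against a Windows 2003 domain; the -ProposedMaxAgeDays parameter defaults to the thread's 90 days, and 0x2 / 0x10000 are the standard userAccountControl bits for account-disabled and password-never-expires.

```powershell
<#
Added example (not from the thread). Reports which enabled accounts would be past
the proposed maxPwdAge right now, i.e. would expire at their next authentication.
Assumes Windows PowerShell + System.DirectoryServices (ADSI); no RSAT/AD module.
#>
param([int]$ProposedMaxAgeDays = 90)   # assumption: the 90-day limit from the thread

$UF_ACCOUNTDISABLE     = 0x2       # userAccountControl: account is disabled
$UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: "Password never expires"

$domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# Current domain setting for reference. maxPwdAge is stored as a NEGATIVE 100ns
# interval; 0 or Int64.MinValue means passwords never expire.
$dom = New-Object System.DirectoryServices.DirectorySearcher(
          $domain, "(objectClass=*)", [string[]]@("maxPwdAge"),
          [System.DirectoryServices.SearchScope]::Base)
$maxTicks   = [long]$dom.FindOne().Properties["maxPwdAge"][0]
$currentMax = if ($maxTicks -eq 0 -or $maxTicks -eq [long]::MinValue) { "never" }
              else { [TimeSpan]::FromTicks(-$maxTicks).TotalDays }
Write-Host "Current maxPwdAge: $currentMax days; evaluating a limit of $ProposedMaxAgeDays days"

# Same user filter the thread's VBScript uses
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domain)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user))"
$searcher.PageSize = 500
$searcher.PropertiesToLoad.AddRange([string[]]@(
    "sAMAccountName", "distinguishedName", "pwdLastSet", "userAccountControl"))

$nowUtc = (Get-Date).ToUniversalTime()
$report = @()
foreach ($r in $searcher.FindAll()) {
    $uac = [int]$r.Properties["userAccountControl"][0]
    if ($uac -band $UF_ACCOUNTDISABLE) { continue }   # cannot authenticate anyway

    # pwdLastSet is a FILETIME (100ns ticks since 1601-01-01 UTC); 0 = must change at next logon
    $ticks   = [long]$r.Properties["pwdLastSet"][0]
    $lastSet = if ($ticks -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($ticks) }
    $ageDays = if ($lastSet) { [math]::Floor(($nowUtc - $lastSet).TotalDays) } else { $null }

    # A service account with a stale password is not special: it expires when the
    # service next authenticates, unless the never-expires flag exempts it.
    $status = if ($uac -band $UF_DONT_EXPIRE_PASSWD) { "exempt (never expires)" }
              elseif ($ticks -eq 0)                    { "already must-change" }
              elseif ($ageDays -ge $ProposedMaxAgeDays) { "EXPIRES AT NEXT AUTH" }
              else { "ok for $($ProposedMaxAgeDays - $ageDays) more days" }

    $report += New-Object PSObject -Property @{
        SamAccountName = [string]$r.Properties["sAMAccountName"][0]
        PwdLastSetUtc  = $lastSet
        AgeDays        = $ageDays
        Status         = $status
    }
}

$report | Sort-Object AgeDays -Descending |
    Format-Table SamAccountName, PwdLastSetUtc, AgeDays, Status -AutoSize

# One-line summary for the change ticket
$hit = @($report | Where-Object { $_.Status -like "EXPIRES*" }).Count
Write-Host "$hit of $($report.Count) enabled accounts would expire immediately at $ProposedMaxAgeDays days"
```

Run it once per candidate value (120, 105, 90) to size each step of the gradual reduction; the "EXPIRES AT NEXT AUTH" rows are the users (and service accounts) who need a warning or a staged reset before that value goes into the domain policy.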
kj [SBS MVP]
2010-02-01 22:21:54 UTC
Richard's method above is my preference for reducing password lifetimes or
first-time password age restrictions for user passwords assured of being 999
days or newer. Those older accounts still get immediately flagged if they
haven't changed passwords in less than (pwdmax setting) days. (They should
probably get flogged for it instead of flagged for it, but that's another
thread.)

The -1 method helps where a large number of new or migrated users all have the
same password age, suffering from the trauma of just having to change it now :) ...
or when introducing password expiration for the first time to users that
have been around a long time.

Different methods for different circumstances and needs, I guess.
/kj
Mugen
2010-02-01 23:49:02 UTC
Hi Kj and Richard,

Thanks for your reply!

I just want to double check: if I run a script and set the "pwdLastSet" attribute
to -1, will that reset all the users to today's date?
Because I want to do that first, before I enforce the password policy on the whole
domain for "password expires in 90 days". That way, I can just email everyone
saying the policy has been applied and everyone needs to change their password
every 90 days from now on. Otherwise, most of the users will get a password
expiry on the first day I apply the password policy. Hope that makes sense...

Do you know if there is a script I can download for resetting "pwdLastSet"
to -1 for multiple users or the whole domain?

Thanks, and I really appreciate your help!
Mugen
Richard Mueller [MVP]
2010-02-02 03:00:39 UTC
If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
The next time the user authenticates, a value corresponding to the current
date and time is automatically assigned by the system. Still, if you
assign -1 to everyone today, and they all log on tomorrow, then everyone's
password will expire on the same day 90 days in the future. I've found this
to be a problem when users are not used to changing passwords. You still might
want to assign -1 to groups of users to spread out the load on your support.

You can use ADO in a VBScript program to retrieve the DN of all users (or
all users in an OU, or all users in a group), enumerate the users, bind to
each user object, assign -1 to pwdLastSet, and save the changes. For
example, for all users in the domain:
==========
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
' Bind to user object.
Set objUser = GetObject("LDAP://" & strDN)
' Make password not expired.
objUser.pwdLastSet = -1
' Save changes.
objUser.SetInfo
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
==========
To modify the code for all users in an OU, change the base of the ADO query
from this:

strBase = "<LDAP://" & strDNSDomain & ">"

To specify the DN of the OU, similar to:

strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"

To restrict the ADO query to members of a group, you can change the filter
statement from this:

strFilter = "(&(objectCategory=person)(objectClass=user))"

to add a clause specifying the DN of the group. For example (one line):

strFilter =
"(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"

I hope this helps.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Mugen
2010-02-03 00:27:01 UTC
Hi,

Thanks for you help!

I tried this VBScript to test an individual account in the default "users" OU. It
seems to have run successfully without any error. I got a Windows Script Host window
with "PwdLastSet = -1 and Accounts changed = -1". However, when I checked the
pwdLastSet attribute, nothing had been changed. It still shows the last
password set was 1 year ago. Here is the VBScript I tried; I put asterisks
at the end of the lines where I made changes.

Can you take a look at what went wrong?

' PwdLastSet.vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "cn=test account,cn=users,dc=domain,dc=com, "   ' ******
strContainer = strContainer & strDNSDomain
intCounter = -1   ' **********
' Here we force a reset password date
intPwdValue = -1   ' ***********

' Loop through OU=, resetting all user accounts
Set objOU = GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com")   ' *****
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.Put "PwdLastSet", intPwdValue
        objUser.SetInfo
    End If
    intCounter = intCounter + 1
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
    & vbCr & "Accounts changed = " & intCounter
WScript.Quit

' End of Sample PwdLastSet VBScript
Mugen
2010-02-04 18:18:01 UTC
Hi,

Is anyone able to review the script I tried and see why it is not working?

Thanks.
kj [SBS MVP]
2010-02-04 18:28:03 UTC
I *think* that Richard's script is expecting to enumerate user accounts in an
OU, but you gave it the DN of a single user.

If true, create an OU and move your test user there, and adjust strContainer
for the OU instead of the CN=.

Otherwise I'm sure Richard or others will correct me (and you). :)
--
/kj
Bruno Souza - r4ibOm
2021-09-09 14:22:56 UTC
Hello,

For this change to work, you first need to change the value to 0 and then to -1. For example:

objUser.Put "pwdLastSet", 0
objUser.SetInfo

objUser.Put "pwdLastSet", -1
objUser.SetInfo

After that you can check the attribute again in AD and it will have the current date =)
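Putting the two pieces of advice together, as an added example that is not from any of the posters: the write-0-then-write-minus-1 sequence Bruno describes, applied to one batch of users at a time as Richard suggested so that expiry dates end up staggered instead of landing on the same day, with a read-back of pwdLastSet after each write so that a silently ignored -1 (the symptom Mugen reported) shows up as Verified = False rather than being assumed. Assumptions: Windows PowerShell with the ADSI .NET classes (no AD module, so it also works against a 2003 domain); the user list comes either from an OU/container DN via -SearchBase or from a text file of DNs via -DnFile (both illustrative parameter names, the file matching Richard's "several text files" approach); -BatchSize and -Batch are arbitrary; the script honours -WhatIf.

```powershell
<#
Added example (not from the thread). Resets the password clock for ONE batch of
users by writing pwdLastSet = 0 and then -1 (per Bruno Souza's post), and verifies
each write by re-reading the attribute. Assumes Windows PowerShell + ADSI classes.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase,      # e.g. "ou=Sales,ou=West,dc=MyDomain,dc=com" (illustrative)
    [string]$DnFile,          # text file, one user DN per line (illustrative)
    [int]$BatchSize = 50,     # arbitrary batch size
    [int]$Batch = 1           # 1-based slice of the sorted DN list to process on this run
)

function Get-PwdLastSetUtc {
    # Re-reads pwdLastSet for one DN with a base-scope search. DirectorySearcher returns
    # the LargeInteger as Int64, so no IADsLargeInteger HighPart/LowPart handling is needed.
    param([string]$Dn)
    $s = New-Object System.DirectoryServices.DirectorySearcher(
            [ADSI]"LDAP://$Dn", "(objectClass=*)", [string[]]@("pwdLastSet"),
            [System.DirectoryServices.SearchScope]::Base)
    $ticks = [long]$s.FindOne().Properties["pwdLastSet"][0]
    if ($ticks -eq 0) { return $null }               # 0 = must change password at next logon
    [DateTime]::FromFileTimeUtc($ticks)
}

# 1. Build the candidate list
if ($DnFile) {
    $dns = Get-Content $DnFile | ForEach-Object { $_.Trim() } | Where-Object { $_ }
} elseif ($SearchBase) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$SearchBase"
    # Thread's user filter, minus disabled (0x2) and "never expires" (0x10000) accounts,
    # using the LDAP bitwise-AND matching rule so the DC does the filtering.
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
                       "(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")
    $dns = $searcher.FindAll() | ForEach-Object { $_.Properties["distinguishedName"][0] }
} else {
    throw "Specify -SearchBase or -DnFile"
}

# 2. Pick this run's slice; sorting makes batch N refer to the same users every run
$dns   = @($dns | Sort-Object)
$slice = @($dns | Select-Object -Skip (($Batch - 1) * $BatchSize) -First $BatchSize)
Write-Host ("Batch {0}: {1} of {2} users" -f $Batch, $slice.Count, $dns.Count)

# 3. Reset the clock and verify what the DC actually stored
foreach ($dn in $slice) {
    $before = Get-PwdLastSetUtc $dn
    if (-not $PSCmdlet.ShouldProcess($dn, "pwdLastSet := 0, then -1")) { continue }

    $user = [ADSI]"LDAP://$dn"
    $user.Put("pwdLastSet", 0)     # expire it first ...
    $user.SetInfo()
    $user.Put("pwdLastSet", -1)    # ... then -1, which the DC replaces with the current time
    $user.SetInfo()

    $after = Get-PwdLastSetUtc $dn
    # Verified only if the stored value is now "a few minutes ago"; allows for clock skew
    $ok = [bool]($after -and (((Get-Date).ToUniversalTime() - $after).TotalMinutes -lt 5))

    New-Object PSObject -Property @{ DN = $dn; Before = $before; After = $after; Verified = $ok } |
        Select-Object DN, Before, After, Verified
}
```

Run with -WhatIf first to see which DNs fall into the batch. The Before/After columns come from a fresh base-scope search rather than the cached DirectoryEntry, so they reflect what the DC actually stored; a row with Verified = False and After equal to Before means the write sequence did not take on that account and it needs a second look rather than an assumption that it worked.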
Bruno Souza - r4ibOm
2021-09-09 14:23:51 UTC
Permalink
Post by Mugen
Hi,
Anyone able to review the script I treid why not working?
Thanks.
Post by Mugen
Hi,
Thanks for you help!
I tried this VB script to test individual account in default "users" OU. It
seems ran successful without any error. I got a Windows script host window
with "PwdLastSet= -1 and Accounts changed = -1". However, when I checked the
attribue of the PwdLastset nothing being changed. It still showing last
password set was 1 year ago. Here is the VB script I tried and I put asterisk
at end of the line where I made change.
Can you take a look what went wrong?
' PwdLastSet.vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue
' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "cn=test account,cn=users,dc=domain,dc=com, "  ' ******
strContainer = strContainer & strDNSDomain
intCounter = -1  ' **********
' Here we force a reset password date
intPwdValue = -1  ' ***********
' Loop through OU=, resetting all user accounts
Set objOU = GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com")  ' *****
For Each objUser In objOU
    If objUser.Class = "user" Then
        objUser.Put "PwdLastSet", intPwdValue
        objUser.SetInfo
    End If
    intCounter = intCounter + 1
Next
' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
    & vbCr & "Accounts changed = " & intCounter
WScript.Quit
' End of Sample PwdLastSet VBScript
Post by Richard Mueller [MVP]
Post by Mugen
Hi Kj and Richard,
Thanks for your reply!
I just want to double check: if I run a script and set the "pwdLastSet" attribute
to -1, will that reset all the users to today's date?
Because I want to do that first before I enforce the password policy on the whole
Domain for "password expires in 90 days". That way, I just email everyone
saying the policy has been applied and everyone needs to change their password
every 90 days from now on. Otherwise, most of the users will get password
expiry on the first day I apply the password policy. Hope that makes sense...
Do you know if there is a script I can download for resetting "pwdLastSet"
to -1 for multiple users or the whole Domain?
Thanks and I really appreciate your help!
Mugen
If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
The next time the user authenticates, a value corresponding to the current
date and time is automatically assigned by the system. Still, if you
assign -1 to everyone today, and they all logon tomorrow, then everyone's
password will expire on the same day 90 days in the future. I've found this
to be a problem when users are not used to changing passwords. You still might
want to assign -1 to groups of users to spread out the load on your support.
You can use ADO in a VBScript program to retrieve the DN of all users (or
all users in an OU, or all users in a group), enumerate the users, bind to
each user object, assign -1 to pwdLastSet, and save the changes. For
==========
Option Explicit
Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser
' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection
' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"
' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"
' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"
' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False
' Run the query.
Set adoRecordset = adoCommand.Execute
' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
' Bind to user object.
Set objUser = GetObject("LDAP://" & strDN)
' Make password not expired.
objUser.pwdLastSet = -1
' Save changes.
objUser.SetInfo
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop
' Clean up.
adoRecordset.Close
adoConnection.Close
==========
To modify the code for all users in an OU, change the base of the ADO query
strBase = "<LDAP://" & strDNSDomain & ">"
strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"
To restrict the ADO query to members of a group, you can change the filter
strFilter = "(&(objectCategory=person)(objectClass=user))"
strFilter =
"(&(objectCategory=person)(objectClass=user)(memberOf=cn=TestGroup,ou=West,dc=MyDomain,dc=com))"
I hope this helps.
--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--
Hello,

For this change to work, you first need to change the value to 0 and then to -1. For example:

objUser.Put "pwdLastSet", 0
objUser.SetInfo

objUser.Put "pwdLastSet", -1
objUser.SetInfo

After that you can check the attribute again in AD and it will have the current date =)
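Before writing 0 and -1 to everyone, an administrator usually wants to know which accounts would expire on day one of a 90-day policy and how to stagger the resets, as Richard suggests. The following offline audit is an added example, not code from this thread: it decodes pwdLastSet (a FILETIME, with 0 and the "huge number" left by -1 as special cases) and splits the at-risk accounts into reset batches. The account names, timestamps and batch sizes are constructed; it reads nothing from AD.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Writing -1 stores the largest positive 64-bit value; AD replaces it with a real
# timestamp the next time the user authenticates (the "huge number" in the thread).
PENDING_RESET = 0x7FFFFFFFFFFFFFFF

def datetime_to_filetime(dt: datetime) -> int:
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def classify(pwd_last_set: int, now: datetime, max_age_days: int = 90) -> dict:
    """Say what a max-password-age policy would do to one account."""
    if pwd_last_set == 0:
        return {"state": "must-change-at-next-logon", "days_left": 0}
    if pwd_last_set >= PENDING_RESET:
        return {"state": "reset-pending-next-logon", "days_left": max_age_days}
    expires = filetime_to_datetime(pwd_last_set) + timedelta(days=max_age_days)
    days_left = (expires - now).days
    state = "expires-immediately" if days_left <= 0 else "ok"
    return {"state": state, "days_left": days_left}

def plan_stagger(users: dict, now: datetime, max_age_days: int = 90,
                 batches: int = 4, step_days: int = 7) -> dict:
    """Spread the accounts that would expire on day one over several reset
    dates, so their next expiries do not all land on the same day."""
    at_risk = sorted(u for u, ft in users.items()
                     if classify(ft, now, max_age_days)["state"] == "expires-immediately")
    return {u: (now + timedelta(days=(i % batches) * step_days)).date()
            for i, u in enumerate(at_risk)}

# Constructed sample data (hypothetical accounts; "now" is the thread's date).
SAMPLE_NOW = datetime(2010, 2, 1, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": datetime_to_filetime(datetime(2009, 2, 1, tzinfo=timezone.utc)),   # a year old
    "bob": datetime_to_filetime(datetime(2010, 1, 15, tzinfo=timezone.utc)),    # recent
    "carol": 0,                                                                  # forced change
    "dave": PENDING_RESET,                                                       # -1 written, no logon yet
    "erin": datetime_to_filetime(datetime(2009, 10, 1, tzinfo=timezone.utc)),   # 123 days old
}

if __name__ == "__main__":
    for name, ft in SAMPLE_USERS.items():
        print(name, classify(ft, SAMPLE_NOW))
    print(plan_stagger(SAMPLE_USERS, SAMPLE_NOW))
```

Feed it real values by exporting distinguishedName and pwdLastSet with the ADO query above; the 0-then-1 write itself stays the job of the VBScript posted in the thread.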