How Can I Cause a User’s Password to Expire?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I cause a user’s password to expire?

— GB

Hey, Scripting Guy! Answer

Hey, GB. You know, one thing people dislike about politicians is that any time you ask them a question many politicians will give you an answer to a different question. Even worse, if you press them on that point they’ll tell you that there’s a good reason why they did that: after all, it’s for your own good.


What does that have to do with the Hey, Scripting Guy! column? Well, instead of answering the question you asked, we’re going to answer a different question. But don’t worry: it’s for your own good.


So why is this for your own good? Well, we’re assuming there’s only one reason why you’d want to expire a user’s password: you want the user to have to change that password the next time they log on. You wouldn’t expire a password in order to prevent a user from logging on; if you don’t want a user logging on then you should disable or delete the user account. We want to force a user to change their password the next time they log on, and there’s an easier way to do that than by changing the password expiration date. All you have to do is run this little script instead:


That’s right: there really isn’t much to it, is there? We begin by binding to the user account in Active Directory; that’s what this line of code is for:


Having done that, we then set the value of the pwdLastSet attribute to 0. pwdLastSet is an attribute that stores the date and time that the password for a given account was last set. If pwdLastSet is equal to 0 the user will have no choice but to change their password the next time they log on. In other words, without having to mess around with dates and times we’ve essentially “expired” their password: their current password will have to be changed the next time they log on. We set pwdLastSet to 0, then call the SetInfo method to write the change back to Active Directory.


Incidentally, you can do the same sort of thing with local user accounts using a script like this:


In this script, we bind to the Ken Myer account on the computer atl-win2k-01 and then set the value of the PasswordExpired attribute to 1. We call the SetInfo method and, voilà: the next time Ken Myer logs on to this computer he’ll have to change his password.
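The two scripts the column describes, written out as an added PowerShell example (this is not the column's own VBScript, which does not appear on this page). It uses the same ADSI calls the text names: bind to the account, set pwdLastSet to 0 (domain) or PasswordExpired to 1 (local), then SetInfo. The distinguished name of the domain account is a placeholder, and the local account name kenmyer on atl-win2k-01 is an assumption; the column only says "Ken Myer". Both functions read the attribute back after the write so you can see the change stuck, and both warn if the account carries the "Password never expires" flag (0x10000 in userAccountControl / UserFlags), because in that case the logon prompt to change the password never appears.

```powershell
# Added example: force a password change at next logon via ADSI.
# Not the column's own script; see the lead-in for what is assumed.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires" bit

function Set-DomainUserMustChangePassword {
    param(
        # Placeholder DN; replace with the real DN of the account you manage.
        [Parameter(Mandatory)][string]$DistinguishedName
    )

    # Bind to the user object in Active Directory (LDAP provider).
    $user = [ADSI]"LDAP://$DistinguishedName"

    # Through LDAP, pwdLastSet only accepts 0 (must change at next logon)
    # or -1 (stamp it with "now"); 0 is what "expires" the current password.
    $user.Put("pwdLastSet", 0)
    $user.SetInfo()

    # Read back from the directory and check the write landed.
    $user.RefreshCache(@("pwdLastSet", "userAccountControl"))
    $pwdLastSet = $user.ConvertLargeIntegerToInt64($user.pwdLastSet.Value)

    if ($user.userAccountControl.Value -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        Write-Warning "$DistinguishedName has 'Password never expires' set; pwdLastSet=0 will not force a change."
    }
    return ($pwdLastSet -eq 0)
}

function Set-LocalUserMustChangePassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # e.g. atl-win2k-01
        [Parameter(Mandatory)][string]$UserName        # assumed: kenmyer
    )

    # Bind to the local account (WinNT provider); ",user" pins the object class.
    $user = [ADSI]"WinNT://$ComputerName/$UserName,user"

    # PasswordExpired = 1 marks the current password as expired.
    $user.Put("PasswordExpired", 1)
    $user.SetInfo()

    $user.RefreshCache()
    if ([int]$user.UserFlags.Value -band $ADS_UF_DONT_EXPIRE_PASSWD) {
        Write-Warning "$UserName on $ComputerName has 'Password never expires' set; the change will not be forced."
    }
    return ([int]$user.PasswordExpired.Value -eq 1)
}

# Usage (placeholder DN; assumed local account name):
# Set-DomainUserMustChangePassword -DistinguishedName "CN=Ken Myer,OU=PLACEHOLDER,DC=PLACEHOLDER,DC=com"
# Set-LocalUserMustChangePassword -ComputerName atl-win2k-01 -UserName kenmyer
```

Run this from an account with write access to the target user object; a failed SetInfo throws, so nothing is left half-applied. On a domain where the ActiveDirectory module is available, `Set-ADUser -Identity <user> -ChangePasswordAtLogon $true` writes the same pwdLastSet=0 for you, and the "Password never expires" caveat applies there too.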


So there you have it: we answered a question, even though it might not have been the exact question we were asked. Hopefully this will help: the last time we tried giving answers that didn’t match the questions was on our SAT test. That one didn’t work out too well.
