December 14th, 2006

How Can I Set a User’s Password and Then Require Them to Change That Password the Next Time They Log on?

Hey, Scripting Guy! Question

Hey, Scripting Guy! In our school, how can I enable teachers to change a student’s password to their logon name, then force those students to change their password the next time they log on?

— DS

Hey, Scripting Guy! Answer

Hey, DS. Boy, did you pick the wrong person to ask. After all, the Scripting Guy who writes this column used to be a teacher; if he knew how to force students to do things he’d probably still be a teacher!

Actually, the Scripting Guy who writes this column always got along really well with his students; in fact, he’s always gotten along really well with kids, period. As his fellow Scripting Guys will attest, it’s only adults he has problems with. Perhaps that’s because, as the Scripting Son pointed out a few weeks ago, “You know, any place you go you’re usually the most immature person there.” And no, we have no idea what could have provoked this outburst.

Well, OK, maybe we have some idea ….

But regardless of whether you’re dealing with a grownup, a child, or even a Scripting Guy, here’s a script that will set a user’s password to their logon name, then require that user to change that password the next time they log on:

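' Bind to the user account in Active Directory
Set objUser = GetObject("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")
' Set the password to the user's logon name (takes effect immediately)
objUser.SetPassword objUser.sAMAccountName
' pwdLastSet = 0 requires a password change at next logon; SetInfo writes it back
objUser.Put "pwdLastSet", 0
objUser.SetInfo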

And yes, it is a very short and concise script, isn’t it? Yet another reason why the Scripting Guy who writes this column is no longer a teacher: teachers have to work hard. As for Scripting Guys, well ….

As you can see, we start out by binding to the user account in Active Directory; that’s what this line of code does:

Set objUser = GetObject("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")

We then call the SetPassword method in order to change the user’s password. With SetPassword we have to supply one parameter: the new password for the user. Because we want the new password to be the user’s logon name we pass the value of the sAMAccountName attribute:

objUser.SetPassword objUser.sAMAccountName

Believe it or not, that’s all we have to do to set the user’s password.

Requiring the user to change that password the next time they log on is twice as hard; after all, that requires two whole lines of code:

objUser.Put "pwdLastSet", 0
objUser.SetInfo

In the first line we assign the value 0 to the pwdLastSet attribute. This attribute keeps track of the last time a user changed his or her password. If the value is set to 0 then the user has to change their password the next time they log on.

In line 2 we then call the SetInfo method to write the updated attribute value back to Active Directory.

That should do the trick, DS, provided, of course, that teachers have the right to change user passwords and to update the pwdLastSet attribute.
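The same script with the checks that last caveat implies, as an added example that is not part of the original column: it skips accounts flagged "Password never expires" (for which pwdLastSet = 0 does not force a change), reports a failed SetPassword or SetInfo, and reads pwdLastSet back from the directory. The exit codes and messages are choices made for this example; the distinguished name is the article's sample account.

```vbscript
' Added example, not from the original column.
Option Explicit
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000   ' "Password never expires" bit in userAccountControl

Dim objUser, lngUac, objLastSet

Set objUser = GetObject("LDAP://cn=Ken Myer,ou=Finance,dc=fabrikam,dc=com")

' pwdLastSet = 0 is not enforced while "Password never expires" is set,
' so stop before handing out a password that would stay valid indefinitely.
lngUac = objUser.Get("userAccountControl")
If (lngUac And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
    WScript.Echo "Skipped: 'Password never expires' is set on " & objUser.sAMAccountName
    WScript.Quit 1
End If

On Error Resume Next

' SetPassword is applied immediately. It fails if the caller lacks the right to
' reset the password or if domain password policy rejects the new value.
objUser.SetPassword objUser.sAMAccountName
If Err.Number <> 0 Then
    WScript.Echo "SetPassword failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If

' Expire the password right away. SetInfo fails if the caller cannot write pwdLastSet.
objUser.Put "pwdLastSet", 0
objUser.SetInfo
If Err.Number <> 0 Then
    WScript.Echo "Password was reset but pwdLastSet was NOT written: 0x" & Hex(Err.Number)
    WScript.Quit 3
End If
On Error GoTo 0

' Re-read from the directory and confirm the 64-bit value really is zero.
objUser.GetInfo
Set objLastSet = objUser.Get("pwdLastSet")
If objLastSet.HighPart = 0 And objLastSet.LowPart = 0 Then
    WScript.Echo "OK: user must change password at next logon."
Else
    WScript.Echo "Warning: pwdLastSet is not 0; a password change is not being forced."
    WScript.Quit 4
End If
```

Exit code 3 is the case to watch for: the password is already the logon name but nothing forces the user to replace it.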

Speaking of teachers, the Scripting Guy who writes this column actually enjoyed teaching; that’s one reason he spends so much of his time coaching. What he didn’t like were school districts: huge, impersonal bureaucracies that never know what they’re doing, or why. And so he ended up at Microsoft instead.

And yes, we know what you’re thinking. But if anyone asks, you said it, not us.

