{"id":64853,"date":"2007-05-16T22:56:00","date_gmt":"2007-05-16T22:56:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2007\/05\/16\/how-can-i-force-all-the-users-in-an-ou-to-change-their-password-the-next-time-they-log-on\/"},"modified":"2007-05-16T22:56:00","modified_gmt":"2007-05-16T22:56:00","slug":"how-can-i-force-all-the-users-in-an-ou-to-change-their-password-the-next-time-they-log-on","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/how-can-i-force-all-the-users-in-an-ou-to-change-their-password-the-next-time-they-log-on\/","title":{"rendered":"How Can I Force All the Users in an OU to Change Their Password the Next Time They Log On?"},"content":{"rendered":"<p><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Question\" height=\"34\" alt=\"Hey, Scripting Guy! Question\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" width=\"34\" align=\"left\" border=\"0\"> \n<P>Hey, Scripting Guy! How can I write a script that will force all the users in an OU to change their password the next time they log on?<BR><BR>&#8212; TH<\/P><IMG class=\"nearGraphic\" title=\"Hey, Scripting Guy! Answer\" height=\"34\" alt=\"Hey, Scripting Guy! Answer\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" width=\"34\" align=\"left\" border=\"0\"> \n<P>Hey, TH. 
You know, you picked a bad day to ask a question; the Scripting Guy who writes this column is in an even worse mood than usual (difficult as that might be to believe). A few weeks ago the Scripting Guys decided, what with the weather getting a bit better and the food in the Microsoft cafeteria getting a bit worse, that once a week they would \u2013 keep this under your hat, OK? \u2013 actually <I>leave the campus at lunch time<\/I> and go eat at a real restaurant. With that in mind, they bribed the guards, stole some uniforms from the Microsoft laundry, and dug a tunnel leading from their building across the street and into freedom.<\/P>\n<TABLE class=\"dataTable\" id=\"E6C\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD class=\"\">\n<P><B>Note<\/B>. Wouldn\u2019t it be easier to just walk out the door and go to lunch at lunchtime? Oh, sure, <I>now<\/I> you tell us.<\/P>\n<P>And now that you mention it, Microsoft doesn\u2019t actually <I>have<\/I> guards. Wonder who that was we bribed?<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n<DIV class=\"dataTableBottomMargin\"><\/DIV>\n<P>At any rate, today is supposed to be the day we go eat a real lunch. However, the Scripting Guys manager has called a team meeting right at the very moment the Scripting Guys had planned to enter the tunnel and make their escape. (It\u2019s important to go at just the right moment, when the searchlights are pointed in the opposite direction and the dogs are patrolling on the other side of the campus.) That means we\u2019re exchanging a real hamburger and fries for an update on team activities. Hurray!<\/P>\n<TABLE class=\"dataTable\" id=\"ETD\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD class=\"\">\n<P class=\"lastInCell\"><B>Note<\/B>. Aren\u2019t team meetings an important way to get information, to foster morale, and to learn about ways to help us all do our jobs better? 
Hey, that\u2019s pretty funny; it\u2019s nice to see that <I>someone<\/I> has a sense of humor about all this.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n<DIV class=\"dataTableBottomMargin\"><\/DIV>\n<P>At any rate, the Scripting Guy who writes this column is in a bad mood. Originally he was going to register his displeasure by refusing to answer TH\u2019s question. However, that didn\u2019t seem right; after all, TH isn\u2019t the one who scheduled the team meeting for today. (Um, you\u2019re <I>not<\/I> the one who scheduled the meeting for today, are you, TH?) Consequently, the Scripting Guy who writes this column opted for Plan B: he would go on a hunger strike in order to protest having a team meeting today. However, that was before he discovered that you\u2019re not allowed to eat while on a hunger strike. (How crazy is <I>that<\/I>?) He then briefly considered going to Plan C, but coming up with yet another plan seemed like way too much work. Therefore, he decided to just answer TH\u2019s question and be done with it:<\/P><PRE class=\"codeSample\">Set objOU = GetObject(&quot;LDAP:\/\/ou=Accounting,dc=fabrikam,dc=com&quot;)\nobjOU.Filter = Array(&quot;user&quot;)<\/p>\n<p>For Each objUser in objOU\n    objUser.pwdLastSet = 0\n    objUser.SetInfo\nNext\n<\/PRE>\n<P>As you can see, this is a very simple little script. (In our defense, we said we\u2019d answer the question; we didn\u2019t say we\u2019d put an enormous amount of work into coming up with that answer.) To begin with, we connect to the desired OU in Active Directory; in our case, that happens to be the Accounting OU in the fabrikam.com domain:<\/P><PRE class=\"codeSample\">Set objOU = GetObject(&quot;LDAP:\/\/ou=Accounting,dc=fabrikam,dc=com&quot;)\n<\/PRE>\n<P>We actually get a lot of questions along these lines: how do I do something to all the user accounts\/computer accounts\/group accounts in an OU. 
People assume that this must be a very complicated task, one that requires both incredible coding skill and an intimate knowledge of Active Directory. Interestingly enough, this is actually about as <I>easy<\/I> a task as you\u2019ll ever do. When you bind to an OU in Active Directory you, by default, get back a collection of each and every item stored in that container. If we wanted to echo back the name of each of these items all we\u2019d have to do is set up a For Each loop and have at it:<\/P><PRE class=\"codeSample\">For Each objItem in objOU\n    Wscript.Echo objItem.Name\nNext\n<\/PRE>\n<P>Of course, we aren\u2019t interested in each and every item found in the Accounting OU; we\u2019re only interested in user accounts. Hence the second line of code in our script:<\/P><PRE class=\"codeSample\">objOU.Filter = Array(&quot;user&quot;)\n<\/PRE>\n<P>What we\u2019re doing here is applying a filter to our collection; in particular, we\u2019re saying that we want to filter out all the objects in the collection <I>except for<\/I> user objects. What if we were interested in working with computer accounts instead? Then we\u2019d use this filter:<\/P><PRE class=\"codeSample\">objOU.Filter = Array(&quot;computer&quot;)\n<\/PRE>\n<P>Pretty simple, huh? Note that you must always use an array when assigning object types to a filter, even if you only have one object in the filter. And if that makes you wonder, \u201cHmmm, does that mean we could put multiple objects in a single filter?\u201d the answer is: you bet you can. 
For example, here\u2019s a filter that weeds out everything except group accounts and printers (printQueue objects):<\/P><PRE class=\"codeSample\">objOU.Filter = Array(&quot;group&quot;, &quot;printQueue&quot;)\n<\/PRE>\n<P>Just separate the objects with commas and you can include as many items in the filter as your heart desires.<\/P>\n<P>As soon as our collection consists solely of user accounts we can go ahead and set up a For Each loop to cycle through the entire set of items. Inside the loop we (automatically) bind to the first user account and then execute the following two lines of code:<\/P><PRE class=\"codeSample\">objUser.pwdLastSet = 0\nobjUser.SetInfo\n<\/PRE>\n<P>In line 1 we\u2019re assigning the value 0 to the <B>pwdLastSet<\/B> attribute. This attribute tells us when the user last set his or her password. If the value of pwdLastSet is 0 then the user must change his or her password the next time they log on. If the user is already logged on they\u2019ll be fine; they can continue working away without any problem. However, once they log off and then try to log back on they\u2019ll be forced to change their password.<\/P>\n<TABLE class=\"dataTable\" id=\"EEF\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD class=\"\">\n<P class=\"lastInCell\"><B>Note<\/B>. 
Don\u2019t get too excited about the pwdLastSet attribute; it really <I>does<\/I> contain the date and time the password was last changed, but the date is stored \u2013 and we are not making this up \u2013 as a large integer that \u201crepresents the number of 100 nanosecond intervals since January 1, 1601 (UTC).\u201d If you\u2019d like to know the date and time a password was last changed take a peek at <A href=\"http:\/\/www.microsoft.com\/technet\/scriptcenter\/resources\/qanda\/jul05\/hey0705.mspx\"><B>this <\/B><B><I>Hey, Scripting Guy!<\/I><\/B><B> column<\/B><\/A>.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n<DIV class=\"dataTableBottomMargin\"><\/DIV>\n<P>After setting the pwdLastSet attribute to 0 we then call the <B>SetInfo<\/B> method to write the change to the actual user account in Active Directory. We then loop around and repeat the process with the next user in the collection. When we\u2019re all done, each and every user in the Accounting OU will be required to change their password the next time they log on.<\/P>\n<TABLE class=\"dataTable\" id=\"EBG\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD class=\"\">\n<P><B>Note<\/B>. OK, that might not be entirely true: this approach works only if the user has a password that expires. If any of your users have non-expiring passwords (which, we might add, is definitely <I>not<\/I> recommended) then setting pwdLastSet to 0 will have no effect on their account. 
But don\u2019t worry: we just happen to have <A href=\"http:\/\/www.microsoft.com\/technet\/scriptcenter\/resources\/qanda\/oct06\/hey1031.mspx\"><B>yet another <\/B><B><I>Hey, Scripting Guy!<\/I><\/B><B> column<\/B><\/A> that shows you how to identify non-expiring passwords, and even how to turn them into expiring passwords.<\/P>\n<P>Let\u2019s face it: after 3+ years we have a <I>lot<\/I> of <I>Hey, Scripting Guy!<\/I> columns.<\/P><\/TD><\/TR><\/TBODY><\/TABLE>\n<DIV class=\"dataTableBottomMargin\"><\/DIV>\n<P>In case you\u2019re wondering, the food at the Microsoft cafeteria really isn\u2019t all that bad; in fact, the only problem we have with it is that they have the philosophy, \u201cIf you liked what we served you on Monday you\u2019ll like it even better on Tuesday. And by Friday, you\u2019ll love it!\u201d Nevertheless, having yet <I>another<\/I> gyro sandwich is still probably better than crawling a mile or so through a dank and dark tunnel.<\/P>\n<P>Probably.<\/P>\n<TABLE class=\"dataTable\" id=\"EHH\" cellSpacing=\"0\" cellPadding=\"0\">\n<THEAD><\/THEAD>\n<TBODY>\n<TR class=\"record\" vAlign=\"top\">\n<TD class=\"\">\n<P class=\"lastInCell\"><B>P.S<\/B>. For once this column has a happy ending: the team meeting ran extremely short, and the Scripting Guys managed to go out to lunch after all!<\/P><\/TD><\/TR><\/TBODY><\/TABLE><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! How can I write a script that will force all the users in an OU to change their password the next time they log on?&#8212; TH Hey, TH. 
You know, you picked a bad day to ask a question; the Scripting Guy who writes this column is in an even worse mood [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,20,5],"class_list":["post-64853","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-user-accounts","tag-vbscript"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! How can I write a script that will force all the users in an OU to change their password the next time they log on?&#8212; TH Hey, TH. You know, you picked a bad day to ask a question; the Scripting Guy who writes this column is in an even worse mood [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/64853","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=64853"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/64853\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=64853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=64853"},{"taxonomy":"post_tag","embedd
able":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=64853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}