Recipe 6.21 Requiring a User to Change Her Password at Next Logon
6.21.1 Problem
You want to require a user to change her password the next time she logs on to the domain.
6.21.2 Solution
6.21.2.1 Using a graphical user interface
Open the Active Directory Users and Computers snap-in. In the left pane, right-click on the domain and select Find. Select the appropriate domain beside In. Beside Name, type the name of the user you want to modify and click Find Now. In the Search Results, double-click on the user. Click the Account tab. Under Account options, check the box beside User must change password at next logon. Click OK.
6.21.2.2 Using a command-line interface
> dsmod user "<UserDN>" -mustchpwd yes
6.21.2.3 Using VBScript
' This code sets the flag that requires a user to change their password
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>" ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------
set objUser = GetObject("LDAP://" & strUserDN)
objUser.Put "pwdLastSet", 0
objUser.SetInfo
WScript.Echo "User must change password at next logon: " & strUserDN
6.21.3 Discussion
When a user changes her password, a timestamp is written to the pwdLastSet attribute of the user object. When the user logs in to the domain, this timestamp is compared to the maximum password age defined by the Domain Security Policy to determine whether the password has expired. To force a user to change her password at next logon, set the pwdLastSet attribute of the target user to 0 and verify that the user's account does not have the "password never expires" option enabled; if that option is set, the zero timestamp is ignored and the user is not prompted.
To disable this option so that a user does not have to change her password, set pwdLastSet to -1. These two values (0 and -1) are the only ones that can be set on the pwdLastSet attribute.
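The following PowerShell function is an added example, not part of the recipe, that performs the same pwdLastSet write as the VBScript solution but first carries out the check the discussion calls for: it refuses to proceed if the account has the "password never expires" flag (the ADS_UF_DONT_EXPIRE_PASSWD bit, 0x10000, in userAccountControl), and it reads pwdLastSet back afterwards so the caller can confirm the change took effect. It assumes a domain-joined machine, an account permitted to write pwdLastSet on the target user, and the placeholder DN shown in the usage lines; the function and parameter names are this example's own.

```powershell
# Added example (not from the recipe): require or clear "must change password at next logon"
# by writing pwdLastSet through ADSI, after checking the password-never-expires flag.
# Assumes a domain-joined host and write access to the user object; the DN is a placeholder.

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit for "password never expires"

function Get-PwdLastSet {
    param([Parameter(Mandatory)][string]$UserDN)
    # DirectorySearcher returns the LargeInteger attribute as an Int64, which is easier
    # to handle than the IADsLargeInteger COM object that direct ADSI property access returns.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://$UserDN"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=user)'
    [void]$searcher.PropertiesToLoad.Add('pwdLastSet')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User not found: $UserDN" }
    return [int64]$result.Properties['pwdlastset'][0]
}

function Set-MustChangePasswordAtLogon {
    param(
        [Parameter(Mandatory)][string]$UserDN,
        [bool]$Require = $true          # $true writes 0, $false writes -1
    )
    $user = [ADSI]"LDAP://$UserDN"
    $uac  = [int]$user.userAccountControl.Value

    if ($Require -and ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD)) {
        # With "password never expires" set, a pwdLastSet of 0 is not enforced at logon,
        # so stop and let the administrator clear that option deliberately.
        throw "Account $UserDN has 'password never expires' set; clear it before requiring a change."
    }

    # 0 forces a change at next logon; -1 clears the requirement (the only two writable values).
    $newValue = if ($Require) { 0 } else { -1 }
    $user.Put('pwdLastSet', $newValue)
    $user.SetInfo()

    # Read back: 0 means the requirement is in place. After writing -1 the domain
    # controller stamps the current time, so any non-zero value means it was cleared.
    $after = Get-PwdLastSet -UserDN $UserDN
    [pscustomobject]@{
        UserDN             = $UserDN
        MustChangePassword = ($after -eq 0)
        PwdLastSet         = $after
    }
}

# Usage (placeholder DN, matching the recipe's example):
# Set-MustChangePasswordAtLogon -UserDN 'cn=rallen,ou=Sales,dc=rallencorp,dc=com'
# Set-MustChangePasswordAtLogon -UserDN 'cn=rallen,ou=Sales,dc=rallencorp,dc=com' -Require $false
```

Where the ActiveDirectory module is available, Set-ADUser -ChangePasswordAtLogon $true does the same write and Get-ADUser -Properties pwdLastSet,PasswordNeverExpires exposes both values for the check; the ADSI version above is shown because it maps directly onto the recipe's VBScript.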