Sign in with
Sign up | Sign in
Your question

Change password policy

Last response: in Windows 2000/NT
Share
Anonymous
a b 8 Security
February 14, 2005 1:29:51 PM

Archived from groups: microsoft.public.win2000.security (More info?)

At this moment we have a domain with 300 users, no
password policy set so far, .Now we need to set a
password policy (minimun password 6 characters)

So, the problem is I need to find a way to do it
simultaneously on all users. On this way enforce all users
to change the password as soon as possible

Thanks any comments !

More about : change password policy

Anonymous
a b 8 Security
February 14, 2005 11:45:58 PM

Archived from groups: microsoft.public.win2000.security (More info?)

Misaro wrote:

> At this moment we have a domain with 300 users, no
> password policy set so far, .Now we need to set a
> password policy (minimun password 6 characters)
>
> So, the problem is I need to find a way to do it
> simultaneously on all users. On this way enforce all users
> to change the password as soon as possible
Hi

The password complexity policy is a domain security policy that
will apply for all users at the same moment as you enable the
policy.

Then I would have used a script that expired all user's password
so they was forced to change password next time they log on.

If you need help with this script, say so, and describe your
environment.

1) Is this a NT4 or AD domain?

2) If AD, are the users in the same container/OU or in few or
spread around in many?

3) Will you need to "spare" some users, or is it OK to do this
on absolutely all users in the domain (and then you can eventually
undo the "User must change password at next logon" on a few users
using the admin GUI?


--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
Anonymous
a b 8 Security
February 14, 2005 11:45:59 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I need to apply it to all users in differents OU's at the
same time .you talked about an script I would like to find
it and if you can do it Explain me how may I use it ?

Thanks !!


>-----Original Message-----
>Misaro wrote:
>
>> At this moment we have a domain with 300 users, no
>> password policy set so far, .Now we need to set a
>> password policy (minimun password 6 characters)
>>
>> So, the problem is I need to find a way to do it
>> simultaneously on all users. On this way enforce all
users
>> to change the password as soon as possible
>Hi
>
>The password complexity policy is a domain security
policy that
>will apply for all users at the same moment as you enable
the
>policy.
>
>Then I would have used a script that expired all user's
password
>so they was forced to change password next time they log
on.
>
>If you need help with this script, say so, and describe
your
>environment.
>
>1) Is this a NT4 or AD domain?
>
>2) If AD, are the users in the same container/OU or in
few or
>spread around in many?
>
>3) Will you need to "spare" some users, or is it OK to do
this
>on absolutely all users in the domain (and then you can
eventually
>undo the "User must change password at next logon" on a
few users
>using the admin GUI?
>
>
>--
>torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
>Administration scripting examples and an ONLINE version of
>the 1328 page Scripting Guide:
>http://www.microsoft.com/technet/scriptcenter/default.m...
>.
>
Related resources
Anonymous
a b 8 Security
February 15, 2005 1:49:53 AM

Archived from groups: microsoft.public.win2000.security (More info?)

If you have an XP Pro computer on the domain you can install Adminpak for
Windows 2003 on it, logon as domain admin [make sure computer is known
secure] and use the Active Directory tools such as dsquery and dsmod for
user to find users and set their accounts to require change password at next
logon. You can pipe the results of dsquery to dsmod. --- Steve

http://www.microsoft.com/windowsxp/home/using/productdo...
http://www.microsoft.com/windowsxp/home/using/productdo...

Examples
To find all computers that have been inactive for the last four weeks and
remove them from the directory, type:

dsquery computer -inactive 4 | dsrm

To find all users in the organizational unit
OU=Marketing,DC=Microsoft,DC=Com and add them to the Marketing Staff group,
type:

dsquery user OU=Marketing,DC=Microsoft,DC=Com | dsmod group "CN=Marketing
Staff,OU=Marketing,DC=Microsoft,DC=Com" -addmbr
To find all users with names starting with "Mike" and display their office
numbers, type:

dsquery user -name Mike* | dsget user -office


"Misaro" <anonymous@discussions.microsoft.com> wrote in message
news:24ea01c512c3$2c24a950$a401280a@phx.gbl...
> At this moment we have a domain with 300 users, no
> password policy set so far, .Now we need to set a
> password policy (minimun password 6 characters)
>
> So, the problem is I need to find a way to do it
> simultaneously on all users. On this way enforce all users
> to change the password as soon as possible
>
> Thanks any comments !
Anonymous
a b 8 Security
February 16, 2005 4:09:56 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Misaro wrote:

> I need to apply it to all users in differents OU's at the
> same time .you talked about an script I would like to find
> it and if you can do it Explain me how may I use it ?
Hi

Put the VBScript below in a .vbs file and run it by double clicking on
it in Explorer. It will put out a message box for each OU it is about
to process (press OK to let the script continue).

You will need to create a text file with the OU paths where there are
users you want to expire the password for (update the path in the sFile
variable to correct path/name).

The text file with the OU list needs to be like this, each full OU path
on a seperate line:

OU=Spain,OU=Users
OU=Test,OU=Spain,OU=Users


The VBScript file:

'--------------------8<----------------------


Const OpenAsDefault = -2
Const FailIfNotExist = 0
Const ForReading = 1

sFile = "c:\scripts\OUList.txt"

Set oFSO = CreateObject("Scripting.FileSystemObject")

Set fFile = oFSO.OpenTextFile(sFile, ForReading, _
FailIfNotExist, OpenAsDefault)

aOUs = Split(fFile.ReadAll, vbNewLine)
fFile.Close

' Determine the DNS domain from the RootDSE object.
Set oRootDSE = GetObject("LDAP://RootDSE")
sDNSDomain = oRootDSE.Get("defaultNamingContext")

' verify that we can connect to all OUs before we start
' modifying the user objects
For Each sOU In aOUs
If sOU <> "" Then
On Error Resume Next
sLDAPPath = "LDAP://" & sOU & "," & sDNSDomain
Set oTargetOU = GetObject(sLDAPPath)
If Err.Number <> 0 Then

MsgBox "Quitting (no users changed), could not connect to path " _
& sLDAPPath, vbCritical + vbSystemModal, "Expire Password"
WScript.Quit
End If
End If
Next
On Error Goto 0

' start changing the user objects
For Each sOU In aOUs
If sOU <> "" Then
sLDAPPath = "LDAP://" & sOU & "," & sDNSDomain
MsgBox "About to enumerate users in path " & sLDAPPath, _
vbInformation + vbSystemModal, "Expire Password"
Set oTargetOU = GetObject(sLDAPPath)
oTargetOU.Filter = Array("user")
For Each oUser In oTargetOU
If Left(oUser.ObjectCategory, 9) = "CN=Person" Then
oUser.pwdLastSet = Clng(0)
' Save changes
oUser.SetInfo
End If
Next
End If
Next

MsgBox "Done!", vbInformation + vbSystemModal, "Expire Password"


'--------------------8<----------------------

--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.m...
!