Discussion: UserAccountControl
Bart Perrier
2005-02-10 14:52:32 UTC
I am needing to set a large number of user accounts in an OU to prompt them
to change their password at next login. The accounts are currently disabled
giving me a value of 546. If my math is correct then I would expect the
value to be 8389154 with the password_expired value added.

When I set one of these accounts manually to Disabled and User must change
password at next logon, using the AD MMC, my value does not change as I
expect it to.

I am using the Active Directory Browser to verify the value of
UserAccountControl. With other options in this value, I have noticed that it
requires replication to occur before I will notice the change.

Any idea how to set this with a script?

http://support.microsoft.com/?id=305144

Thanks.

Bart Perrier
Torgeir Bakken (MVP)
2005-02-10 18:01:03 UTC
Post by Bart Perrier
I am needing to set a large number of user accounts in an OU to prompt them
to change their password at next login. The accounts are currently disabled
giving me a value of 546. If my math is correct then I would expect the
value to be 8389154 with the password_expired value added.
When I set one of these accounts manually to Disabled and User must change
password at next logon, using the AD MMC, my value does not change as I
expect it to.
I am using the Active Directory Browser to verify the value of
UserAccountControl. With other options in this value, I have noticed that it
requires replication to occur before I will notice the change.
Any idea how to set this with a script?
http://support.microsoft.com/?id=305144
Hi

Based on ADS_USER_FLAG_ENUM documentation from
http://msdn.microsoft.com/library/en-us/adsi/adsi/ads_user_flag_enum.asp
(as well as the KB article 305144 you refer to)

546 is
512 (ADS_UF_NORMAL_ACCOUNT) + 32 (ADS_UF_PASSWD_NOTREQD) + 2 (ADS_UF_ACCOUNTDISABLE)

I assume you want 8389120
512 (ADS_UF_NORMAL_ACCOUNT) + 8388608 (ADS_UF_PASSWORD_EXPIRED)

But a problem is that setting the ADS_UF_PASSWORD_EXPIRED flag in the
userAccountControl attribute is not supported by Active Directory
Client Extension (a.k.a. the ADSI programming interface), see the
link I posted above.


What you can do to expire the password is setting the pwdLastSet
attribute to 0, so this code should do the trick:


'--------------------8<----------------------
' bind to the user object (placeholder DN, replace with the real one)
Set objUser = GetObject("LDAP://CN=<user>,OU=<ou>,DC=<domain>,DC=<tld>")

' configure the user account to be "normal"
' (512 = ADS_UF_NORMAL_ACCOUNT only, so this also clears
'  ADS_UF_ACCOUNTDISABLE and ADS_UF_PASSWD_NOTREQD)
objUser.Put "userAccountControl", CLng(512)

' expire password (ADS_UF_PASSWORD_EXPIRED cannot be written directly)
objUser.Put "pwdLastSet", CLng(0)

' update object
objUser.SetInfo
'--------------------8<----------------------
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
the 1328 page Scripting Guide:
http://www.microsoft.com/technet/scriptcenter/default.mspx
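The flag arithmetic in the reply above (546 = NORMAL_ACCOUNT + PASSWD_NOTREQD + ACCOUNTDISABLE, PASSWORD_EXPIRED not writable, pwdLastSet = 0 instead) is easy to get wrong when done by hand, so here is an added Python example that is not part of the thread or of the poster's script. It decodes a userAccountControl value into ADS_USER_FLAG_ENUM names, composes values with bitwise OR rather than addition (adding a flag that is already set silently corrupts the value), refuses the flag the thread says cannot be written, and produces the same two attribute writes as the VBScript while keeping any other flags the account already has (a generalization of the script, which writes exactly 512). The audit at the end runs over constructed sample accounts, not real directory data, and surfaces the flags that weaken authentication, such as the PASSWD_NOTREQD bit that was present in the original value.

```python
"""Decode, compose and audit Active Directory userAccountControl values.

Flag values are the documented ADS_USER_FLAG_ENUM bit masks referenced in the
thread. Sample accounts are constructed for illustration only.
"""

# Subset of ADS_USER_FLAG_ENUM, in ascending bit order.
ADS_UF = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PASSWORD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQUIRE_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 0x1000000,
}

# Per the thread, PASSWORD_EXPIRED cannot be set by writing userAccountControl;
# the supported way to expire a password is pwdLastSet = 0.
NOT_WRITABLE = {"PASSWORD_EXPIRED"}

# Flags that weaken authentication and are worth surfacing in an audit.
WEAK_FLAGS = {
    "PASSWD_NOTREQD", "DONT_EXPIRE_PASSWD", "DONT_REQUIRE_PREAUTH",
    "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PASSWORD_ALLOWED",
}


def decode(uac):
    """Return the names of the flags set in a userAccountControl value."""
    return [name for name, bit in ADS_UF.items() if uac & bit]


def compose(*names):
    """OR the named flags together; reject flags that cannot be written."""
    value = 0
    for name in names:
        if name in NOT_WRITABLE:
            raise ValueError(f"{name} is not settable via userAccountControl")
        value |= ADS_UF[name]
    return value


def set_flags(uac, *names):
    """Set flags idempotently (OR), unlike '+' which double-counts set bits."""
    return uac | compose(*names)


def clear_flags(uac, *names):
    """Clear the named flags, leaving all other bits untouched."""
    return uac & ~compose(*names)


def plan_force_password_change(uac):
    """Attribute writes equivalent to the thread's script, keeping other flags.

    Enables the account, drops PASSWD_NOTREQD, ensures NORMAL_ACCOUNT, and
    expires the password via pwdLastSet = 0.
    """
    new_uac = set_flags(clear_flags(uac, "ACCOUNTDISABLE", "PASSWD_NOTREQD"),
                        "NORMAL_ACCOUNT")
    return {"userAccountControl": new_uac, "pwdLastSet": 0}


# Constructed sample accounts (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("bperrier", 546),        # NORMAL + PASSWD_NOTREQD + ACCOUNTDISABLE
    ("svc-backup", 66048),    # NORMAL + DONT_EXPIRE_PASSWD
    ("legacy-app", 4194816),  # NORMAL + DONT_REQUIRE_PREAUTH
    ("jdoe", 512),            # NORMAL only
]


def audit(accounts):
    """Map each account that carries a weak flag to the list of those flags."""
    findings = {}
    for sam, uac in accounts:
        weak = [name for name in decode(uac) if name in WEAK_FLAGS]
        if weak:
            findings[sam] = weak
    return findings


if __name__ == "__main__":
    print("546 =", " + ".join(decode(546)))
    print("plan for 546:", plan_force_password_change(546))
    print("audit:", audit(SAMPLE_ACCOUNTS))
```

Bart's figure of 8389154 happens to be correct only because the PASSWORD_EXPIRED bit was not already set in 546; `set_flags` makes the same operation safe regardless of the starting value.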
Bart Perrier
2005-02-14 15:28:29 UTC
Thanks for the reply. That takes care of it for me.

Bart
Post by Torgeir Bakken (MVP)
Post by Bart Perrier
I am needing to set a large number of user accounts in an OU to prompt them
to change their password at next login. The accounts are currently disabled
giving me a value of 546. If my math is correct then I would expect the
value to be 8389154 with the password_expired value added.
When I set one of these accounts manually to Disabled and User must change
password at next logon, using the AD MMC, my value does not change as I
expect it to.
I am using the Active Directory Browser to verify the value of
UserAccountControl. With other options in this value, I have noticed that it
requires replication to occur before I will notice the change.
Any idea how to set this with a script?
http://support.microsoft.com/?id=305144
Hi
Based on ADS_USER_FLAG_ENUM documentation from
http://msdn.microsoft.com/library/en-us/adsi/adsi/ads_user_flag_enum.asp
(as well as the KB article 305144 you refer to)
546 is
512 (ADS_UF_NORMAL_ACCOUNT) + 32 (ADS_UF_PASSWD_NOTREQD) + 2 (ADS_UF_ACCOUNTDISABLE)
Post by Torgeir Bakken (MVP)
I assume you want 8389120
512 (ADS_UF_NORMAL_ACCOUNT) + 8388608 (ADS_UF_PASSWORD_EXPIRED)
But a problem is that setting the ADS_UF_PASSWORD_EXPIRED flag in the
userAccountControl attribute is not supported by Active Directory
Client Extension (a.k.a. the ADSI programming interface), see the
link I posted above.
What you can do to expire the password is setting the pwdLastSet
'--------------------8<----------------------
' configure the user account to be "normal"
objUser.Put "userAccountControl", CLng(512)
' expire password
objUser.Put "pwdLastSet", CLng(0)
' update object
objUser.SetInfo
'--------------------8<----------------------
--
torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway
Administration scripting examples and an ONLINE version of
http://www.microsoft.com/technet/scriptcenter/default.mspx