Extend Users' Passwords

    Question

  • I have never had to use Active Directory or Group Policy, except to do basic stuff like unlock accounts, etc.

    Can anyone tell me how to extend all of my users' passwords?

    I am using WinServer 2008 R2. We are almost done switching to AD from Novell. During the transition, expiring passwords are causing a bunch of problems. I want to extend all of my users' passwords so nobody will expire until we are completely finished with the transition. In the Group Policy Management Editor, we changed the Maximum Password Age from 120 to 180 days. This was applied to the container where all of our users are located, but we still have passwords expiring. Does the 180 only get applied after the user changes their password next? Or is there something I am missing?

     

    Thanks


    Chad L. Hutson
    Owner, CPU Vet
    www.cpuvet.com
    Monday, October 03, 2011 5:03 PM

Answers

  • Hi,

     GPOs with password policy settings must be linked at the domain level. If you are changing the settings for everyone, I would change the setting in the Default Domain Policy (this is one of the few settings that should be stored in that policy).

     Password policies can be configured to apply to groups of users using fine grained password policies but I'm not sure that's needed in your situation. If you want to learn more about this option, see: http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx

    Note that the time period is counted from when the user last changed their password so anyone who has had the same password for 180 days or more will still be prompted to change their password.

     

    Thanks,

    Guy

    Monday, October 03, 2011 5:48 PM
  • Hi,

     

    I agree with Guy Yardeni. In addition, you may also consider resetting the passwords for all the users, so that they will have 180 days before the passwords expire.

     

    To change the password for all the users in an OU, you may reference and modify the following VBScript sample:

     

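    ' Resets the password of every user under one OU and forces a change at next logon.
    Dim oRootDSE, oDomain, obj, objUser, oConnection, oCommand
    Dim RS, strQuery, strAlias, varDomainNC, varOU

    ' Note: with this setting, failures (for example a password rejected by policy) are skipped silently.
    On Error Resume Next

    ' Read the distinguished name of the current domain
    Set oRootDSE = GetObject("LDAP://RootDSE")
    varDomainNC = oRootDSE.Get("defaultNamingContext")

    Set oConnection = CreateObject("ADODB.Connection")
    oConnection.Open "Provider=ADsDSOObject;"

    ' OU to process (keep the trailing comma; the domain DN is appended to it)
    varOU = "OU=Temp,"

    ' All user objects below the OU. objectclass=user also matches computer accounts,
    ' so the OU should contain only the people whose passwords are to be reset.
    strQuery = "<LDAP://" & varOU & varDomainNC & ">;(objectclass=user);adspath;subtree"

    Set oCommand = CreateObject("ADODB.Command")
    oCommand.ActiveConnection = oConnection
    oCommand.CommandText = strQuery

    Set RS = oCommand.Execute
    WScript.Echo RS.RecordCount & " users found"
    If RS.RecordCount = 0 Then
        WScript.Echo strAlias, "There are no users"
    Else
        While Not RS.EOF
            Set objUser = GetObject(RS.Fields("adspath").Value)
            WScript.Echo "Alias:    " & objUser.name
            ' Every account receives the same temporary password ...
            objUser.SetPassword "Passw0rd"
            ' ... and pwdLastSet = 0 marks it as expired, so the user must change it at next logon
            objUser.Put "pwdLastSet", 0
            objUser.SetInfo
            RS.MoveNext
        Wend
        WScript.Echo "Password Reset Complete"
        Set obj = Nothing
        Set objUser = Nothing
    End If

    ' Release the objects
    Set oRootDSE = Nothing
    Set oDomain = Nothing
    Set oConnection = Nothing
    Set oCommand = Nothing
    Set RS = Nothing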

     

    If you encounter any difficulties when customizing the scripts, you may submit a new question in The Official Scripting Guys Forum!, which is the best resource for scripting-related issues.

     

    The Official Scripting Guys Forum!

    http://social.technet.microsoft.com/Forums/en/ITCG/threads

     

    For more information, please refer to the following Microsoft links:

     

    Change the Password for All the Users in an OU

    http://gallery.technet.microsoft.com/ScriptCenter/d8f02118-e63b-4fe8-8c1b-cf9f3848f5a3/

     

    Require Users to Change Their Password the Next Time They Logon

    http://gallery.technet.microsoft.com/ScriptCenter/fdd39062-f78b-4dea-bf1a-90739f53b38f/

     

    Regards,


    Tuesday, October 04, 2011 7:48 AM
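
The expiry rule both answers rely on (the age is counted from the last password change, and pwdLastSet = 0 forces a change at next logon), as an added PowerShell example that is not part of the thread. `Get-PasswordExpiry` and the sample accounts are constructed for illustration, and nothing is read from a domain.

```powershell
# Added example; Get-PasswordExpiry and the accounts below are constructed.
# Real inputs would come from Get-ADUser -Properties pwdLastSet,PasswordNeverExpires
# and (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.
function Get-PasswordExpiry {
    param(
        [Parameter(Mandatory=$true)] [string] $Name,
        [Parameter(Mandatory=$true)] [long]   $PwdLastSet,   # FILETIME: 100 ns ticks since 1601, UTC
        [Parameter(Mandatory=$true)] [int]    $MaxPasswordAgeDays,
        [bool]     $PasswordNeverExpires = $false,
        [datetime] $Now = (Get-Date).ToUniversalTime()
    )
    $expires = $null
    if ($PasswordNeverExpires) {
        $status = 'NeverExpires'             # per-account flag overrides the policy
    } elseif ($PwdLastSet -eq 0) {
        $status = 'MustChangeAtNextLogon'    # the state the VBScript leaves accounts in
    } elseif ($MaxPasswordAgeDays -eq 0) {
        $status = 'NeverExpires'             # a maximum age of 0 disables expiry
    } else {
        # Age is counted from the last change, not from when the policy was edited.
        $expires = [datetime]::FromFileTimeUtc($PwdLastSet).AddDays($MaxPasswordAgeDays)
        if ($expires -le $Now) { $status = 'Expired' } else { $status = 'Valid' }
    }
    New-Object PSObject -Property @{ Name = $Name; Status = $status; ExpiresUtc = $expires } |
        Select-Object Name, Status, ExpiresUtc
}

# Constructed sample data, evaluated at a fixed date so the output is repeatable.
$now = [datetime]::SpecifyKind([datetime]'2011-10-04', [DateTimeKind]::Utc)
$accounts = @(
    @{ Name = 'alice'; PwdLastSet = $now.AddDays(-30).ToFileTimeUtc()  },
    @{ Name = 'bob';   PwdLastSet = $now.AddDays(-150).ToFileTimeUtc() },
    @{ Name = 'carol'; PwdLastSet = $now.AddDays(-200).ToFileTimeUtc() },
    @{ Name = 'dave';  PwdLastSet = 0 }
)

# Compare the old 120-day policy with the new 180-day one.
foreach ($days in 120, 180) {
    "Maximum password age: $days days"
    $accounts | ForEach-Object {
        Get-PasswordExpiry -Name $_.Name -PwdLastSet $_.PwdLastSet `
            -MaxPasswordAgeDays $days -Now $now
    } | Format-Table -AutoSize | Out-String
}
```

Only accounts whose last password change is less than 180 days old gain anything from the longer maximum age; older ones stay expired until the password is changed or reset.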

All replies

  • For your reading entertainment.

    WHEN WILL THE PASSWORD EXPIRE FOR AN AD USER ACCOUNT AND WHAT HAPPENS THEN

    http://blogs.dirteam.com/blogs/jorge/archive/2011/02/13/when-will-the-password-expire-for-an-ad-user-account-and-what-happens-then.aspx

    PASSWORD POLICIES AND ACCOUNT LOCKOUT POLICIES WITHIN AN AD DOMAIN (PART 1)

    http://blogs.dirteam.com/blogs/jorge/archive/2010/09/28/password-policies-and-account-lockout-policies-within-an-ad-domain-part-1.aspx

    PASSWORD POLICIES AND ACCOUNT LOCKOUT POLICIES WITHIN AN AD DOMAIN (PART 2)

    http://blogs.dirteam.com/blogs/jorge/archive/2010/09/28/password-policies-and-account-lockout-policies-within-an-ad-domain-part-2.aspx

     


    Best regards Biswajit Biswas Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
    Tuesday, October 04, 2011 2:18 AM
  • The purpose of extending the password expiration for everyone is so I don't have to go help 40 people change their passwords.  Right now, I have to log them into one of the few Novell VMs that are left so they can change it in there and then they have to change it on MS also.  The next part of this project is to get Groupwise to authenticate using AD instead of Novell.  At that point, the user should be able to change their own password without any help.  Then I hope it won't be too long before we are on Outlook with Exchange.

    Could anyone provide a short, step-by-step procedure for extending the password expiration for every user on the domain?


    Chad L. Hutson
    Owner, CPU Vet
    www.cpuvet.com
    Tuesday, October 04, 2011 3:21 PM
  • Hi,

     

    I would like to confirm whether you have tried the suggestions above, and what the current situation is. If there is anything that I can do for you, please do not hesitate to let me know, and I will be happy to help.

     

    Regards,


    Monday, October 17, 2011 3:37 AM