These VBScript examples will enable you to set the user's account to a known password. What's more, you can also set the account so that once the user authenticates, they must change the password to a more secure password. This is a popular script for school and college administrators to run at the start of term.
Topics for User Must Change Password At Next Logon
Let us suppose that we want to force users to change their passwords at next logon. The solution is a VBScript that applies pwdLastSet = 0
to the user object. This has the same effect as setting the password option
manually in Active Directory Users and Computers. The result is that when users next logon, the operating system displays the change password dialog box.
If you need to deploy 'The user must change password at next logon', then one tactic that I recommend is to take the opportunity to script a new password. As this may be the first time they have used your system, the user will appreciate an easy password to type in the Ctrl Alt Delete logon box.
Our plan is to divide the mission into two parts:
Set pwdLastSet = 0. (The default is -1.) Example 1
Set a new password. Example 2
I recommend that you log on as administrator, preferably at a domain controller. Alternatively, try Remote Desktop. If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?
Let us start with some easy successes.
Instructions for Changing a User's Password at Next Logon
You should run this VBScript on a Windows Active Directory domain.
Copy and paste the example script below into notepad or a VBScript editor.
Decide whether to change the value for strContainer. Naturally, you must create a user or two in the strContainer OU.
Save the file with a .vbs extension, for example: pwdLastSet.vbs.
Double click pwdLastSet.vbs and check the Users container for strUser.
Sample Script to Change User's Password at Next Logon
' PwdLastSet.vbs
' VBS PwdLastSet force user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2010
' -----------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -----------------------------------------------'
' Important change OU= to reflect your domain
' -----------------------------------------------'
strContainer = "OU=Accounts, "
strContainer = strContainer & strDNSDomain
intCounter = 0

' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, resetting all user accounts
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
   If objUser.Class = "user" Then
      objUser.Put "PwdLastSet", intPwdValue
      objUser.SetInfo
      ' Count only the user accounts that were actually changed
      intCounter = intCounter + 1
   End If
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
   & vbCr & "Accounts changed = " & intCounter
WScript.Quit
Note 1: PwdLastSet is the key attribute (not pwdSetLast). If the value of PwdLastSet is set to zero then the user must change their password when they log on. The .SetInfo method is the equivalent of you pressing the OK button on the Active Directory Users and Computers dialog box.
Note 2: You probably need to change the strContainer from "OU=Accounts, " to one of your OUs. Did you notice the comma at the end of this string?
Note 3: From a purely scripting point of view, the neat feature is the way that the example cycles through all the accounts in the strContainer. VBScript controls this with a loop, For Each ... Next.
Note 4: Hardly a script goes by without the need of the If ... Then ... End If construction. For this example we filter the objects with the If objUser.Class = "User". My point is that the OU could also contain computers for which we have no need to set PwdLastSet.
Note 5: The Optional section, which launches Active Directory Users and
Computers, is my way of testing that the script is working.
Sample Script to Change User's Password at Next Logon and Reset the Password
' PwdLastSet Adv.vbs
' Sample VBScript to force a user to change password at next logon
' Also resets the password
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.4 - May 2010
' -----------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE, objShell
Dim strContainer, strDNSDomain, strPassword
Dim intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -----------------------------------------------'
' Important change OU= to reflect your domain
' -----------------------------------------------'
strContainer = "OU=Accounts, "
' Every user in the OU receives this same initial password
strPassword = "P@ssw0rd"
strContainer = strContainer & strDNSDomain

' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
   If objUser.Class = "user" Then
      objUser.SetPassword strPassword
      objUser.Put "PwdLastSet", intPwdValue
      objUser.SetInfo
   End If
Next

' Optional section to launch Active Directory Users and Computers
Set objShell = CreateObject("WScript.Shell")
objShell.Run "%systemroot%\system32\dsa.msc"
WScript.Quit

' End of Sample PwdLastSet Advanced VBScript
VBS PwdLastSet - Learning Points
Note 1: This script builds on Example 1 by adding SetPassword.
Note 2: You only need one .SetInfo. If you remember, this is the equivalent of pressing the OK button on the dialog box.
Note 3: Once again, make sure you use pwdLastSet, not pwdSetLast.
For those occasions when you need to force users to reset their passwords, PwdLastSet triggers the operating system to display the
necessary logon dialog boxes.
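A follow-up check, as an added example that is not one of the original page's scripts: it reads pwdLastSet back for each user in the same OU and lists the accounts still waiting for a password change, which after Example 2 are the accounts still holding the scripted password. It assumes the OU=Accounts container used above; the file name CheckPwdLastSet.vbs and the variable names are chosen for this example. Accounts with 'Password never expires' set are listed separately, because pwdLastSet = 0 does not force a change on them.

```vbscript
' CheckPwdLastSet.vbs - added example, not one of the page's scripts
' Reports which users in the OU still have pwdLastSet = 0
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Dim objRootDSE, objOU, objUser, objPwd
Dim strContainer, strReport, lngFlags
Dim intPending, intNoEffect, intChanged

' Bind to the same OU as Examples 1 and 2 (assumed: OU=Accounts)
Set objRootDSE = GetObject("LDAP://RootDSE")
strContainer = "OU=Accounts, " & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer)
intPending = 0 : intNoEffect = 0 : intChanged = 0

For Each objUser In objOU
   If objUser.Class = "user" Then
      ' pwdLastSet is a 64-bit value; ADSI returns it as an
      ' IADsLargeInteger object with HighPart and LowPart
      Set objPwd = objUser.Get("pwdLastSet")
      lngFlags = objUser.Get("userAccountControl")
      If objPwd.HighPart <> 0 Or objPwd.LowPart <> 0 Then
         ' Non-zero: the account is not flagged (a password has been set)
         intChanged = intChanged + 1
      ElseIf (lngFlags And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
         ' "Password never expires" means pwdLastSet = 0 forces nothing
         intNoEffect = intNoEffect + 1
         strReport = strReport & "NO EFFECT " & Describe(objUser, lngFlags) & vbCrLf
      Else
         intPending = intPending + 1
         strReport = strReport & "PENDING   " & Describe(objUser, lngFlags) & vbCrLf
      End If
   End If
Next

WScript.Echo strReport & "Pending change = " & intPending & vbCrLf _
   & "Flag has no effect = " & intNoEffect & vbCrLf _
   & "Password already set = " & intChanged

' Account name, marked if the account is disabled
Function Describe(objAccount, lngUAC)
   Describe = objAccount.Get("sAMAccountName")
   If (lngUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
      Describe = Describe & " (disabled)"
   End If
End Function
```

Run it with cscript so the report prints to the console rather than appearing in a message box.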