Computer Performance, VBScript

How to Script: User Must Change Password at Next Logon

Tutorial: Forcing a User to Change their Password at Next Logon

These VBScript examples will enable you to set the user's account to a known password.  What's more, you can also set the account so that once the user authenticates, they must change the password to a more secure password.  This is a popular script for school and college administrators to run at the start of term.

Our Mission and Goals

Let us suppose that we want to force users to change their passwords at next logon.  The solution is a VBScript that applies pwdLastSet = 0 to the user object.  This has the same effect as setting the password option manually in Active Directory Users and Computers.  The result is that when users next log on, the operating system displays the change password dialog box.

If you need to deploy 'The user must change password at next logon', then one tactic that I recommend is to take the opportunity to script a new password.  As this may be the first time they have used your system, the user will appreciate an easy password to type in the Ctrl Alt Delete logon box.

Our plan is to divide the mission into two parts:

  1. Set pwdLastSet = 0 (the default is -1).  Example 1
  2. Set a new password.  Example 2

Example 1 - Changing a User's Password at Next Logon

Prerequisites

I recommend that you log on as administrator, preferably at a domain controller.  Alternatively, try Remote Desktop.  If all else fails, you can try these scripts on an XP machine as a non-administrator, but why introduce extra complications?  Let us start with some easy successes.

Instructions for Changing a User's Password at Next Logon

  1. You should run this VBScript on a Windows Active Directory domain.
  2. Copy and paste the example script below into notepad or a VBScript editor.
  3. Decide whether to change the value for strContainer.  Naturally, you must create a user or two in the strContainer OU.
  4. Save the file with a .vbs extension, for example: pwdLastSet.vbs.
  5. Double click pwdLastSet.vbs and check the Users container for strUser.

Sample Script to Change User's Password at Next Logon

' PwdLastSet.vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Accounts, "
strContainer = strContainer & strDNSDomain
intCounter = 0
' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, resetting all user accounts
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
   If objUser.Class = "user" Then
      objUser.Put "PwdLastSet", intPwdValue
      objUser.SetInfo
      ' Count only the user accounts that were actually changed
      intCounter = intCounter + 1
   End If
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
& vbCr & "Accounts changed = " & intCounter
WScript.Quit

' End of Sample PwdLastSet VBScript

VBScript Tutorial - Learning Points

Note 1:  PwdLastSet is the key attribute (not pwdSetLast).  If the value of PwdLastSet is set to zero then the user must change their password when they log on.  The .SetInfo method is the equivalent of you pressing the OK button on the Active Directory Users and Computers dialog box.

Note 2:  You probably need to change the strContainer from "OU=Accounts, " to one of your OUs.  Did you notice the comma at the end of this string?

Note 3:  From a purely scripting point of view, the neat feature is the way that the example cycles through all the accounts in the strContainer.  VBScript controls this with a loop, For Each ... Next.

Note 4:  Hardly a script goes by without the need of the If ... Then ... End If construction.  For this example we filter the objects with If objUser.Class = "user".  My point is that the OU could also contain computers, for which we have no need to set PwdLastSet.

Note 5:  The Optional section, which launches Active Directory Users and Computers, is my way of testing that the script is working.

Sample Script to Change User's Password at Next Logon and Reset the Password

' PwdLastSet Adv.vbs
' Sample VBScript to force a user to change password at next logon
' Also resets the password
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.4 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE, objShell
Dim strContainer, strDNSDomain, strPassword
Dim intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "OU=Accounts, "
' Temporary password: every user in the OU receives this same value
strPassword = "P@ssw0rd"
strContainer = strContainer & strDNSDomain

' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, setting passwords for all users
Set objOU = GetObject("LDAP://" & strContainer)
For Each objUser In objOU
   If objUser.Class = "user" Then
      objUser.SetPassword strPassword
      objUser.Put "PwdLastSet", intPwdValue
      objUser.SetInfo
   End If
Next

' Optional section to launch Active Directory Users and Computers
Set objShell = CreateObject("WScript.Shell")
objShell.Run "%systemroot%\system32\dsa.msc"

WScript.Quit

' End of Sample PwdLastSet Advanced VBScript

VBScript Tutorial - Learning Points

Note 1: This script builds on Example 1 by adding SetPassword. 

Note 2: You only need one .SetInfo.  If you remember, this is the equivalent of pressing the OK button on the dialog box.

Note 3: Once again, make sure you use pwdLastSet, not pwdSetLast.
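
A read-back check for either example script, added here and not part of the original tutorial: it reports which users in the OU really have pwdLastSet = 0, and marks accounts with 'Password never expires', which are not prompted even when the flag is set.  The OU name is an assumption carried over from the examples above.

```vbscript
' Added example: audit the result of the PwdLastSet scripts
Option Explicit
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

Dim objRootDSE, objOU, objUser, objPwd
Dim strContainer, strReport, strState
Dim intUAC, intFlagged, intNotFlagged

Set objRootDSE = GetObject("LDAP://RootDSE")
' Assumption: same OU as the tutorial; change OU= to reflect your domain
strContainer = "OU=Accounts," & objRootDSE.Get("DefaultNamingContext")
Set objOU = GetObject("LDAP://" & strContainer)

intFlagged = 0 : intNotFlagged = 0 : strReport = ""
For Each objUser In objOU
   If objUser.Class = "user" Then
      ' pwdLastSet is a 64-bit value; ADSI returns it as IADsLargeInteger
      Set objPwd = objUser.Get("pwdLastSet")
      intUAC = objUser.Get("userAccountControl")
      If objPwd.HighPart = 0 And objPwd.LowPart = 0 Then
         strState = "must change"
         intFlagged = intFlagged + 1
      Else
         strState = "NOT flagged"
         intNotFlagged = intNotFlagged + 1
      End If
      ' Password never expires takes precedence over pwdLastSet = 0
      If (intUAC And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then
         strState = strState & ", password never expires (no prompt)"
      End If
      If (intUAC And ADS_UF_ACCOUNTDISABLE) <> 0 Then
         strState = strState & ", disabled"
      End If
      strReport = strReport & objUser.sAMAccountName & ": " _
         & strState & vbCrLf
   End If
Next

WScript.Echo strReport & vbCrLf & "Must change = " & intFlagged _
   & vbCrLf & "Not flagged = " & intNotFlagged
```

Run it with cscript //nologo so that the report prints to the console rather than a message box.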

Summary for PwdLastSet

For those occasions when you need to force users to reset their passwords, PwdLastSet triggers the operating system to display the necessary logon dialog boxes.


Copyright © 1999-2008 Computer Performance LTD.  All rights reserved.
