Computer Performance, VBScript

VBS PwdLastSet

User Must Change Password At Next Logon

These VBScript examples will enable you to set the users account to a known password.  What's more, you can also set the account so that once the user authenticates, they must change the password to a more secure password.  This is a popular scripts for school and college administrators to run at the start of term. 

Topics for User Must Change Password At Next Logon

 ♦

Our Mission and Goals For VBS PwdLastSetExample Script pwdlastset to set ' The User Must Change Password at Next Logon '

Let us suppose that we want to force users to change their passwords at next logon.  The solution is a VBScript that applies pwdLastSet = 0 to the user object.  This has the same effect as setting the password option manually in Active Directory Users and Computers.  The result is that when users next logon, the operating system displays the change password dialog box.

If you need to deploy, 'The user must change password at next logon', then one tactic that I recommend is to take the opportunity and script a new password.  As this maybe the first time they have used your system, the user will appreciate an easy password when to type in the Ctrl Alt Delete logon box.

Our plan is to divide the mission into two parts
Set pwdLastSet = 0.   (The default is -1) Example 1
Set a new password.  Example 2

Example 1 - Vbscript User Must Change Password at Next Logon

Prerequisites

I recommend that you logon as administrator, preferably at a domain controller.  Alternatively, try Remote Desktop.  If all else fails, you can try these script on an XP machine as a non-administrator, but why introduce extra complications?  Let us start with some easy successes.

Instructions for Changing a User's Password at Next Logon

  1. You should run this VBScript on a Windows Active Directory domain.
  2. Copy and paste the example script below into notepad or a VBScript editor.
  3. Decide whether to change the value for strContainer.  Naturally, you must create a user or two in the strContainer OU.
  4. Save the file with a .vbs extension, for example: pwdLastSet .vbs.
  5. Double click pwdLastSet .vbs and check the Users container for strUser.

Sample Script to Change User's Password at Next Logon

 

' PwdLastSet .vbs
' VBS PwdLastSet force user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2010
' -----------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -----------------------------------------------'
' Important change OU= to reflect your domain
' -----------------------------------------------'
strContainer = "OU=Accounts, "
strContainer = strContainer & strDNSDomain
intCounter = 0
' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, resetting all user accounts
set objOU =GetObject("LDAP://" & strContainer )
For each objUser in objOU
   If objUser.class="user" then
      objUser.Put "PwdLastSet", intPwdValue
      objUser.SetInfo
   End If
intCounter = intCounter +1
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
& vbCr & "Accounts changed = " & intCounter
WScript.Quit

' End of Sample PwdLastSet VBScript

VBS PwdLastSet Tutorial - Learning Points

Note 1:  PwdLastSet is the key attribute (not pwdSetLast).  If the value of PwdLastSet is set to zero then the user must change their password when the logon.  The .SetInfo method is the equivalent of you pressing the OK button on the Active Directory Users and Computers dialog box.

Note 2:  You probably need to change the strContainer from 'OU=Accounts, " to one of your OUs.  Did you notice the comma at the end of this string?

Note 3:  From a purely scripting point of view, the neat feature is the way that the example cycles through all the accounts in the strContainer.  VBScript controls this with a loop, For Each.... next.

Note 4:  Hardly a script goes by without the need of the If... then end if construction.  For this example we filter the objects with the If objUser.Class = "User".  My point is the that OU could also contain computers for which we have no need to set PwdLastSet.

Note 5:  The Optional section, which launches Active Directory Users and Computers, is my way of testing that the script is working.

Guy Recommends:  SolarWinds' Free Bulk Import ToolFree Download Solarwinds Bulk Import Tool

Import users from a spreadsheet.  Just provide a list of the users with their fields in the top row, and save as .csv file.  Then launch this FREE utility and match your fields with AD's attributes, click and import the users.

Optionally, you can provide the name of the OU where the new accounts will be born. Download your FREE bulk import tool.

If you need more comprehensive software, download a free trial of SAM (Server & Application Monitor)

Sample Script to Change User's Password at Next Logon and Reset the Password

 

' PwdLastSet Adv.vbs
' Sample VBScript to force a user to change password at next logon
' Also resets the password
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.4 - May 2010
' -----------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE, objShell
Dim strContainer, strDNSDomain, strPassword
Dim intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -----------------------------------------------'
' Important change OU= to reflect your domain
' -----------------------------------------------'
strContainer = "OU=Accounts, "
strPassword = "P@ssw0rd"
strContainer = strContainer & strDNSDomain

' Here we force a change of password at next logon
intPwdValue = 0

' Loop through OU=, setting passwords for all users
set objOU =GetObject("LDAP://" & strContainer )
For each objUser in objOU
If objUser.class="user" then
objUser.SetPassword strPassword
objUser.Put "PwdLastSet", intPwdValue
objUser.SetInfo
End If
Next
' Optional section to launch Active Directory Uses and Computers
Set objShell=CreateObject("WScript.Shell")
objShell.Run "%systemroot%\system32\dsa.msc"

WScript.Quit

' End of Sample PwdLastSet Advanced VBScript

VBS PwdLastSet - Learning Points

Note 1: This script builds on Example 1 by adding SetPassword. 

Note 2: You only need one .SetInfo.  If you remember this is the equivalent of pressing the OK button on the dialog box.

Note 3: Once again make sure you use pwdLastSet not pwdSetLast

Summary for PwdLastSet

For those occasions when you need to force users to reset their passwords, PwdLastSet triggers the operating system to display the necessary logon dialog boxes.

If you like this page then please share it with your friends

 


See more VBScript examples:

VBScript create users   • VBScript create contact   • Create contact Exchange   • VBS PwdLastSet

VBScript create computer   • PowerShell create computer from spreadsheet   • Free Import Users Tool

VBScript change password  • VBScript to create group   • SolarWinds Free WMI Monitor

 *


Custom Search

Site Home

Guy Recommends: WMI Monitor for PowershellSolarwinds WMI Monitor

Windows Management Instrumentation (WMI) is most useful for PowerShell scripting.

SolarWinds have produced this Free WMI Monitor to take the guess work out of which WMI counters to use for applications like Microsoft Active Directory, SQL or Exchange Server.

Download your free copy of WMI Monitor

Author: Guy Thomas Copyright © 1999-2017 Computer Performance LTD All rights reserved.

Please report a broken link, or an error to: