Guy’s Scripting Ezine 50 – pwdLastSet


This Week’s Secret

This time last year, I never thought that we would get to 50 editions of my ezine.  Next week I am planning to celebrate with an ebook of all 50 ezines; naturally, it will be free.  My only worry is making sure that all subscribers get a copy, and that is why I set the default ezine to plain text this week.  So if you don’t like plain text then please edit your preferences.

Last week I could not help noticing that 5 emails in a row came from people whose first language was not English.  I felt humble because I cannot speak, let alone write, in French, German, Spanish or Italian.  My other feeling was how lucky I am to be raised in a country whose language has been adopted by much of the web.

This week’s theme is readers’ letters

One of the true joys of editing an ezine is opening the letters that people send in. Your readers’ letters really complement my rough and ready style with my ‘let’s get started’ mantra. On the one hand, I guess people feel nothing is too simple to write about, while on the other hand people are not shy to point out improvements to my scripts. Here are some examples that I would like to share with you.

Ulrich P has sent in a neat improvement for my Set Password Script.  In fact, Ulrich’s VBScript is the main feature of this week’s ezine.

Stephane has sent me the URL of his site which creates custom ActiveX components.  I would like to know more of this application of VBScript myself.

Mark P. emailed me with the world’s toughest 800 code error: 0x80041001  "Call failed".  This wins the biscuit for the most obscure and least helpful of the code error messages.  In fact, the whole 0x80041xxx series is pretty low on information.  I will investigate and post any updates in my Code 800 section of the computerperformance.co.uk web site.

John G. has finally found a way of mapping printers before users log on.  This is his idea:
rundll32 printui.dll,PrintUIEntry /b "DisplayPrinterName on http" /x /n "part of the n switch" /if /f %windir%\inf\ntprint.inf /r "http://hostname/printers/sharename/.printer" /m "printer name"

This Week’s Mission – master pwdLastSet

Suppose you want to force users to change their passwords at next logon.  The secret is to set pwdLastSet = 0, which makes Active Directory display the change password dialog box when the user next logs on.  One tactic is to email new users an ‘easy’ password, then ensure they secure their user account by choosing a new password which is known only to themselves.

Instructions

  1. Important: Which OU will you use?  My script uses OU=accounts.  Either create such an OU, or change the script to reflect YOUR ou=????????.
  2. Make sure the OU has 2 or 3 users.  If you test the script on a server, grant the users the right to log on locally.  (Make them a member of the Server Operators group).
  3. Copy and paste the script below into notepad.
  4. Save the file with .vbs extension e.g. PwdLastSet.vbs.
  5. Double click and examine the message boxes.
  6. Attempt to log on as a user in your OU=

' PwdLastSet.vbs
' Example VBScript to FORCE a user's password change
' Author Ulrich P amended by Guy Thomas
' Version 2.0 - October 17th 2004
' ---------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strLastUser, strDNSDomain, strPassword
Dim intCounter, intAccValue, intPwdValue

' Bind to RootDSE to discover the domain's distinguished name
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
' 544 = 512 (NORMAL_ACCOUNT) + 32 (PASSWD_NOTREQD)
intAccValue = 544
' 0 = user must change password at next logon
intPwdValue = 0

' --------------------------------------------------------'
' Important change OU= to reflect your domain
' --------------------------------------------------------'

strContainer = "OU=Accounts, "
strPassword = "P@ssw0rd"

' -------------------------------------------------------'
' Makes the user change P@ssw0rd at first logon
' -------------------------------------------------------'

strContainer = strContainer & strDNSDomain

Set objOU = GetObject("LDAP://" & strContainer)
intCounter = 0
For Each objUser In objOU
    ' Skip computers, groups and other non-user objects in the OU
    If objUser.Class = "user" Then
        ' Reset the password to the known starting value
        objUser.SetPassword strPassword
        objUser.SetInfo

        ' Expire the password so it must be changed at next logon
        objUser.Put "pwdLastSet", intPwdValue
        objUser.SetInfo

        ' Apply the account flags
        objUser.Put "userAccountControl", intAccValue
        objUser.SetInfo
        intCounter = intCounter + 1
        strLastUser = objUser.Get("name")
    End If
Next

WScript.Echo strPassword & " is Password. UserAccountValue = " _
    & intAccValue
WScript.Quit

' End of Script

Learning Points

Note 1: The change password part of the script was featured in Ezine 23; I have now added an extra section which sets UserAccountControl values.

Note 2: In order to work properly, UserAccountControl = 544 must also have: pwdLastSet = 0.  Do feel free to experiment with other UserAccountControl settings.  If you find anything interesting do let me know.

Note 3: If you are troubleshooting your own script, check strContainer = "OU=Accounts, "
Also, if you are testing on a server, ensure that the user can log on locally.

Note 4: Try the script without the following two lines.  (I use an ' [apostrophe] to rem out the lines.)

objUser.Put "pwdLastSet", intPwdValue
objUser.SetInfo

Note 5: When you set pwdLastSet to zero it forces users to change their passwords at next logon.

Note 6: Admire the construction:  For Each ... Next.

Note 7: The statement:  If objUser.class="user" Then ...  is designed to separate users from other objects such as computers.  Did you spot the End If?

Note 8: Experiment with variations of the WScript.Echo command.
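
An added example (not part of the original ezine or of Ulrich's script): a small decoder showing what the script's userAccountControl value of 544 and pwdLastSet = 0 mean together, run on constructed sample values.  The function names and the sample accounts are hypothetical; save it with a .vbs extension and run it like the script above.

```vbscript
' CheckPwdState.vbs - added example, not from the original ezine
' Decodes userAccountControl and pwdLastSet to show whether an account
' really is forced to change its password at next logon.
Option Explicit

Const UF_ACCOUNTDISABLE     = &H2      ' 2
Const UF_PASSWD_NOTREQD     = &H20     ' 32
Const UF_NORMAL_ACCOUNT     = &H200    ' 512
Const UF_DONT_EXPIRE_PASSWD = &H10000  ' 65536

' Return the names of the flags set in a userAccountControl value
Function DescribeUAC(intUAC)
    Dim strOut
    strOut = ""
    If (intUAC And UF_NORMAL_ACCOUNT) <> 0 Then strOut = strOut & "NORMAL_ACCOUNT "
    If (intUAC And UF_ACCOUNTDISABLE) <> 0 Then strOut = strOut & "ACCOUNTDISABLE "
    If (intUAC And UF_PASSWD_NOTREQD) <> 0 Then strOut = strOut & "PASSWD_NOTREQD "
    If (intUAC And UF_DONT_EXPIRE_PASSWD) <> 0 Then strOut = strOut & "DONT_EXPIRE_PASSWD "
    DescribeUAC = Trim(strOut)
End Function

' pwdLastSet is a 64-bit value that ADSI returns as HighPart / LowPart.
' Zero forces a change, unless DONT_EXPIRE_PASSWD overrides it.
Function MustChangeAtLogon(intUAC, lngHigh, lngLow)
    MustChangeAtLogon = (lngHigh = 0 And lngLow = 0) _
        And ((intUAC And UF_DONT_EXPIRE_PASSWD) = 0)
End Function

' Build one report line for an account
Function Report(strName, intUAC, lngHigh, lngLow)
    Dim strLine
    strLine = strName & ": UAC " & intUAC & " = " & DescribeUAC(intUAC)
    If MustChangeAtLogon(intUAC, lngHigh, lngLow) Then
        strLine = strLine & " | change forced at next logon"
    Else
        strLine = strLine & " | change NOT forced"
    End If
    If (intUAC And UF_PASSWD_NOTREQD) <> 0 Then
        strLine = strLine & " | blank password allowed"
    End If
    Report = strLine
End Function

' Constructed sample values, not read from a real directory
WScript.Echo Report("after PwdLastSet.vbs", 544, 0, 0)
WScript.Echo Report("ordinary enabled user", 512, 30000000, 123456789)
WScript.Echo Report("never-expires account", 66048, 0, 0)
```

Against a live OU, pass objUser.Get("userAccountControl") and the HighPart and LowPart of the object returned by objUser.Get("pwdLastSet").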

 

Summary pwdLastSet

pwdLastSet is a useful addition to your password-changing toolkit.  Setting this attribute forces users to change their password at next logon.  Naturally, to get the user to change their password, you need to set a value of zero.
