Tuesday, January 11, 2011

VBScript: OU Users Password Never Expires

Due to a user migration project, my unit needed a quick way of removing the "User must change password at next logon" setting caused by the migration tool for all users in a specific OU. Found that this setting is kept in AD under the userAccountControl property of the user object. Below is a link that explains the values. One issue that needed a workaround was disabled accounts. If you set the value for "Password Never Expires" then a disabled account is re-enabled, which wouldn't be a good thing for accounts that needed to stay disabled. Solved this by a quick if statement that looks for only enabled accounts or accounts with the "User must change..." setting.

Active Directory userAccountControl Values


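'Script Name: OU_Users_Password_Never_Expires.vbs
'Author: Dean Bunn
'Created: 01/10/11
'Description: Set All Enabled User Accounts in an OU to Password Never Expires

dim strOU, objOU, objUser, intPwdChg

'66048 = NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWD (65536)
intPwdChg = 66048

'Distinguished name of the target OU (placeholder value, replace with your own)
strOU = "OU=YourOU,DC=example,DC=com"

set objOU = GetObject("LDAP://" & strOU)

for each objUser in objOU

    if objUser.Class = "user" then

        'Re-bind directly to the user object
        set objUser = GetObject("LDAP://" & objUser.distinguishedName)

        'Only change enabled accounts: 512 = NORMAL_ACCOUNT, 544 = 512 + PASSWD_NOTREQD (32)
        if objUser.userAccountControl = 512 OR objUser.userAccountControl = 544 then

            objUser.Put "userAccountControl", intPwdChg
            'Commit the change to the directory; Put alone only updates the local cache
            objUser.SetInfo

        end if

    end if

next

wscript.echo "All Done"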
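
Added example (not part of the original script): the disabled-account side effect described above comes from overwriting the whole userAccountControl value, and this standalone script decodes the flags to show that an overwrite with 66048 clears the disabled bit while OR-ing in 65536 keeps every other bit as it was. The helper names DescribeUac and WithPasswordNeverExpires and the sample values are constructed for illustration; it runs under cscript without touching AD.

```vbscript
Option Explicit

' userAccountControl bit flags (ADSI ADS_USER_FLAG_ENUM values)
Const ADS_UF_ACCOUNTDISABLE     = &H0002   ' 2
Const ADS_UF_PASSWD_NOTREQD     = &H0020   ' 32
Const ADS_UF_NORMAL_ACCOUNT     = &H0200   ' 512
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000  ' 65536

' Hypothetical helper: list the flags set in a userAccountControl value
Function DescribeUac(intUac)
    Dim strOut
    strOut = ""
    If intUac And ADS_UF_NORMAL_ACCOUNT Then strOut = strOut & "NORMAL_ACCOUNT "
    If intUac And ADS_UF_ACCOUNTDISABLE Then strOut = strOut & "ACCOUNTDISABLE "
    If intUac And ADS_UF_PASSWD_NOTREQD Then strOut = strOut & "PASSWD_NOTREQD "
    If intUac And ADS_UF_DONT_EXPIRE_PASSWD Then strOut = strOut & "DONT_EXPIRE_PASSWD "
    DescribeUac = Trim(strOut)
End Function

' Hypothetical helper: add "password never expires" and leave all other bits alone
Function WithPasswordNeverExpires(intUac)
    WithPasswordNeverExpires = intUac Or ADS_UF_DONT_EXPIRE_PASSWD
End Function

Dim arrSample, intUac, intNew
' Constructed sample values: enabled, disabled, enabled + PASSWD_NOTREQD, disabled + PASSWD_NOTREQD
arrSample = Array(512, 514, 544, 546)

For Each intUac In arrSample
    intNew = WithPasswordNeverExpires(intUac)
    WScript.Echo intUac & " (" & DescribeUac(intUac) & ")"
    ' Overwriting replaces every bit, so ACCOUNTDISABLE is lost on 514 and 546
    WScript.Echo "  overwrite with 66048 -> 66048 (" & DescribeUac(66048) & ")"
    ' OR-ing only adds the one bit, so a disabled account stays disabled
    WScript.Echo "  Or with 65536        -> " & intNew & " (" & DescribeUac(intNew) & ")"
Next
```

The OR form also leaves PASSWD_NOTREQD set on 544 and 546, whereas the overwrite in the script above clears it, so check which of the two outcomes you want before applying either to an OU.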