Tuesday, January 11, 2011

VBScript: OU Users Password Never Expires

Due to a user migration project, my unit needed a quick way of removing the "User must change password at next logon" setting that the migration tool applied to all users in a specific OU. I found that this setting is kept in AD under the userAccountControl property of the user object. Below is a link that explains the values. One issue that needed a workaround was disabled accounts. If you set the value for "Password Never Expires" by writing it to userAccountControl as the script below does, a disabled account is re-enabled, which wouldn't be a good thing for accounts that need to stay disabled. I solved this with a quick if statement that looks only for enabled accounts or accounts with the "User must change..." setting.

Active Directory userAccountControl Values

http://rajnishbhatia19.blogspot.com/2008/11/active-directory-useraccountcontrol.html


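'***********************************************************************************
'Script Name: OU_Users_Password_Never_Expires.vbs
'Author: Dean Bunn
'Created: 01/10/11
'Description: Set All Enabled User Accounts in an OU to Password Never Expires
'***********************************************************************************

Dim strOU, objOU, objUser, intPwdChg

' 66048 = 512 (NORMAL_ACCOUNT) + 65536 (DONT_EXPIRE_PASSWORD)
intPwdChg = 66048

' Distinguished name of the OU to process
strOU = "OU=staff,DC=mynetwork,DC=com"

Set objOU = GetObject("LDAP://" & strOU)

' Walk the direct children of the OU
For Each objUser In objOU

    If objUser.Class = "user" Then

        Set objUser = GetObject("LDAP://" & objUser.distinguishedName)

        ' Only touch accounts whose value is exactly 512 (enabled NORMAL_ACCOUNT)
        ' or 544 (512 + 32, PASSWD_NOTREQD). Disabled accounts (for example 514)
        ' are skipped, because the Put below replaces the whole value and would
        ' clear the disabled bit.
        If objUser.userAccountControl = 512 Or objUser.userAccountControl = 544 Then

            objUser.Put "userAccountControl", intPwdChg
            objUser.SetInfo

        End If

    End If

Next

WScript.Echo "All Done"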
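
As an added example (not part of the original post or the author's script), the same change done with a bitwise Or on the existing value, so the disabled bit and every other flag are kept and disabled accounts need no special case. It goes beyond the script above by also processing disabled accounts; the helper names WithNeverExpires, Describe and ApplyToOU are hypothetical, and the sample values are constructed.

```vbscript
Option Explicit

' userAccountControl bit flags (values from the ADS_USER_FLAG enumeration)
Const ADS_UF_ACCOUNTDISABLE     = &H2      ' 2
Const ADS_UF_PASSWD_NOTREQD     = &H20     ' 32
Const ADS_UF_NORMAL_ACCOUNT     = &H200    ' 512
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000  ' 65536

' Hypothetical helper: turn on "password never expires", keep every other bit
Function WithNeverExpires(uac)
    WithNeverExpires = uac Or ADS_UF_DONT_EXPIRE_PASSWD
End Function

' Hypothetical helper: name the flags (of the four above) set in a value
Function Describe(uac)
    Dim s
    s = ""
    If (uac And ADS_UF_NORMAL_ACCOUNT) <> 0 Then s = s & "NORMAL_ACCOUNT "
    If (uac And ADS_UF_ACCOUNTDISABLE) <> 0 Then s = s & "ACCOUNTDISABLE "
    If (uac And ADS_UF_PASSWD_NOTREQD) <> 0 Then s = s & "PASSWD_NOTREQD "
    If (uac And ADS_UF_DONT_EXPIRE_PASSWD) <> 0 Then s = s & "DONT_EXPIRE_PASSWD "
    Describe = Trim(s)
End Function

' Hypothetical helper: apply the masked update to the user objects in one OU
Sub ApplyToOU(ouDN)
    Dim ou, usr
    Set ou = GetObject("LDAP://" & ouDN)
    For Each usr In ou
        If usr.Class = "user" Then
            usr.Put "userAccountControl", WithNeverExpires(usr.Get("userAccountControl"))
            usr.SetInfo
        End If
    Next
End Sub

' Constructed sample values: enabled, disabled, enabled + password not required
Dim sample, masked
For Each sample In Array(512, 514, 544)
    masked = WithNeverExpires(sample)
    WScript.Echo sample & " [" & Describe(sample) & "]"
    WScript.Echo "  overwrite with 66048 -> [" & Describe(66048) & "]"
    WScript.Echo "  Or with 65536 -> " & masked & " [" & Describe(masked) & "]"
Next

' Only contacts the directory when an OU distinguished name is passed as an argument
If WScript.Arguments.Count = 1 Then ApplyToOU WScript.Arguments(0)
```

Run with cscript and no arguments, it only prints the comparison for the sample values. Note that the Or keeps PASSWD_NOTREQD on a 544 account, whereas writing 66048 drops it.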