Title: Set UserAccountControl
There are a couple of issues here.

1. As was previously pointed out, these settings are mutually exclusive. An account that is marked as "user must change password at next logon" is, in reality, marked in the background as having an expired password.

2. You can't read or set "user must change password" in userAccountControl when using LDAP; this is now controlled by pwdLastSet. A value of zero means that the account is currently in need of having a password set on it, or immediately expired. Any other value tells you when the password was last set.

3. In your remark, you are backwards on which flags are which, plus one is actually wrong. Password never expires is ADS_UF_DONT_EXPIRE_PASSWD, which is 0x10000 or 65536. 0x80000 (524288) is ADS_UF_TRUSTED_FOR_DELEGATION, which is quite different. I believe you might have been shooting for 0x800000 (8388608) for ADS_UF_PASSWORD_EXPIRED, but again, in AD and using LDAP this flag is not used.
To further expand on #1 and #2 above, think about it in terms of code flow. In Windows, the ADS_UF_DONT_EXPIRE_PASSWD flag is set to tell the OS that a password on a given account never has to be changed because it never expires. A value of zero in pwdLastSet is the hard mechanism of saying an account is expired. A value in pwdLastSet equal to the date that is the password-expiration-policy number of days ago is the soft mechanism for saying an account is expired. When the OS looks at an account for expiration, the first thing it will do is look at the flag to see if an account CAN be expired. If the account is flagged with ADS_UF_DONT_EXPIRE_PASSWD there is no point in even looking at pwdLastSet, because its value means nothing to the OS.
The preference, of course, is to not have non-expiring user IDs at all. Why of course? Because people tend not to change them, of course. If you don't think that having passwords changed on a regular basis gives you additional security, turn it off for your entire domain and forest; don't do it for one-off accounts. The thing is, most people believe that changing passwords on a regular basis gives them additional security by making it harder to guess over the long term, or cuts off people who found out the old password and no longer have it now that it has changed. So you have this belief that changing passwords makes you more secure, yet you want to take some IDs, usually critical admin or application IDs, and make them more insecure. The argument here that often comes up is that you don't want to avoid changing passwords... of course not, that would be silly, you actually just want to have better control of changing passwords and not be forced to unless you are ready to.... My answer to that... be ready sooner than the normal policy. Policy says you need to change it every 90 days and you will be forced at that point; change it when you hit 60 days or 80 days or, better yet, since this ID is so important, every 30 days. See http://blog.joeware.net/2005/05/08/10/ for a little more on this topic.
Since I wrote that blog entry it was suggested to me once that setting a password expiration policy doesn't increase security, has never been proven to do so, and is in fact simply a common misconception pushed forward by various security groups and the industry as a whole but never really looked at seriously. Instead of a password expiration policy, it was said that you should have a sufficient length and complexity policy to block brute force / guessing techniques. I don't happen to agree with that argument, but I can see where the viewpoint is coming from and how setting an expiration policy too low can cause insecure reactions from users, such as using a password template for their passwords (password will be SomeGoodPassword1 then SomeGoodPassword2, or Winter2005, Spring2006, Summer2006, etc).
joe
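An added example (not part of either post) that encodes the flag values and the pwdLastSet semantics joe describes and evaluates an account in the order he gives: the flag first, pwdLastSet only if the flag allows expiry. The ADS_UF_* constants are the ones quoted above; the 90-day policy is the figure used in the thread and is assumed rather than read from AD; audit_account and the sample timestamps are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bits quoted in the thread (documented ADS_UF_* values).
ADS_UF_NORMAL_ACCOUNT = 0x200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000      # 65536: password never expires
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000  # 524288: what Moncho's script actually writes
ADS_UF_PASSWORD_EXPIRED = 0x800000       # 8388608: not honoured by AD over LDAP

# pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC); 0 means "must change".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2006, 6, 1, tzinfo=timezone.utc)  # constructed reference time

def pwdlastset_to_datetime(pwd_last_set):
    """Return the last-set time, or None for the hard 'must change at next logon' marker."""
    if pwd_last_set == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=pwd_last_set // 10)

def datetime_to_pwdlastset(when):
    """Inverse conversion; only used here to build sample attribute values."""
    return (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def sample_pwdlastset(days_before_now):
    """Constructed pwdLastSet for a password set N days before SAMPLE_NOW."""
    return datetime_to_pwdlastset(SAMPLE_NOW - timedelta(days=days_before_now))

def audit_account(uac, pwd_last_set, now=SAMPLE_NOW, max_age_days=90):
    """Evaluate in the order joe describes: the flag first, pwdLastSet only if it matters.

    max_age_days=90 is the policy figure used in the thread, assumed rather than read from AD.
    """
    findings = []
    if uac & ADS_UF_TRUSTED_FOR_DELEGATION:
        # 0x80000 is delegation, not "password never expires": worth a review finding.
        findings.append("trusted_for_delegation")
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        findings.append("never_expires")
        if pwd_last_set == 0:
            # Both set: the OS stops at the flag, so "must change" is silently ignored.
            findings.append("contradictory")
        return findings
    last_set = pwdlastset_to_datetime(pwd_last_set)
    if last_set is None:
        findings.append("must_change")                    # hard mechanism
    elif now - last_set >= timedelta(days=max_age_days):
        findings.append("expired")                        # soft mechanism
    return findings
```

Run against real values, the "contradictory" and "trusted_for_delegation" findings are the two cases a reviewer of the script in the original post would want surfaced.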
Hi,

Is there any possibility of setting both properties, "Password never expires" and "User must change password at next logon"?

I tried with this script, but I can't:
------------------------------
' Search the OU for user objects through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
m = 0
strOU = "cn=test,ou=usuarios,ou=XXXXXXX"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.Properties("Size Limit") = 1001
objCommand.Properties("Cache Results") = False
objCommand.Properties("Page Size") = 1001
objCommand.CommandText = _
    "<LDAP://" & strOU & ",dc=asp,dc=mundo-r,dc=com>;(objectCategory=user)" & _
    ";distinguishedName,name,mail,ADsPath;subtree"
Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
    strADsPath = objRecordSet.Fields("ADsPath").Value
    Set objUser = GetObject(strADsPath)
    ' 0x80000 + 0x10200 = pass never exp + user must change
    objUser.Put "UserAccountControl", 524288
    objUser.SetInfo
    wscript.echo strADsPath & ";" & objUser.UserAccountControl
    m = m + 1
    objRecordSet.MoveNext
Wend
objConnection.Close
wscript.echo "Numero objetos afectados: " & m
------------------------------------------------------------------------------
Thanks,
Moncho