Basically, how it works is that an Active Directory domain has a property for expired passwords (the last time the pwd was set). When the property becomes 0, that means the password has expired and must be changed. Upon changing the password, this property gets set to the time of the change. I'm not sure if this is documented, but if you set this property to -1 (when it is set to 0), it sets the current date/time as the last pwd changed time. If you set the property to -1 and the property is not 0, then nothing happens. So, we created an OU just for these service accounts and I made a script to do the rest. Here's my implementation.
#AutoIt3Wrapper_Change2CUI=y
; Bind to the domain and to the OU that holds the service accounts
$objRootDSE = ObjGet("LDAP://RootDSE")
$strDNSDomain = $objRootDSE.Get("DefaultNamingContext")
$strContainer = "OU=Service_Accounts," & $strDNSDomain
$objOU = ObjGet("LDAP://" & $strContainer)
For $objUser In $objOU
    ConsoleWrite($objUser.name & @CRLF)
    ; $objUser.name is the RDN (CN=...), so append the container to get the full path
    $objUsr = ObjGet("LDAP://" & $objUser.name & "," & $strContainer)
    ; 0 = expire the password; -1 afterwards stamps the current date/time
    $objUsr.Put("PwdLastSet", 0)
    $objUsr.SetInfo
    $objUsr.Put("PwdLastSet", -1)
    $objUsr.SetInfo
Next
Here's one that works for Local Accounts.
#AutoIt3Wrapper_Change2CUI=y
; Walk the members of the local Administrators group
$objOU = ObjGet("WinNT://" & @ComputerName & "/Administrators")
For $objUser In $objOU.Members
    ConsoleWrite($objUser.name & @CRLF)
    $objUsr = ObjGet("WinNT://" & @ComputerName & "/" & $objUser.name)
    ; Members that are not local accounts (e.g. domain users) will not bind, so skip them
    If IsObj($objUsr) Then
        ; 1 = expire the password; 0 afterwards clears the expired flag
        $objUsr.Put("PasswordExpired", 1)
        $objUsr.SetInfo
        $objUsr.Put("PasswordExpired", 0)
        $objUsr.SetInfo
    EndIf
Next
Edited by spudw2k, 16 June 2010 - 11:40 PM.
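As an added example (not part of the post above), the following Python models the pwdLastSet behaviour the post relies on, i.e. writing 0 expires the password and writing -1 stamps the current time only when the stored value is 0, and adds the audit a defender would run before and after such a script: which accounts are already in the must-change state and which are older than policy. The FILETIME encoding (100-nanosecond intervals since 1601-01-01 UTC) is how the attribute is actually stored; the account names and max-age value are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is stored as a Windows FILETIME: 100-nanosecond intervals
# since 1601-01-01 UTC. 0 means "expired, must change at next logon".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MUST_CHANGE = 0

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def write_pwdlastset(current: int, value: int, now: datetime) -> int:
    """Model of the two writable values as the post describes them:
    0 expires the password; -1 stamps the current time, but only when the
    stored value is 0, otherwise the write is a no-op."""
    if value == 0:
        return MUST_CHANGE
    if value == -1:
        return datetime_to_filetime(now) if current == MUST_CHANGE else current
    raise ValueError("pwdLastSet accepts only 0 or -1 on write")

def reset_password_age(current: int, now: datetime) -> int:
    """The post's two-step write (0, then -1) restarts the age clock."""
    return write_pwdlastset(write_pwdlastset(current, 0, now), -1, now)

def audit(accounts: dict, now: datetime, max_age_days: int) -> dict:
    """Report accounts already expired and accounts older than policy."""
    report = {"must_change": [], "over_max_age": []}
    for name, ft in accounts.items():
        if ft == MUST_CHANGE:
            report["must_change"].append(name)
        elif now - filetime_to_datetime(ft) > timedelta(days=max_age_days):
            report["over_max_age"].append(name)
    return report

# Constructed sample data (hypothetical account names), not real directory values.
NOW = datetime(2010, 6, 16, 23, 40, tzinfo=timezone.utc)
SAMPLE = {
    "svc_backup": MUST_CHANGE,
    "svc_sql": datetime_to_filetime(NOW - timedelta(days=400)),
    "svc_web": datetime_to_filetime(NOW - timedelta(days=10)),
}

if __name__ == "__main__":
    print(audit(SAMPLE, NOW, 90))
    for name, ft in SAMPLE.items():
        print(name, filetime_to_datetime(reset_password_age(ft, NOW)))
```

Running the audit before the script shows who is already locked out of a scheduled task or service, and running it again afterwards confirms every account now reports an age of zero days.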