lewisg
Posted August 11, 2024

Using Water's great AD.UDF to create Active Directory users, I can't seem to force a password change at the first login. Creation, permissions, group addition, etc. all work as expected, just no prompt at the first login to change their password.

I'm setting:

_AD_EnablePasswordExpire($distinguishedName)
_AD_SetPassword($distinguishedName, $password, 1)
_AD_EnablePasswordChange($distinguishedName)

They all return 1, so I'm sure there are no issues with the syntax. Running both compiled and through SciTE fails.

Using -----
AutoIT 3.3.14.5
UDF Version 1.6.1.0
SciTE 5.4.0

water
Posted August 11, 2024

Can you please post the code you use to create the AD users?

My UDFs and Tutorials:
UDFs:
Active Directory (NEW 2024-07-28 - Version 1.6.3.0)
ExcelChart (2017-07-21 - Version 0.4.0.1)
OutlookEX (2021-11-16 - Version 1.7.0.0)
OutlookEX_GUI (2021-04-13 - Version 1.4.0.0)
Outlook Tools (2019-07-22 - Version 0.6.0.0)
PowerPoint (2021-08-31 - Version 1.5.0.0)
Task Scheduler (2022-07-28 - Version 1.6.0.1)
Standard UDFs: Excel, Word
Tutorials: ADO, WebDriver

lewisg (Author)
Posted August 11, 2024

The whole script is over 1100 lines and works flawlessly except for a new password prompt after the new user first logs in. Much of the script is error checking and logging so I can look back and see if there is a problem and also document all the new user's information. The pertinent AD user creation sub is:

$RepondCreateUser = _AD_CreateUser($P_OU_Destination, $P_SamAccountName, $P_displayName) ; Create the User in AD ****Here the user is created******
Sleep(500)

$RepondEnablePasswordExpire = _AD_EnablePasswordExpire($P_distinguishedName) ; Needed so user MUST change password at first logon as set by the "1" in next line
ProgressSet(5, "5%", "Enabling Password Expire") ; Set the "subtext" and "maintext" of the progress bar window.
Sleep(250)
If $RepondEnablePasswordExpire = 1 Then
    _Log_Report($hLog, 'Successfully set Enable Password Expire', @ScriptLineNumber)
Else
    _Log_Report($hLog, 'ERROR!! Unsuccessfully Set Enable Password Expire', @ScriptLineNumber)
EndIf

$RepondSetPassword = _AD_SetPassword($P_distinguishedName, $P_Password, 1) ; Sets a user's password and the "1" forces a Password change
ProgressSet(10, "10%", "Setting User Password") ; Set the "subtext" and "maintext" of the progress bar window.
Sleep(250)
If $RepondSetPassword = 1 Then
    _Log_Report($hLog, 'Successfully set User Password to = ' & $P_Password, @ScriptLineNumber)
Else
    _Log_Report($hLog, 'ERROR!! Unsuccessfully Set User Password to = ' & $P_Password, @ScriptLineNumber)
EndIf

$RepondEnablePasswordChange = _AD_EnablePasswordChange($P_distinguishedName) ; Disables the 'User Cannot Change Password' option, allowing the user to change their password.
ProgressSet(15, "15%", "Enabling Password Change") ; Set the "subtext" and "maintext" of the progress bar window.
Sleep(250)
If $RepondEnablePasswordChange = 1 Then
    _Log_Report($hLog, 'Successfully set Enable Password Change', @ScriptLineNumber)
Else
    _Log_Report($hLog, 'ERROR!! ERROR!! Unsuccessfully Set Enable Password Change', @ScriptLineNumber)
EndIf

Blah, blah, blah, etc. set more user attributes........

Edited August 11, 2024 by lewisg

water
Posted August 14, 2024

I can't see any errors in your script. I hope to get my hands on the onboarding script we used in the company I have been working for. Due to the holiday period, this may take some time. Please stay tuned.

water
Posted August 16, 2024

Maybe we used PowerShell to do some parts of the user configuration. We had problems with automatic Exchange mailbox creation and had to use PS to solve these problems. It could be that password expiration was set using PS as well.

Set-Aduser -ChangePasswordAtLogon $true

should do the trick.

It is possible that _AD_SetPassword never worked properly and you are the first to notice 🤔

If I can get my hands on the onboarding script we used in the company I have been working for, I will let you know.

Edited August 16, 2024 by water

lewisg (Author)
Posted August 17, 2024

Thanks for looking, Water. My boss mentioned that it used to work and force a password change. We've really tightened password policies and perhaps that has made things get strange.

Looking at the AD attribute "pwdLastSet", it's set to 0x0, which I believe is the toggle for Change Password at Logon, so it seems like everything is set to force a password change. That is also, I think, the same attribute that the PowerShell command you mentioned toggles.

I'll continue trying fixes and report back.

water
Posted August 19, 2024

👍

rudi
Posted August 21, 2024

Just a short time ago we also had the requirement to enforce an ASAP password change for a large subset of all users. We came across the issue that this user property has to be set to $False; it is otherwise a constraint to enforce a password change:

Set-ADUser YourAD\ThisUser -CannotChangePassword:$False

Earth is flat, pigs can fly, and Nuclear Power is SAFE!

lewisg (Author)
Posted August 23, 2024

Thanks for the response, rudi. Double checked my script and that is being set with Water's function "_AD_EnablePasswordChange".
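
A check of the three account settings raised in this thread (pwdLastSet, password expiry, and CannotChangePassword), as an added example that is not from any poster or from the AD UDF. The function name Test-ForcedPasswordChange and the sample accounts are hypothetical and constructed so the block runs without a domain.

```powershell
# Added example, not from the thread or the AD UDF. Test-ForcedPasswordChange
# and the sample accounts below are hypothetical / constructed.
function Test-ForcedPasswordChange {
    param(
        # Object shaped like Get-ADUser output with the properties used below.
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    process {
        $findings = @()
        # "User must change password at next logon" is stored as pwdLastSet = 0.
        if ([int64]$User.pwdLastSet -ne 0) {
            $findings += 'pwdLastSet is not 0: change-at-logon is not set'
        }
        # Set-ADUser rejects -ChangePasswordAtLogon on an account whose password
        # never expires; the thread's _AD_EnablePasswordExpire call targets this.
        if ($User.PasswordNeverExpires) {
            $findings += 'PasswordNeverExpires is set'
        }
        # rudi's point: the user must be allowed to change the password
        # (the thread's _AD_EnablePasswordChange call).
        if ($User.CannotChangePassword) {
            $findings += 'CannotChangePassword is set'
        }
        [pscustomobject]@{
            SamAccountName            = $User.SamAccountName
            SettingsAllowForcedChange = ($findings.Count -eq 0)
            Findings                  = $findings -join '; '
        }
    }
}

# Constructed sample accounts standing in for directory data.
$samples = @(
    [pscustomobject]@{ SamAccountName = 'new.user1'; pwdLastSet = 0
                       PasswordNeverExpires = $false; CannotChangePassword = $false }
    [pscustomobject]@{ SamAccountName = 'new.user2'; pwdLastSet = 0
                       PasswordNeverExpires = $true; CannotChangePassword = $false }
    [pscustomobject]@{ SamAccountName = 'new.user3'; pwdLastSet = 133678944000000000
                       PasswordNeverExpires = $false; CannotChangePassword = $true }
)
$samples | Test-ForcedPasswordChange | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADUser new.user1 -Properties pwdLastSet, PasswordNeverExpires, CannotChangePassword |
#     Test-ForcedPasswordChange
```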