Force user to change password on next connection

edouard37

Hi everybody,

I've got an Active Directory on Windows 2003.

I want to create an application with which I can modify an attribute of an account (I choose the account beforehand in a label).

This attribute is: At next logon, user must change password.

Have you got any ideas?

Thank you.

Bye.

edouard37

Before I forget,

If I find the script in VBS, where is the VBS-to-AutoIt converter? Is this method OK?

Thanks

spudw2k

VB can easily be converted to AutoIt. I don't know of a tool (but I bet someone made one) but there's tons of examples on this forum.

For starters, this script expires all user passwords in an Active Dir.

http://www.microsoft.com/technet/scriptcen...07/hey0516.mspx

edit: Conversion Example.

VBCode:

Set objOU = GetObject("LDAP://ou=Accounting,dc=fabrikam,dc=com")
objOU.Filter = Array("user")

For Each objUser in objOU
    objUser.pwdLastSet = 0
    objUser.SetInfo
Next

AutoItCode:

$objOU = ObjGet("LDAP://ou=Accounting,dc=fabrikam,dc=com")
Dim $filter[1] = ["user"]
$objOU.Filter = $filter

For $objUser in $objOU
    $objUser.pwdLastSet = 0
    $objUser.SetInfo
Next
Edited by spudw2k
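
Added example, not part of the original posts: the same pwdLastSet = 0 technique applied to one chosen account, which is what the original question asked for. It refuses accounts flagged "password never expires", because pwdLastSet = 0 only forces a change when that flag is absent. The function name, error codes and sample DN are assumptions made for illustration, and it assumes a current AutoIt v3 in which the COM error handler receives the error object.

```autoit
; Added example: force ONE account to change its password at next logon.
Global Const $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000 ; "Password never expires" bit

; Route COM failures to a handler so a bad bind or write does not abort the script.
Global $g_iComErr = 0
Global $g_oComErr = ObjEvent("AutoIt.Error", "_OnComError")

Func _OnComError($oError)
    $g_iComErr = $oError.number
EndFunc

; Hypothetical helper. Returns True on success; on failure returns False and sets @error:
;   1 = bind failed, 2 = "password never expires" is set, 3 = write failed
Func _ForcePasswordChange($sUserDN)
    $g_iComErr = 0
    Local $oUser = ObjGet("LDAP://" & $sUserDN)
    If Not IsObj($oUser) Then Return SetError(1, 0, False)

    ; pwdLastSet = 0 only forces a change when DONT_EXPIRE_PASSWD is not set,
    ; so refuse instead of reporting a change that would never take effect.
    Local $iUAC = $oUser.Get("userAccountControl")
    If $g_iComErr <> 0 Then Return SetError(1, $g_iComErr, False)
    If BitAND($iUAC, $ADS_UF_DONT_EXPIRE_PASSWD) Then Return SetError(2, 0, False)

    $oUser.pwdLastSet = 0
    $oUser.SetInfo()
    If $g_iComErr <> 0 Then Return SetError(3, $g_iComErr, False)
    Return True
EndFunc

; Constructed sample DN in the thread's fabrikam.com style.
Local $sDN = "cn=myerken,ou=management,dc=fabrikam,dc=com"
Local $bOk = _ForcePasswordChange($sDN)
Local $iErr = @error ; capture before any other call resets it

If $bOk Then
    ConsoleWrite("Password change required at next logon: " & $sDN & @CRLF)
Else
    ConsoleWrite("Not changed (" & $sDN & "), error code " & $iErr & @CRLF)
EndIf
```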
edouard37

OK, so I must convert this code to AutoIt code... but I don't understand it:

Disables the User Cannot Change Password option, allowing the user to change their password.

Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID  = _
    "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
 
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD   = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = Array("nt authority\self", "everyone")
 
For Each strTrustee In arrTrustees
    For Each ace In objDACL
        If(LCase(ace.Trustee) = strTrustee) Then
            If((ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
               (LCase(ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                   objDACL.RemoveAce ace
            End If
        End If
    Next
Next
 
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo

spudw2k

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = Hex(6)
Const $CHANGE_PASSWORD_GUID  =  "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

; Bind to the user and read the DACL from its security descriptor
$objUser = ObjGet("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
$objSD   = $objUser.Get("nTSecurityDescriptor")
$objDACL = $objSD.DiscretionaryAcl
Dim $arrTrustees[2] = ["nt authority\self", "everyone"]

; Remove the "deny change password" ACE for each of the two trustees
For $strTrustee In $arrTrustees
    For $ace In $objDACL
        If(StringLower($ace.Trustee) = $strTrustee) Then
            If(($ace.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) And (StringLower($ace.ObjectType) = $CHANGE_PASSWORD_GUID)) Then
                   $objDACL.RemoveAce($ace)
            EndIf
        EndIf
    Next
Next

; Write the modified security descriptor back to the directory
$objUser.Put("nTSecurityDescriptor", $objSD)
$objUser.SetInfo()

weaponx

Shouldn't this...

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = Hex(6)

be

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6

Just for consistency.

&H64 does not equal Hex(64)...

Just change &H to 0x

spudw2k
edouard37

Excuse me, I've had some problems with my computer. Your code is OK.

Thank you very much for the translation of the VBS code to AU3. I understand the function much better.

If somebody needs help, you can also see this link: Here

Bye.
