Force user to change password on next connection

Hi everybody,

I've got an Active Directory in Windows 2003.

I want to create an application with which I can modify an attribute of an account (I choose the account beforehand in a label).

This attribute is: At next logon, user must change password.

Have you got any ideas?

Thank you.

Bye.

Link to comment
Share on other sites

VB can easily be converted to AutoIt. I don't know of a tool (but I bet someone made one) but there's tons of examples on this forum.

For starters, this script expires all user passwords in an Active Dir.

http://www.microsoft.com/technet/scriptcen...07/hey0516.mspx

edit: Conversion Example.

VBCode:

Set objOU = GetObject("LDAP://ou=Accounting,dc=fabrikam,dc=com")
objOU.Filter = Array("user")

For Each objUser in objOU
    objUser.pwdLastSet = 0
    objUser.SetInfo
Next

AutoItCode:
$objOU = ObjGet("LDAP://ou=Accounting,dc=fabrikam,dc=com")
Dim $filter[1] = ["user"]
$objOU.Filter = $filter

For $objUser in $objOU
    $objUser.pwdLastSet = 0
    $objUser.SetInfo
Next
Edited by spudw2k
Link to comment
Share on other sites

OK, so I must convert this code to AutoIt code... but I don't understand it:

Disables the User Cannot Change Password option, allowing the user to change their password.

Const ADS_ACETYPE_ACCESS_DENIED_OBJECT = &H6
Const CHANGE_PASSWORD_GUID  = _
    "{ab721a53-1e2f-11d0-9819-00aa0040529b}"
 
Set objUser = GetObject _
    ("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
Set objSD   = objUser.Get("nTSecurityDescriptor")
Set objDACL = objSD.DiscretionaryAcl
arrTrustees = Array("nt authority\self", "everyone")
 
For Each strTrustee In arrTrustees
    For Each ace In objDACL
        If(LCase(ace.Trustee) = strTrustee) Then
            If((ace.AceType = ADS_ACETYPE_ACCESS_DENIED_OBJECT) And _
               (LCase(ace.ObjectType) = CHANGE_PASSWORD_GUID)) Then
                   objDACL.RemoveAce ace
            End If
        End If
    Next
Next
 
objUser.Put "nTSecurityDescriptor", objSD
objUser.SetInfo
Link to comment
Share on other sites

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = Hex(6)
Const $CHANGE_PASSWORD_GUID  =  "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

$objUser = ObjGet("LDAP://cn=myerken,ou=management,dc=fabrikam,dc=com")
$objSD   = $objUser.Get("nTSecurityDescriptor")
$objDACL = $objSD.DiscretionaryAcl
Dim $arrTrustees[2] = ["nt authority\self", "everyone"]

; Remove every deny ACE on the Change Password right held by these trustees
For $strTrustee In $arrTrustees
    For $ace In $objDACL
        If(StringLower($ace.Trustee) = $strTrustee) Then
            If(($ace.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT) And (StringLower($ace.ObjectType) = $CHANGE_PASSWORD_GUID)) Then
                   $objDACL.RemoveAce($ace)
            EndIf
        EndIf
    Next
Next

; Write the modified security descriptor back to the directory
$objUser.Put("nTSecurityDescriptor", $objSD)
$objUser.SetInfo()

Link to comment
Share on other sites

Shouldn't this...

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = Hex(6)

be

Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6

Just for consistency.

&H64 does not equal Hex(64)...

Just change &H to 0x

Link to comment
Share on other sites
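
An added example, not code from any poster in this thread: it applies the pwdLastSet = 0 change from the first reply to a single account, as the original question asked, and first checks the two settings that conflict with it ("Password never expires" and the "User cannot change password" deny ACE discussed above). The function name `_ForcePasswordChange`, its reason codes and the error handler are hypothetical; the DN is the sample user from the thread, and the script assumes a domain-joined machine and an account with write access to that user.

```autoit
; Added example, not code from the thread. _ForcePasswordChange and its
; reason codes are hypothetical names; the DN is the thread's sample user.
Global Const $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000        ; "Password never expires"
Global Const $ADS_ACETYPE_ACCESS_DENIED_OBJECT = 0x6     ; numeric literal, not Hex(6)
Global Const $CHANGE_PASSWORD_GUID = "{ab721a53-1e2f-11d0-9819-00aa0040529b}"

; Report COM errors (bad DN, access denied) instead of aborting the script.
Global $g_oComErr = ObjEvent("AutoIt.Error", "_OnComError")

Func _OnComError($oErr)
    ConsoleWrite("COM error 0x" & Hex($oErr.number) & ": " & $oErr.description & @CRLF)
EndFunc

; Returns True on success. On failure returns False and sets @error:
;   1 = bind failed, 2 = password never expires,
;   3 = user cannot change password, 4 = write failed
Func _ForcePasswordChange($sUserDN)
    Local $oUser = ObjGet("LDAP://" & $sUserDN)
    If @error Or Not IsObj($oUser) Then Return SetError(1, 0, False)

    ; pwdLastSet = 0 has no effect while "Password never expires" is set.
    Local $iUAC = $oUser.Get("userAccountControl")
    If BitAND($iUAC, $ADS_UF_DONT_EXPIRE_PASSWD) Then Return SetError(2, 0, False)

    ; A deny ACE on Change Password plus a forced change would block the logon,
    ; so refuse here rather than silently editing the DACL.
    Local $oSD = $oUser.Get("nTSecurityDescriptor")
    Local $oDACL = $oSD.DiscretionaryAcl
    Local $sTrustee
    For $oAce In $oDACL
        $sTrustee = StringLower($oAce.Trustee)
        If $oAce.AceType = $ADS_ACETYPE_ACCESS_DENIED_OBJECT _
                And StringLower($oAce.ObjectType) = $CHANGE_PASSWORD_GUID _
                And ($sTrustee = "nt authority\self" Or $sTrustee = "everyone") Then
            Return SetError(3, 0, False)
        EndIf
    Next

    ; Same write as the OU-wide loop above, applied to this one account.
    $oUser.Put("pwdLastSet", 0)
    $oUser.SetInfo()
    If @error Then Return SetError(4, 0, False)
    Return True
EndFunc

Global $bDone = _ForcePasswordChange("cn=myerken,ou=management,dc=fabrikam,dc=com")
Global $iReason = @error
If Not $bDone Then ConsoleWrite("pwdLastSet not changed, reason code " & $iReason & @CRLF)
```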
