Re: How To Enabling a Password Policy
From: B. Goodman (no@spam.org)
Date: 03/28/03
- In reply to: Vanguyver: "How To Enabling a Password Policy"
From: B. Goodman <no@spam.org> Date: Fri, 28 Mar 2003 17:11:21 -0500
CORRECTED LAST POST--
THE Script I just posted mistakenly had "MustChangePasswords" rather
than "MustChangePassword", so it wasn't taking effect. Sorry.
In article <2c3b01c2eff9$b130b650$a101280a@phx.gbl>,
vanguyver@evansville.edu says...
> I have a problem; I do not want to force all my users to
> change their passwords but just certain groups with
> higher administrative rights. I work for a small
> University and security for the student logons are not
> required. All of the IT department staff members are
> required to have a more secure password than other
> departments such as the registrar's office. Could
> someone please help me? Everything I have seen with
> passwords is on the system configuration side not the
> user side.
>
If you're game, you could TEST the batch file below. I have done only
limited testing running this on a Win2K Pro workstation to force admins
to change their passwords over X days old (set on PDC).
Copy everything below into a batch file. You will also need to have
netpwage.exe, cusrmgr.exe, and showgrps.exe (see comments below) in your
path or in the same directory as this batch file. You also need to set
your PDC name near the top of the script (set pdc=ENTER THE NAME OF YOUR
PDC), e.g.
set pdc=ZEUS
Note that I just whipped this up. It has NEVER been run in a production
environment. You will likely have to adjust it. This is just something
you can play with. THERE IS NO WARRANTY, EXPRESS OR IMPLIED. I AM NOT
A PROGRAMMER. Be very careful.
All I ask is that you let me know if it works for you. GOOD LUCK!
::BETA BETA BETA BETA BETA
::TEST THIS CAREFULLY IN A LAB BEFORE ATTEMPTING TO DEPLOY
::Force Password Change for Admins whose passwords are over X days old
::Run by double-clicking, or use scheduled tasks
::Use at your own risk!! NO WARRANTY, EXPRESS OR IMPLIED!!
::Requires netpwage.exe, see http://www.jsiinc.com/SUBH/tip3900/rh3988.htm
::Requires cusrmgr.exe and showgrps.exe from Windows 2000 Resource Kit
::You MUST set your PDC
@echo off
set workfile=.\work.txt
set results=.\results.txt
set domain=%userdomain%
set pdc=ENTER THE NAME OF YOUR PDC
::Set variable age to number of days
set age=45
if exist %results% del /q %results%
netpwage.exe /users /min:%age% /b /tabs > %workfile%
pause
::For each user in %workfile%, see if admin. Pass admins to ISADMIN routine
for /f %%a IN (%workfile%) do showgrps.exe %domain%\%%a | findstr /i admin && call :isadmin %%a
goto END
:ISADMIN
echo %1 %pdc% %domain%
::Avoid admins whose accounts are set never to expire. These may be service accounts.
::Pass admins whose passwords CAN expire to EXPIRE routine
::"net user" pads the gap after "Password expires" with several spaces,
::so match one or more spaces with a findstr regular expression
net user %1 /domain | findstr /i /r /c:"Password expires  *Never" || call :expire %1
goto :EOF
:EXPIRE
echo MUST CHANGE %1 %pdc% %domain%
cusrmgr -u %1 -m \\%pdc% +S MustChangePassword && echo %domain%\%1 SUCCESS >> %results% || echo %domain%\%1 FAILURE >> %results%
goto :EOF
:END
pause
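
The same selection logic as the batch file above (admin group members, password older than 45 days, accounts with non-expiring passwords skipped), written against the ActiveDirectory PowerShell module. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module is installed and that the privileged group is named "Domain Admins", and the $DryRun switch is a hypothetical name introduced here.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed and that the privileged group is "Domain Admins".
Import-Module ActiveDirectory

$GroupName  = 'Domain Admins'    # assumption: adjust to your admin group
$MaxAgeDays = 45                 # same threshold as "set age=45" in the batch file
$Results    = '.\results.txt'
$DryRun     = $true              # set to $false only after reviewing the dry-run output

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Expand nested groups, keep user objects only, then load the password attributes.
$candidates = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires

$targets = $candidates | Where-Object {
    $_.Enabled -and
    -not $_.PasswordNeverExpires -and   # skip likely service accounts, as the batch file does
    $_.PasswordLastSet -and             # null means a change is already pending
    $_.PasswordLastSet -lt $cutoff
}

foreach ($user in $targets) {
    $name = $user.SamAccountName
    if ($DryRun) {
        # Record what would be flagged without touching the account.
        "$name WOULD-FLAG (password last set $($user.PasswordLastSet))" |
            Add-Content $Results
        continue
    }
    try {
        # Equivalent of "cusrmgr ... +S MustChangePassword".
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        "$name SUCCESS" | Add-Content $Results
    } catch {
        "$name FAILURE $($_.Exception.Message)" | Add-Content $Results
    }
}
```

Unlike the findstr match on "admin", this selects by membership of one named group, so accounts in other groups whose names merely contain "admin" are not included.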