Re: Enabling forced password change on next logon



If you have a Windows 2003 domain controller you can modify that user attribute
en masse for users. If you do not you still can install the Windows 2003
adminpak [free download from Microsoft] on an XP Pro domain member computer
that should be known to be a secure admin workstation and then use the
Active Directory command line tools to do what you want as shown in the
example below of using the commands to change the password attribute for users
in an OU. You might find that accounts that are set to password never
expires may need to have that attribute changed first though if you want
them to change password also. Be sure to test out on an OU with a few test
users. You can pipe the results of one command to the dsmod command. As
always it is best to have a current backup of the System State of a domain
controller in case things do not go as planned so that you can at least get
back to where you were with an authoritative restore of Active
Directory. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
--- Directory Service command line tools

F:\Documents and Settings\administrator.UMBACH1.000>dsquery user OU=nyt,dc=umbach1,dc=com | dsmod user -mustchpwd yes

dsmod succeeded:CN=john,OU=nyt,DC=umbach1,DC=com
dsmod succeeded:CN=tom,OU=nyt,DC=umbach1,DC=com
dsmod succeeded:CN=joe,OU=nyt,DC=umbach1,DC=com
dsmod succeeded:CN=fox,OU=nyt,DC=umbach1,DC=com
dsmod succeeded:CN=fred,OU=nyt,DC=umbach1,DC=com




"Ping" <Ping@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9E4C385D-EED3-4D3F-A37C-5917AEA8EF32@xxxxxxxxxxxxxxxx
> Is there a way I can enable all domain users to change their passwords at
> the next logon?
> We have a new web app that we are rolling out that integrates w/AD and we
> want all domain users to be forced to change their passwords at the next
> logon.
>
> Thanx.
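
The procedure described in the reply above (record the current state, clear "password never expires", then force the change), written out as an added example that is not part of the original post. It uses the OU from the post as the target; the output file names are arbitrary choices for this example.

```batch
@echo off
rem Added example, not from the original post. Run from a workstation with the
rem Windows 2003 adminpak tools, as a user allowed to modify these accounts.
setlocal

rem Target OU: the DN used in the post. Point this at a small test OU first.
set "TARGET=OU=nyt,DC=umbach1,DC=com"

rem Output file names are arbitrary choices for this example.
set "BEFORE=mustchpwd-before.txt"
set "AFTER=mustchpwd-after.txt"

rem 1. Save the current flags for every user under the OU.
rem    -limit 0 lifts dsquery's default cap of 100 results, which would
rem    otherwise silently skip users in a large OU. The default search scope
rem    is the whole subtree, so users in child OUs are included.
dsquery user "%TARGET%" -limit 0 | dsget user -dn -pwdneverexpires -mustchpwd > "%BEFORE%"
if errorlevel 1 (
    echo Could not read the current state, nothing was changed.
    exit /b 1
)

rem 2. Clear "password never expires" so the forced change can take effect.
rem    -c keeps going past an account that fails and reports it.
dsquery user "%TARGET%" -limit 0 | dsmod user -pwdneverexpires no -c

rem 3. Require a password change at next logon.
dsquery user "%TARGET%" -limit 0 | dsmod user -mustchpwd yes -c

rem 4. Read the flags back and show them for comparison with the saved state.
dsquery user "%TARGET%" -limit 0 | dsget user -dn -pwdneverexpires -mustchpwd > "%AFTER%"
type "%AFTER%"

endlocal
```

Review the saved "before" file for service accounts that were deliberately set to never expire before running steps 2 and 3 against a production OU.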

