Be careful when setting user “password never expires” using DSMOD

Today, yes, today (Sat), I got a last-minute request to set “password never expires” to “yes” for all users for a short period of time.

The AD I am working on consists of about 100 OUs, each containing users (approx. 100 per OU).

So, too lazy to write a script (VBScript), I thought of the DSquery and DSmod commands that can do the trick!

I happily prepared a batch file that would comb through all the OUs and modify the users’ setting using the following command:

dsquery user "OU=TanCheeOU,dc=Tan,dc=Chee" | dsmod user -pwdneverexpires yes

So, while testing in my development environment, I had a weird thought: what if the user has not changed the password yet because the account is newly created?

Why am I concerned? The reason is that one can never set “Password never expires” while “User must change password at next logon” is set! If you insist on setting “Password never expires”, the other option will be unchecked (not set).

[Screenshot: what happens if you try to do it the GUI way]

Impact

What could be the possible impact if I were to run the DS command?

This is what will happen – Examples:

After running the command, the user accounts in AD change as follows:

Account A, which does not have “User must change password at next logon” set, will have “Password never expires” set (checked).

Account B, which has “User must change password at next logon” set, will have that setting cleared, and “Password never expires” will be set (checked).

End-User experience

Account A logs on to the machine as usual.

Account B logs on to the machine and starts using the account without being prompted to change the password at next logon.

After a period of time, we need to revert the setting using the command:

dsquery user "OU=TanCheeOU,dc=Tan,dc=Chee" | dsmod user -pwdneverexpires no

After running the command, the user accounts in AD change as follows:

For account A, which did not have “User must change password at next logon” set, that option will remain unchecked, and “Password never expires” will be cleared (unchecked).

For account B, which had “User must change password at next logon” set, the setting will be reverted! (Checked); and “Password never expires” will be cleared (unchecked).

So... End-User experience (impact arises…)

Account A will log on as usual.

Account B will be prompted to change the password at the next logon!!! Oh My!!

Conclusion

You must write a script that checks whether the user has “User must change password at next logon” set before setting “password never expires” to YES.

One method if you do not know how to write VBScript:

Use the DSquery | DSget commands to get the list of users from all the OUs.

Massage the data using Excel, then use DSquery | DSmod to apply the setting!
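The check described in the conclusion, written as an added example (not part of the original post). It assumes the ActiveDirectory PowerShell module (RSAT) is available, reuses the post's sample OU, and writes to a hypothetical state file so the revert only touches accounts this run changed.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

$SearchBase = 'OU=TanCheeOU,dc=Tan,dc=Chee'    # sample OU from the post
$StateFile  = '.\pwdneverexpires-before.csv'   # hypothetical path for the saved state

# pwdLastSet = 0 is how AD stores "User must change password at next logon".
$users = Get-ADUser -SearchBase $SearchBase -Filter * `
    -Properties pwdLastSet, PasswordNeverExpires

# Record the original state of every account before changing anything.
$users |
    Select-Object DistinguishedName, SamAccountName, PasswordNeverExpires,
        @{ Name = 'MustChangePassword'; Expression = { $_.pwdLastSet -eq 0 } } |
    Export-Csv -Path $StateFile -NoTypeInformation

# Skip accounts flagged "must change password" so that flag is never cleared,
# and skip accounts that already have "Password never expires" set.
$skipped = $users | Where-Object { $_.pwdLastSet -eq 0 }
$targets = $users | Where-Object { $_.pwdLastSet -ne 0 -and -not $_.PasswordNeverExpires }

# -WhatIf only reports what would change; remove it to apply.
$targets | Set-ADUser -PasswordNeverExpires $true -WhatIf

'{0} account(s) to change, {1} skipped (must change password at next logon)' -f `
    @($targets).Count, @($skipped).Count

# Revert later: clear the flag only on accounts that this run set it on.
function Restore-PasswordExpiry {
    param([string]$Path = $StateFile)
    Import-Csv -Path $Path |
        Where-Object { $_.PasswordNeverExpires -eq 'False' -and
                       $_.MustChangePassword -eq 'False' } |
        ForEach-Object {
            Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false -WhatIf
        }
}
```

To cover every OU, point $SearchBase at the domain root or loop over the OU list; the skipped accounts are listed in the CSV with MustChangePassword set to True for review.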

Cheers
