Windows Server - Is it possible to reset "pwdLastSet" attribute to certain date?

Asked By Mugen

01-Feb-10 03:20 PM

Hi,

I am trying to enforce password policy for a Domain. (Enforce Password
expire very 90 days and minimum 6 characters etc) I am running Windows 2003
AD. But here is the problem, most of the existing users password are more
than 90 days old which mean their accounts will expire right away as soon as
I enable password policy becasue AD will look at the time stamp of pwdLastSet
attribute.

My question if it is possible to reset the pwdLastSet attribute value to
certain date. I searched around and found there are two value to set ( 0 and
-1). 0 will make users to change password at next logon but I do not want to
do that. I would hope I can reset to today date or pre-define date.

Another question is what happen to service account that keep running on
background every minute (But they never login from the console). Are those
account expire immediately while running from the background or not affect
until a user login at the console?


Thanks.

Mugen

01-Feb-10 03:50 PM

0 means expired, -1 says the password was just set and the 'count down to
policy (90 days) starts a new.

You can keep doing the -1 until you get the inital user 'expiration stagger'
you want, but I would not suggest pushing these out very long at all. A few
days to a few weeks ( if you have alot of users).



--
/kj

01-Feb-10 04:03 PM

A service account, like any other, is affected when it authenticates (unless
the account has password never expires set). This will happen when the
service starts.

As noted, you cannot assign a value corresponding to a date to the
pwdLastSet attribute. Perhaps you can start with a larger pwdMaxAge value,
so all users with passwords older than say 120 days expire, then gradually
reduce the value until 90 days is enforced. Or create several text files
with user DN's and assign 0 to the pwdLastSet attribute only for users in
one of the files at a time. Perhaps one group per week. After all have been
forced to change their password, set maxPwdAge to 90 days.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--

01-Feb-10 05:21 PM

Richards method above is my preference for reducing password lifetimes or
first time pasword age restrictions of user passwords assured of being 999
days or newer. Those older accounts still get immediatly flagged if they
have not changed pwds in less than (pwdmax setting) days. (they should
probably get flogged for it instead of flagged for it, but that is another
thread).

-1 method helps where a large number of new or migrated users all have the
same pwdage suffering from the trama of just having to change it now :) ...
or when introducing password expiration for the first time to users that
have been around a long time.

Different methods for different circumstances and needs i guess.




--
/kj

01-Feb-10 06:49 PM

Hi Kj and Richard,

Thanks for your reply!

I just want to double check if I run a script and set "pwdLastSet" attribute
to -1 which will reset all the users to today date?
Because I want to do that first before I enforce password policy to whole
Domain for "password expire in 90 days". That way, I just email out to
everyone saying policy has been applied and everyone need to change password
every 90 days from now on. Otherewise, most of the users will get password
expire the first day I apply passwrod policy. Hope that make sense...

Do you know if there is a script I can download for resetting "pwdLastSet"
to -1 for multiple users or whole Domain?

Thanks and really appreicate your help!
Mugen

01-Feb-10 10:00 PM

If you assign -1 to pwdLastSet, this assigns a huge number to the attribute.
The next time the user authenticates, a value corresponding to the current
date and time is automatically assigned by the system. Still, if you
assign -1 to everyone today, and they all logon tomorrow, then everyone's
password will expire on the same day 90 days in the future. I have found this
to be problem when users are not used to changing passwords. You still might
what to assign -1 to groups of users to spread out the load on your support.

You can use ADO in a VBScript program to retrieve the DN of all users (or
all users in an OU, or all users in a group), enumerate the users, bind to
each user object, assign -1 to pwdLastSet, and save the changes. For
example, for all users in the domain:
==========
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN, objUser

' Setup ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
Set adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects.
strFilter = "(&(objectCategory=person)(objectClass=user))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.
Do Until adoRecordset.EOF
' Retrieve values.
strDN = adoRecordset.Fields("distinguishedName").Value
' Bind to user object.
Set objUser = GetObject("LDAP://" & strDN)
' Make password not expired.
objUser.pwdLastSet = -1
' Save changes.
objUser.SetInfo
' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
==========
To modify the code for all users in an OU, change the base of the ADO query
from this:

strBase = "<LDAP://" & strDNSDomain & ">"

To specify the DN of the OU, similar to:

strBase = "<ou=Sales,ou=West,dc=MyDomain,dc=com>"

To restrict the ADO query to members of a group, you can change the filter
statement from this:

strFilter = "(&(objectCategory=person)(objectClass=user))"

02-Feb-10 07:27 PM

Hi,

Thanks for you help!

I tried this VB script to test individual account in default "users" OU. It
seems ran successful without any error. I got a Windows script host window
with "PwdLastSet= -1 and Accounts changed = -1". However, when I checked the
attribue of the PwdLastset nothing being changed. It still showing last
password set was 1 year ago. Here is the VB script I tried and I put asterisk
at end of the line where I made change.

Can you take a look what went wrong?

' PwdLastSet .vbs
' Sample VBScript to force a user to change password at next logon
' Author Guy Thomas http://computerperformance.co.uk/
' Version 1.1 - May 2005
' --------------------------------------------------------------'
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain
Dim intCounter, intPwdValue

' Bind to Active Directory Domain
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")

' -------------------------------------------------------------'
' Important change OU= to reflect your domain
' -------------------------------------------------------------'
strContainer = "cn=test account,cn=users,dc=domain,dc=com, " ******
strContainer = strContainer & strDNSDomain
intCounter = -1  **********
' Here we force a reset password date
intPwdValue = -1 ***********

' Loop through OU=, resetting all user accounts
set objOU =GetObject("LDAP://cn=test account,cn=users,dc=domain,dc=com") *****
For each objUser in objOU
If objUser.class="user" then
objUser.Put "PwdLastSet", intPwdValue
objUser.SetInfo
End If
intCounter = intCounter +1
Next

' Optional section to record how many accounts have been set
WScript.Echo "PwdLastSet = " & intPwdValue _
& vbCr & "Accounts changed = " & intCounter
WScript.Quit

' End of Sample PwdLastSet VBScript

04-Feb-10 01:18 PM

Hi,

Anyone able to review the script I treid why not working?

Thanks.

04-Feb-10 01:28 PM

I *think* that Richards script is expecting to enumerate user accounts in an
OU but you gave it the DN of a single user.

If true, create an OU and move your test user there and adjust strContainer
for the OU instead of the CN=


Otherwise I am sure Richard or others will correct me (and you).  :)