Changing the Password Expiry on a Windows Account to n Days in the future

In some work I was doing recently, I had a need to set a user’s account to expire a number of days from today using VBScript. For those who are interested in doing the same, you need 2 pieces of information to change the expiration date of a user’s password: the domain’s setting for password expiry (found as a group policy) and the answer to the following question:

What is (((today’s date – 1/1/1601) + (lead time for expiry of password)) – (Domain’s password expiry date)) as an Integer8 value?

Luckily, there’s an easy solution (change the DaysAgo, strDomain and strUserName values, save it as SetPwdToExpire.VBS and run it as a user that can update Active Directory):

' -42 = -(default domain password expiry of 45 days)
'       + (lead time for pwd expiry of 3 days)
DaysAgo = -42
strDomain = "DOMAIN"
strUserName = "LOGIN"
' Translate the NT-style name (DOMAIN\LOGIN) into a Distinguished Name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init 1, strDomain                      ' 1 = ADS_NAME_INITTYPE_DOMAIN
objTrans.Set 3, strDomain & "\" & strUserName   ' 3 = ADS_NAME_TYPE_NT4
strUserDN = objTrans.Get(1)                     ' 1 = ADS_NAME_TYPE_1779
UserToChange = "LDAP://" & strUserDN
Set objUser = GetObject(UserToChange)
dtmAdjusted = DateAdd("d", DaysAgo, Now())
' Find number of seconds since 1/1/1601.
lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)
' Convert the number of seconds to a string
' and convert to 100-nanosecond intervals.
str64Bit = CStr(lngSeconds) & "0000000"
Wscript.Echo "Integer8 value: " & str64Bit
Wscript.Echo "Setting Expiry for: " & UserToChange
objUser.pwdLastSet = str64Bit
' Write the change back to the directory. Active Directory only accepts
' 0 or -1 when pwdLastSet is written, so expect this call to be rejected.
objUser.SetInfo

So to set a password to expire in 3 days’ time, you would:

  1. Change the DaysAgo value to whatever number was relevant
  2. Change strDomain and strUserName to your normal login (e.g. domain\username)
  3. Use the RunAs command to run the script as a user that can change AD (because nobody uses their day to day account to manage Active Directory, right?)
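The Integer8 arithmetic in the formula above can be checked offline. The following is an added example, not part of the original post: it computes the value the script would produce and decodes a pwdLastSet value back into an expiry time, which is the read-only check to run when auditing accounts. The function names and sample values are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # Integer8 counts 100-nanosecond intervals
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND

# Constructed sample values, not taken from a real directory.
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_MAX_PWD_AGE = -45 * TICKS_PER_DAY  # maxPwdAge is stored as a negative interval


def to_integer8(moment):
    """Timezone-aware datetime -> 100-ns intervals since 1601-01-01 UTC."""
    delta = moment.astimezone(timezone.utc) - EPOCH_1601
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_integer8(value):
    """100-ns intervals since 1601-01-01 UTC -> datetime (sub-microsecond part dropped)."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def pwd_last_set_for_expiry(now, max_age_days, lead_days):
    """The post's formula: (now - 1/1/1601) + lead time - domain password expiry."""
    return to_integer8(now + timedelta(days=lead_days - max_age_days))


def password_expiry(pwd_last_set, max_pwd_age):
    """Expiry time implied by pwdLastSet and the domain's maxPwdAge."""
    if pwd_last_set == 0:
        return None  # 0 means the user must change the password at next logon
    return from_integer8(pwd_last_set - max_pwd_age)


if __name__ == "__main__":
    value = pwd_last_set_for_expiry(SAMPLE_NOW, max_age_days=45, lead_days=3)
    print("Integer8 value:", value)
    print("Password expires:", password_expiry(value, SAMPLE_MAX_PWD_AGE))
```

Unlike the VBScript, which feeds the local time from Now() into the calculation, this version works in UTC, the time base Integer8 timestamps are stored in.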

Naturally, this was pieced together using various resources, then modified to suit the purpose indicated:

  1. Experts Exchange: Expire an Active Directory users’ account password (No login? Try scrolling all the way to the bottom of the page…)
  2. VBScript source:
  3. Setting the value in AD:
  4. Finding a user’s Distinguished Name:

Um… you might want to test this in a LAB first… eh!

[UPDATE] I’ve had a couple of people tell me that this script does not work verbatim, however it seems like a good starting point. Unfortunately I don’t do this sort of System Administration type of work any more, so it’s hard for me to test it as I don’t have a Lab. If anyone manages to work out what changes are required to the script, let me know and I’ll update it (and credit the author!).

About Brad Saide

I'm a SharePoint consultant. I'm also slowly going bald, seem to have a permanent spare tyre around my waist and enjoy socialising with friends over a beer or 10. The last 2 may possibly be related. Started working with SharePoint when the first version was in limited beta release (participated in the Technology Adoption Program while at Woolworths) and have been committed to the adoption of the technology as a business enabler ever since.

4 Responses to Changing the Password Expiry on a Windows Account to n Days in the future

  1. Iain Chapman says:

    Hi – just what I’m looking for, but I can’t make it work.

    At the objUser.SetInfo command I get an error “A device attached to the system is not functioning”. This actually seems to be connected to the objUser.pwdLastset = str64Bit command as if this is remarked out then the code functions fine.

    Any thoughts as to what I’m doing wrong please?

    Thank you


  2. Stoomkracht says:

    Can’t work cause AD prohibits entering anything else than 0 or -1 into the pwdLastSet attribute…
