In some work I was doing recently, I had a need to set a user’s account to expire a number of days from today using VBScript. For those who are interested in doing the same, you need 2 pieces of information to change the expiration date of a user’s password: the domain’s setting for password expiry (found as a group policy) and the answer to the following question:
What is (((today’s date – 1/1/1601) + (lead time for expiry of password)) – (Domain’s password expiry date)) as an Integer8 value?
Luckily, there’s an easy solution (change the values of DaysAgo, strDomain and strUserName, save it as SetPwdToExpire.VBS and run it as a user that can update Active Directory):
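DaysAgo = -42
' assuming a default password expiry date of 45 +
' the lead time for pwd expiry of 3 days
strDomain = "DOMAIN"
strUserName = "LOGIN"
' Translate the NT4 name (DOMAIN\LOGIN) into a distinguished name.
Set objTrans = CreateObject("NameTranslate")
objTrans.Init 1, strDomain
objTrans.Set 3, strDomain & "\" & strUserName
strUserDN = objTrans.Get(1)
UserToChange = "LDAP://" & strUserDN
Set objUser = GetObject(UserToChange)
' Now() is local time; no UTC adjustment is applied here.
dtmAdjusted = DateAdd("d", DaysAgo, Now())
' Find number of seconds since 1/1/1601.
lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)
' Convert the number of seconds to a string
' and convert to 100-nanosecond intervals.
str64Bit = CStr(lngSeconds) & "0000000"
Wscript.Echo "Integer8 value: " & str64Bit
Wscript.Echo "Setting Expiry for: " & UserToChange
objUser.pwdLastSet = str64Bit
' Commit the change; without SetInfo the assignment only
' updates the local property cache and never reaches the directory.
' Note: Active Directory normally accepts only 0 (expired now) or
' -1 (set to the current time) when pwdLastSet is written.
objUser.SetInfo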
So to set a password to expire in 3 days’ time, you would:
- Change the DaysAgo value to whatever number was relevant
- Change strDomain and strUserName to your normal login (e.g. domain\username)
- Use the RunAs command to run the script as a user that can change AD (because nobody uses their day to day account to manage Active Directory, right?)
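The Integer8 arithmetic from the question above, as an added Python example (not part of the original script or its sources) that works in UTC and converts the value back, so the number the script echoes can be checked before anything is written to the directory. The function names and the sample date are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # Integer8 counts 100-nanosecond intervals


def to_integer8(moment):
    """Convert an aware datetime to 100-ns intervals since 1601-01-01 UTC."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: Integer8 values are UTC, so state the zone")
    delta = moment.astimezone(timezone.utc) - EPOCH_1601
    # Integer arithmetic only; floats lose precision at this magnitude.
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_integer8(value):
    """Convert an Integer8 value back to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=value // 10)


def pwd_last_set_for_expiry(now, max_pwd_age_days, lead_days):
    """Integer8 for (now + lead time - domain maximum password age)."""
    if not 0 <= lead_days <= max_pwd_age_days:
        raise ValueError("lead time must lie between 0 and the maximum password age")
    return to_integer8(now + timedelta(days=lead_days - max_pwd_age_days))


def expiry_of(pwd_last_set, max_pwd_age_days):
    """When a password stamped with pwd_last_set ages out under the policy."""
    return from_integer8(pwd_last_set) + timedelta(days=max_pwd_age_days)


if __name__ == "__main__":
    # Constructed sample: a fixed "now" in UTC+10 with the 45-day policy
    # and 3-day lead time used in the script's comments.
    now = datetime(2024, 3, 1, 9, 0, tzinfo=timezone(timedelta(hours=10)))
    value = pwd_last_set_for_expiry(now, 45, 3)
    print("Integer8 value:", value)
    print("Stamped as    :", from_integer8(value).isoformat())
    print("Expires       :", expiry_of(value, 45).isoformat())
```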
Naturally, this script was pieced together using various resources, then modified to suit the purpose indicated:
- Experts Exchange: Expire an Active Directory users’ account password (No login? Try scrolling all the way to the bottom of the page… )
- VBScript source: http://www.rlmueller.net/Programs/DateToInteger8.txt
- Setting the value in AD: http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/06/how-can-i-cause-a-user-s-password-to-expire.aspx
- Finding a user’s Distinguished Name: http://www.wisesoft.co.uk/scripts/vbscript_get_the_distinguished_name_of_a_user.aspx
Um… you might want to test this in a LAB first… eh!
[UPDATE] I’ve had a couple of people tell me that this script does not work verbatim, however it seems like a good starting point. Unfortunately I don’t do this sort of System Administration type of work any more, so it’s hard for me to test it as I don’t have a Lab. If anyone manages to work out what changes are required to the script, let me know and I’ll update it (and credit the author!).