I need to change the pwdLastSet attribute on accounts in Active
Directory. I found this script which will change the value to 0 which
means the user must change their password at next log on. But we are
implementing a new pwd policy to force users to change their pwd after
180 days. Most of our users pwd's are older than that and we don't want
them all expiring on that day. So, I need to be able to bulk set the
pwdLastSet value to %today's date%.
Here is my idea:

set oUser = GetObject("LDAP://cn=user,ou=test,dc=domain,dc=com")
oUser.Put "pwdLastSet", CLng(127703193192000000)
oUser.Setinfo

(We reverse engineered the Integer 8 number to be approx Sept 1, 2005,
hence the value 127703193192000000)

But when I run this I get an error Overflow: 'CLng'

Has anyone ever done this before? Setting the pwdLastSet value to
something other than 0?

Re: Change the pwdLastSet value by Steven

Steven
Wed Aug 17 10:55:24 CDT 2005

See: http://www.rlmueller.net/Integer8Attributes.htm

There's an example there ;o)

--
Regards

Steven Burn
Ur I.T. Mate Group
www.it-mate.co.uk

Keeping it FREE!

<rwh@rodharrison.com> wrote in message
news:1124292399.058142.150490@z14g2000cwz.googlegroups.com...
> I need to change the pwdLastSet attribute on accounts in Active
> Directory. I found this script which will change the value to 0 which
> means the user must change their password at next log on. But we are
> implementing a new pwd policy to force users to change their pwd after
> 180 days. Most of our users pwd's are older than that and we don't want
> them all expiring on that day. So, I need to be able to bulk set the
> pwdLastSet value to %today's date%.
> Here is my idea:
>
> set oUser = GetObject("LDAP://cn=user,ou=test,dc=domain,dc=com")
> oUser.Put "pwdLastSet", CLng(127703193192000000)
> oUser.Setinfo
>
> (We reverse engineered the Integer 8 number to be approx Sept 1, 2005,
> hence the value 127703193192000000)
>
> But when I run this I get an error Overflow: 'CLng'
>
> Has anyone ever done this before? Setting the pwdLastSet value to
> something other than 0?
>



Re: Change the pwdLastSet value by rwh

rwh
Wed Aug 17 11:20:22 CDT 2005

I was more so looking for a method to change the pwdLastSet attribute.
Do you have something for it?
I have discovered 3 values for setting the "pwdLastSet" CLng ()
attribute
0 = Change pwd at next login
1 = password never expires
-1 = "pwdLastSet = today"

Is there a way though, to change it to another Integer8 value?


Re: Change the pwdLastSet value by Al

Al
Wed Aug 17 22:32:15 CDT 2005


<rwh@rodharrison.com> wrote in message
news:1124295622.770414.303760@z14g2000cwz.googlegroups.com...
> I was more so looking for a method to change the pwdLastSet attribute.
> Do you have something for it?
> I have discovered 3 values for setting the "pwdLastSet" CLng ()
> attribute
> 0 = Change pwd at next login
> 1 = password never expires
> -1 = "pwdLastSet = today"
>
> Is there a way though, to change it to another Integer8 value?

Sorry to butt in without a definitive answer, but I suspect that the
pwdLastSet is basically a read-only attribute like LastLogonDate, with the
exception of the three specific values you mention above. Of these, the
first is the only one I knew of previously.

If you anticipate that having all passwords expire on the same date when the
policy changes will cause an actual problem, I would suggest you consider
something like this:

Identify all those accounts that would expire within a week of changing the
policy, and do the following:

- set them all to 1 or -1
- each day select a sample, and set them to 0
- repeat as long as it takes to set all accounts

This should distribute the requisite resets reasonably well. The accounts
that are not included will simply expire on random dates based on their last
actual password change.

/Al



Re: Change the pwdLastSet value by rwh

rwh
Thu Aug 18 10:04:39 CDT 2005

We had actually thought of doing something similar to that, but with an
AD environment of over 16,000 accounts that would be difficult to pick
through.
Would anyone know of a script that could export all user accounts with
the pwdlastset value so we could sort them in Excel, then run the
pwdlastset script accordingly?
I'd like to export all user accounts and their associated pwdlastset
attribute only.
I guess I could do it with ldifde.exe, but any other help would be
appreciated.
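
An added example, not part of the thread and not any poster's code: one way to turn an ldifde-style export into a sortable list of accounts with pwdLastSet converted to a date and compared against the 180-day policy. The sample LDIF, the account names and the `$asOf` date are constructed, and the parser assumes simple `attribute: value` lines (no wrapped or base64 `::` values).

```powershell
# pwdLastSet is an Integer8: a 64-bit count of 100-ns intervals since
# 1601-01-01 UTC, so it needs a 64-bit type ([Int64]) to hold it.
# Constructed sample shaped like an ldifde export; the accounts are made up.
$ldif = @'
dn: CN=Alice Example,OU=test,DC=domain,DC=com
sAMAccountName: alice
pwdLastSet: 127703193192000000

dn: CN=Bob Example,OU=test,DC=domain,DC=com
sAMAccountName: bob
pwdLastSet: 127500000000000000

dn: CN=Carol Example,OU=test,DC=domain,DC=com
sAMAccountName: carol
pwdLastSet: 0
'@

$maxAgeDays = 180   # policy length mentioned in the thread
# Constructed date on which the new policy is assumed to take effect.
$asOf = [DateTime]::SpecifyKind([DateTime]'2005-12-01', [DateTimeKind]::Utc)

$rows = foreach ($rec in ($ldif -split '(?:\r?\n){2,}')) {
    # Collect the record's attributes into a hashtable.
    $attr = @{}
    foreach ($line in ($rec -split '\r?\n')) {
        if ($line -match '^([\w-]+):\s*(.*)$') { $attr[$Matches[1]] = $Matches[2] }
    }
    if (-not $attr.ContainsKey('pwdLastSet')) { continue }

    $raw = [Int64]$attr['pwdLastSet']
    if ($raw -le 0) {
        # 0 means the user must change the password at next logon.
        $set = $null; $age = $null; $state = 'must change at next logon'
    } else {
        $set = [DateTime]::FromFileTimeUtc($raw)
        $age = [int][Math]::Floor(($asOf - $set).TotalDays)
        $state = if ($age -ge $maxAgeDays) { 'expired when policy starts' } else { 'ok' }
    }
    [pscustomobject]@{
        Account = $attr['sAMAccountName']; PwdLastSetUtc = $set
        AgeDays = $age; State = $state
    }
}

# Oldest passwords first; pipe to Export-Csv instead to sort in Excel.
$rows | Sort-Object PwdLastSetUtc | Format-Table -AutoSize
```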