This Friday quick hitter post will show two ways to do this (there are other ways as well).
What I like for this sort of task are adfind and admod by Joe Richards.
The command I used was:
adfind -default -f "&(objectcategory=person)(objectclass=user)(samaccountname=b*)" -dsq | admod pwdLastSet::0
That will set "User must change password at next logon" for logon names that begin with B.
Some notes about this command:
- Joe puts a lot of safety nets in his tools (good thing).
- You can use the -unsafe switch with admod if you don't want a safety, or you can use the -safety switch and specify how many objects you want to modify (by default the safety kicks in at 10).
- You can also specify -upto xx if you want it to do xx object mods and then stop...thanks Joe for that one :)
Brandon Shell also came in with a PowerShell command to do this. If you don't know Brandon, check out his blog. Brandon is very knowledgeable but also a really cool guy who is always willing to help and a huge asset to the community.
The PowerShell command takes advantage of Quest's Active Directory cmdlets. Big thanks to Dmitry Sotnikov and everyone at Quest for those.
The command is:
Get-QADUser -SamAccountName b* | Set-QADUser -UserMustChangePassword $true
As you can see, both commands worked and met the requirements. I hope you can also see how these commands can be adapted to set other attributes. Comment or contact me for more info.
If you are more comfortable with the GUI, you can run the same LDAP query I used with adfind in Active Directory Users and Computers, select all of the results at once, and check the box to force them to change their password.
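The PowerShell one-liner has no equivalent of admod's safety count, so here is an added example (not from Joe, Brandon or Quest) that wraps the same bulk change with a preview, an object-count safety and a read-back of pwdLastSet. It assumes Microsoft's ActiveDirectory module (RSAT) instead of the Quest cmdlets; the function name Set-MustChangePassword and the -Safety parameter are hypothetical.

```powershell
# Added example: uses the Microsoft ActiveDirectory module, not the Quest cmdlets.
Import-Module ActiveDirectory

function Set-MustChangePassword {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$LdapFilter,
        [int]$Safety = 10            # mirrors admod's default safety count
    )

    # Resolve the target set once so the count check and the change agree.
    $users = @(Get-ADUser -LDAPFilter $LdapFilter -Properties pwdLastSet)
    Write-Verbose ("{0} object(s) matched {1}" -f $users.Count, $LdapFilter)

    # Refuse to touch more objects than the caller explicitly allowed.
    if ($users.Count -gt $Safety) {
        throw "Matched $($users.Count) objects but safety is $Safety. Raise -Safety to proceed."
    }

    foreach ($u in $users) {
        # With -WhatIf this only prints what would be changed.
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set pwdLastSet to 0')) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        }
    }

    # Read each account back: pwdLastSet = 0 means "must change at next logon".
    foreach ($u in $users) {
        Get-ADUser -Identity $u -Properties pwdLastSet |
            Select-Object SamAccountName,
                @{ Name = 'MustChange'; Expression = { $_.pwdLastSet -eq 0 } }
    }
}

# Same query as the adfind command: user accounts whose logon name begins with b.
$filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName=b*))'

Set-MustChangePassword -LdapFilter $filter -WhatIf -Verbose   # preview only
Set-MustChangePassword -LdapFilter $filter -Safety 25         # apply, up to 25 objects
```

Run the -WhatIf line first and check the matched list before running the second line.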
Hope everyone has a great weekend, spring is finally here on the East Coast of the USA so it should be nice.