Does anybody know of a tool/script that can set the "password never expires" option on an nt4 user account.

i already checked the reskit but did not find the right stuff (am i overlooking something) and cannot find any relevant hits on the net.

i'm looking for a way to manipulate this option on a lot of accounts over a lot of domains.

Thanx in advance,

MvdW

it has an Option - /expires:never

hth

Jochen

_________________________

too fast with my reply ! Net user over several domains would only be useful if doin it with rcmd or something scheduled ....

Sorry

_________________________

-Shawn

Cool opportunities ... and i bet you have proper scripts to share !!!

Jochen

_________________________

-Shawn

code:

---

BREAK ON
$DOMAIN = GETOBJECT("WinNT://@LDOMAIN")
$DOMAIN.FILTER = USER,""
?
?"LOCKED ACCOUNTS IN @LDOMAIN:"
?
FOR EACH $USER IN $DOMAIN
 IF $USER.ACCOUNTDISABLED
  ? $USER.NAME
 ENDIF
NEXT
$DOMAIN=0
EXIT

---

-Shawn

This is too sweet..

I made the following mods. No HYENA needed. (snicker, snicker).

code:

---

BREAK ON
$DOMAIN = GETOBJECT("WinNT://@LDOMAIN")
$DOMAIN.FILTER = USER,""
?
?"LOCKED ACCOUNTS IN @LDOMAIN:"
?
FOR EACH $USER IN $DOMAIN
$Accountdis = "C:\Accountdisable.TXT"
$result=Open(3, $Accountdis, 5)
IF $USER.ACCOUNTDISABLED
? $USER.NAME
IF $result <> 0
   $x = WriteLine( 3 , $USER.NAME + Chr(13) + Chr(10) )
ENDIF
ENDIF
NEXT
;Close the text file
$result=Close(3)
$DOMAIN=0
EXIT
  

---

Cheers!

- Kent

code:

---

BREAK ON
$ADS_UF_DONTEXPIREPASSWD = 65536
$DOMAIN = GETOBJECT("WinNT://@LDOMAIN")
?
?"USERS WITH 'PASSWORD NEVER EXPIRES' IN @LDOMAIN:"
?
$DOMAIN.FILTER = USER,""
FOR EACH $USER IN $DOMAIN
 $USER.GETINFO()
 IF $USER.USERFLAGS & $ADS_UF_DONTEXPIREPASSWD
  ? $USER.NAME
 ENDIF
NEXT
$DOMAIN=0
EXIT

---

-Shawn

I'll never give-up selling folks on the beauty and power of ADSI ..

You da man!!

However, it does seem to take a while to parse the user list as we have our DC (W2K) 3000 miles away. I am on a W2K Pro install.

- Question
Is there an option to list all of the ADSI Properties? Dangerous - Maybe an option to delete the accounts?

- Question
Also, this maybe off-topic, but do you know if version 3.0 of Visual Kixtart has support or enhanced support for version 4.00 of KIX?

- Question
I know this has been asked a hundred times, but under W2K Pro the login scripts run minimized. I tried the fix from http://www.jsiinc.com and the sendkeys. None of these work...

Thanks!

- Kent

[ 19 July 2001: Message edited by: kdyer ]

Querying takes time ?

Yes (and no) - ADSI uses something called "property caches" to speedup queries. When you do a getobject() on a user object, ADSI pre-fetches most of the commonly used user properties. If the property your after is one of these - you don't have to do a $USER.GETINFO() which goes out and pulls down everything. Might I suggest you remove this line from your script and you might see little difference in performance ?

Option to list all the ADSI properties ?

I use the ADSI 2.5 SDK exclusively. You can download the chm help file from Microsoft here - scroll down to see it. By the way - if you want to run ADSI on a Windows NT 4.0 or 9x workstation - you can simply download the ADSI runtimes themselves from there.

And here is some MDSN stuff on IADsUser (the user object interface).

Can you delete an account ?

yap - sure can - just as easily as you can delete all your accounts with one push of a button ;D

Visual KiXtart ? - no idea 'bout that.

Win2Kpro login scripts - for some reason - I've never experienced this problem - maybe I should poke around in my registry and try to figure out why - like you say - this issue come up all the time - I'll let you know what I discover.

-Shawn

Just in case your still interested, here's a pretty good start with the "ADSI" script approach... it reads an INI file in your current directory called "USERS.INI" that is structured like this:

[FILE: USERS.INI]

code:

---

[USERS]
john.smith=1
jane.doe=1
billybob.sue=1

---

and this script reads (parses) the INI file and sets their user account to "password never expires" ...

[FILE: SETUSER.KIX]

code:

---

BREAK ON

$USERFILE="@CURDIR\USERS.INI" ; CHANGE THIS TO YOUR SPECIFICS

$ADS_UF_DONTEXPIREPASSWD = 65536

FOR EACH $USERNAME IN SPLIT(READPROFILESTRING($USERFILE,"USERS",""),CHR(10))
 IF $USERNAME
  $USER = GETOBJECT("WinNT://@LDOMAIN/$USERNAME,USER")
  IF $USER
   ? "$USERNAME ..."
   $USER.PUT("USERFLAGS",$USER.GET("USERFLAGS") | $ADS_UF_DONTEXPIREPASSWD) 
   $USER.SETINFO() " @SERROR"
   $USER = 0
  ENDIF
 ENDIF 
NEXT

EXIT

---

ummm... it goes without saying that this script really works so excerise caution - you might want to comment-out the $USER.SETINFO() line so that no updates are performed (until you're ready) ... I really hope this script helps your cause ...

-Shawn

[ 19 July 2001: Message edited by: Shawn ]

if you were near i'd kiss ya !!!

i really need to check this adsi out, right now i'm quite busy and my teamleader asked me to sort out this script but this is beyond my wildest dreams.

If i understand it correctly ADSI provides some sort of translation mechanism of the NT4 users and their properties so you can reference and manipulate them in an object oriented style. correct ?

i will get the help files from microsoft and study them a bit over the weekend and check out the sample code you have written, seems pretty efficient. the only thing i'll need to find out is how fast this actually works because i'm on a pretty slow network (130 sites and a steady echo/response of 3000 milsec is not uncommon...)

if only time could stand still for a month or two, i want to learn it all (vb/adsi etc...)

besides the adsi components i need on the machine i run the script on are there any prereqs on the good ol'nt4 servers we have ??(netw is all nt4 i am the only one with a w2k machine because it's private...)

Thanx all for pointing me in the right direction i'll try to get some understanding of this ADSI and we'll see what happens.
(i'm not going to get much sleep upcoming nights...)

CIao,
MvdW

jpols, i forgot to mention in post above but the net user has the option never expires but that's for the user account not the password... (at least that's what i understood...)

Bye !!

Yeah - take your time and get comfortable with it before you jump into things - you might want to download and run some of the other sample scripts (above) that Kent and I were playing with - they just dump user info to your console ... might want to create some dump scripts of your own to get a good feel for what ADSI is all about.

Your correct - the WinNT Service Provider of ADSI (eg. "WinNT://DOMAIN/USER") is an AD translation mechanism for NT4 domain objects. And yes - the intent is to allow you to manipulate domain properties in object-oriented style. There are quite a few NT domain objects (classes) supported - DOMAINS,USERS,MACHINES,SERVICES,SHARES, PRINTERS and some others ...

The other nice thing about ADSI (vs the NET command) is that NET always works against the domain that your workstation is joined to (no?). Why MS doesn't allow one to specify the DOMAINNAME on the command line is beyond me! We work in a master/resource domain environment (all accounts on MASTER, WKS's joined to RESOURCE) and ADSI has saved my buns dozens of times. It's acutally quite amazing what information a normal domain can query about themselves and others in a trusted (and with credentials) non-trusted relationship !

In terms of speed - well - any automated approach to user account management is bound to beat the pants off doing it manually through the User Manager gui no ? - even if it takes 15 minutes to update a couple hundred accounts (i've never actually timed it but it should be "fast-enough") ? The sample scripts should give you a pretty good indication on that - try throwing a $USER.GETINFO() into the mix as that will tend to be "worst-case".

Pre-requisite software ? On Windows 2000 pro there are none. On Windows NT & 9x you must install the ADSI 2.5 runtimes - available FREE from Microsoft at the download site above.

Here's the sporty part - NO SERVER PREREQS ON YOUR GOOD OLD NT4 SERVERS !!! The ADSI WinNT service provider translates your object calls into backward compatible NT4 NETAPI calls... sweet eh?.

Anyway - glad you like and heres to hoping you'll pursue and have success !

-Shawn

you're absolutely RIGHT !

Shame on me , I wish I'd never answer this !

(I'm now going to a nice, warm place and shoot myself )

Jochen

_________________________

While prowling around this morning, I see the following page..
http://cwashington.netreach.net/script_repository/faqs.asp?topic=adsifaq

And there are several useful examples cited -

• adding a user to a group
  
• getting the users of a group
  
• adding a global user to a local group
  
• invalid syntax error
  
• changing passwords
  
• renaming a user
  
• changing a user description
  
• setting an account expiration
  
• confirming a password change
  
• setting a home directory
  
• creating a share
  
• setting password expiration
  
• creating a user
  
• setting a required password
  
• deleting a group
  
• setting a user's login script
  
• deleting a share
  
• setting a user's full name
  
• deleting a user from a domain
  
• setting a user's profile
  
• disabling an account
  
• starting an NT service
  
• displaying domains
  
• stopping an NT service
  
• displaying groups
  
• unlocking a user account
  
• displaying groups of a user
  

Too cool!

L8r,

- Kent