Everyone
(Getting the hang of it)
2003-10-28 07:18 PM
Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

I'm trying to use ADSI code in a Kixtart script, to set accounts so that the user must change the password at next login.

Here is an article that shows how to do it in VBScript:
Configuring a Password Change at Next Logon Requirement

Here is the Kixtart code:
code:
$Domain = GetObject("LDAP://" + $DN[0])
$Domain.Put "pwdLastSet",0
$Domain.SetInfo
This is the error that occurs on the line that says: $Domain.Put "pwdLastSet",0

ERROR : unexpected command!
Script: C:\KiX2001.421\test2.kix
Line : 40

What do I need to do to make this work? [Confused]

[ 28. October 2003, 19:19: Message edited by: Everyone ]

Chris S.
(MM club member)
2003-10-28 07:30 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

Try...

code:
$Domain = GetObject("LDAP://" + $DN[0])
$Domain.Put("pwdLastSet",0)
$Domain.SetInfo

Howard Bullock
(KiX Supporter)
2003-10-28 07:30 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

Try using parens...

$Domain.Put("pwdLastSet",0)

Sealeopard
(KiX Master)
2003-10-28 07:30 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

Have you tried $Domain.Put('pwdLastSet',0) or $domain.pwdLastSet=0 ?

Everyone
(Getting the hang of it)
2003-10-28 07:32 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

I tried $Domain.Put("pwdLastSet",0), that didn't return an error, but it didn't set the attribute either.

I will try $domain.pwdLastSet=0

Everyone
(Getting the hang of it)
2003-10-28 07:34 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

$domain.pwdLastSet=0 doesn't return an error, however it doesn't set the attribute.

Richie19Rich77
(Seasoned Scripter)
2003-10-28 07:37 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

Do this then:

$ADSUser.Put("PasswordExpired", 1)
$ADSUser.SetInfo

Everyone
(Getting the hang of it)
2003-10-28 07:49 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

quote:
Do this then:

$ADSUser.Put("PasswordExpired", 1)
$ADSUser.SetInfo
That gives an "expected expression!" error, unles I change $ADSUser to $Domain.

If I change it to $Domain, it does nothing.

Howard Bullock
(KiX Supporter)
2003-10-28 08:01 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

This code works for me and has been verified via the GUI.

$obUser = GetObject("LDAP://CN=USer,OU=US Pilot Accounts,OU=0001,DC=tyco,DC=com"); 
? "Get user: @error @serror"
$obUser.Put ("pwdLastSet",0)
$obUser.SetInfo
? "SetInfo: @error @serror"


Are you binding to the same DC with the script as you are with the GUI?

[ 28. October 2003, 20:02: Message edited by: Howard Bullock ]

Richie19Rich77
(Seasoned Scripter)
2003-10-28 08:03 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

Hmm, try this then.

$STRUserName = "Richard.Farthing"
$STRUSERPATH = "WinNT://@Domain/$STRUserName,User"
$Reset = GetObject($STRUSERPATH)
$Reset.Put("PasswordExpired", 1)
$Reset.setinfo


[ 28. October 2003, 20:04: Message edited by: Richard Farthing ]

Richie19Rich77
(Seasoned Scripter)
2003-10-28 08:05 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

And do you have 2 domain controllers, maybe you need to do a manual replication.

LonkeroAdministrator
(KiX Master Guru)
2003-10-28 08:09 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

scary how you boys got same time there in the initial replies... [Eek!]

Everyone
(Getting the hang of it)
2003-10-28 09:24 PM
Re: Problem Setting "User must change password at next logon" attribute via ADSI/Kixtart

Ahh I didn't even think to check the error message.. I know why it isn't working now..

SetInfo: -2147352567 COM exception error "SetInfo" (Active Directory - General access denied error) [-2147352567/80020009]

Our AD is set up weird. We have to use this Enterprise Directory Manager tool to make any changes now. The tool is bound to an account... and the account it is bound to is the only one that has access to make changes to objects in the directory. I completely forgot about that.