6.22. Preventing a User’s Password from Expiring

Problem

You want to prevent a user’s password from expiring.

Solution

Using a graphical user interface

  1. Open the Active Directory Users and Computers snap-in.

  2. In the left pane, right-click on the domain and select Find.

  3. Select the appropriate domain beside In.

  4. Beside Name, type the name of the user you want to modify and click Find Now.

  5. In the Search Results, double-click on the user.

  6. Click the Account tab.

  7. Under Account options, check the box beside Password never expires.

  8. Click OK.

Using a command-line interface

> dsmod user "<UserDN>" -pwdneverexpires yes

Using VBScript

' This code sets a users password to never expire
' See Recipe 4.12 for the code for the CalcBit function
' ------ SCRIPT CONFIGURATION ------
strUserDN = "<UserDN>"  ' e.g. cn=rallen,ou=Sales,dc=rallencorp,dc=com
' ------ END CONFIGURATION ---------

intBit = 65536
strAttr = "userAccountControl"

set objUser = GetObject("LDAP://" & strUserDN)
intBitsOrig = objUser.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, intBit, TRUE)
if intBitsOrig <> intBitsCalc then
   objUser.Put strAttr, intBitsCalc
   objUser.SetInfo
   WScript.Echo "Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo "Did not need to change " & strAttr & " (" & _
                intBitsOrig & ")"
end if

Discussion

Setting a user’s password to never expire overrides any password aging policy you’ve defined in the domain. To disable password expiration, you need to set the bit equivalent of 65536 (i.e., ...

Get Active Directory Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial