JSI Tip 7325. How do I reset most users' passwords, and/or force them to change the password at the next logon?

Using the Active Directory command-line tools, in a Windows 2000 domain or a Windows Server 2003 domain, I have scripted ChgPwd.bat to change most users' passwords, and/or force them to change the password at the next logon.

The syntax for using ChgPwd.bat is:

ChgPwd NewPassword [DN_Exception_File]

where NewPassword is the new password you wish to set, or an N if you don't want to set the password, and DN_Exception_File is an optional file name that contains one line for each user you wish to exclude, in distinguished name (DN) format, like the following example:

"CN=Administrator,CN=Users,DC=JSIINC,DC=COM"
"CN=Jerold Schulman,CN=Users,DC=JSIINC,DC=COM"
"CN=Service Account,CN=Users,DC=JSIINC,DC=COM"
"CN=John Doe,OU=West_Coast_Office,DC=JSIINC,DC=COM"

NOTE: ChgPwd.bat creates a ChgPwd.log file in the current folder.

ChgPwd.bat contains:

@echo off
if {%1}=={} @echo Syntax: ChgPwd NewPassword [DN_Exception_File]&goto :EOF
setlocal
set NewPwd=%1
set Ex=N
if {%2}=={} goto Begin
set file=%2
if not exist %file% @echo ChgPwd %file% NOT found.&endlocal&goto :EOF
set Ex=Y
:Begin
if exist ChgPwd.log del /q ChgPwd.log
call :quiet>>nul 2>>&1
endlocal
goto :EOF
:quiet
rem -limit 0 returns every user; without it dsquery stops after the first 100 results.
for /f "Tokens=*" %%u in ('dsquery user -name * -limit 0') do set DN=%%u&call :setPwd
goto :EOF
:setPwd
if "%Ex%" EQU "N" goto setDNP
rem dsquery prints each DN in double quotes, so %DN% matches the quoted lines in the exception file.
findstr /i /l /c:%DN% %file%
if %ERRORLEVEL% EQU 0 goto :EOF
:setDNP
rem An N in place of the password skips the reset and only forces a change at next logon.
if /i "%NewPwd%" EQU "N" goto setDNC
dsmod user %DN% -pwd %NewPwd%
if %ERRORLEVEL% NEQ 0 goto Err
:setDNC
dsmod user %DN% -mustchpwd yes
if %ERRORLEVEL% NEQ 0 goto Err
@echo PwdChg - %DN%>>ChgPwd.log
goto :EOF
:Err
@echo PwdErr - %DN%>>ChgPwd.log
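Because a mistyped DN in the exception file means that account is reset along with everyone else, it helps to preview the selection before running ChgPwd.bat. The following dry run is an added example, not part of the original tip: the script name ChgPwdPreview.bat and its log file are assumptions, it reuses the same dsquery and findstr matching, and it never calls dsmod.

```batch
@echo off
rem ChgPwdPreview.bat (hypothetical name): dry run of ChgPwd.bat's selection logic.
rem Usage: ChgPwdPreview [DN_Exception_File]
setlocal
set Ex=N
set /a Hit=0
set /a Skip=0
if {%1}=={} goto Begin
set file=%1
if not exist %file% @echo ChgPwdPreview %file% NOT found.&endlocal&goto :EOF
set Ex=Y
:Begin
if exist ChgPwdPreview.log del /q ChgPwdPreview.log
rem -limit 0 lifts dsquery's default cap of 100 returned objects.
for /f "Tokens=*" %%u in ('dsquery user -name * -limit 0') do set DN=%%u&call :check
@echo Would change: %Hit%  Excluded: %Skip%
if "%Ex%" EQU "N" goto Done
rem Flag exception lines that matched no account, for example a typo in a DN.
rem A matched line appears in the log as Excluded; an unmatched one appears nowhere.
for /f "usebackq delims=" %%e in (%file%) do call :verify %%e
:Done
endlocal
goto :EOF

:check
if "%Ex%" EQU "N" goto wouldChange
rem Same test ChgPwd.bat uses: the quoted DN from dsquery as a literal search string.
findstr /i /l /c:%DN% %file% >nul 2>&1
if %ERRORLEVEL% EQU 0 goto excluded
:wouldChange
set /a Hit+=1
@echo WouldChg - %DN%>>ChgPwdPreview.log
goto :EOF
:excluded
set /a Skip+=1
@echo Excluded - %DN%>>ChgPwdPreview.log
goto :EOF

:verify
rem %1 is one quoted line from the exception file.
findstr /i /l /c:%1 ChgPwdPreview.log >nul 2>&1
if %ERRORLEVEL% NEQ 0 @echo NoMatch  - %1 is in %file% but matches no user
goto :EOF
```

Review ChgPwdPreview.log and any NoMatch lines before running ChgPwd.bat with the same exception file.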


