Set password expiration date for local account

Started by hienpham, June 06, 2013, 03:50:28 PM


hienpham

We just have a policy that requires that the local account password should be expired every 60 days. What WinBatch command will I use to do that? The wntUserSetDat command does not have the option to do that. In the worst case we will use the "net user" command.

Thanks for any help.

hien

Deana

Active Directory has an attribute named maxPwdAge. This attribute specifies the maximum amount of time that a password is valid. It is stored as the number of 100-nanosecond intervals from the time the password was set until the password expires: http://msdn.microsoft.com/en-us/library/cc220201.aspx. Here is a COM LDAP example that gets this attribute. You could maybe modify this code to set it: http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WIL~Extenders/ADSI+AD~Password~Expires~Date.txt

Deana F.
Technical Support
Wilson WindowWare Inc.

hienpham

Thanks Deana,
But as I have mentioned, it concerns local accounts and I doubt that we can use AD here. I believe that we should use local GPO. Does WinBatch have any sample about password and GPO?

About the new Forum, the UI is really great and easy to use, but I did not find the TYPO check that I always called in the old forum.

hienpham

Sorry, I just read about the missing of the spell check in the new forum.

Deana

Quote from: hienpham on June 07, 2013, 09:01:27 AM
Thanks Deana,
But as I have mentioned, it concerns local accounts and I doubt that we can use AD here. I believe that we should use local GPO. Does WinBatch have any sample about password and GPO?

About the new Forum, the UI is really great and easy to use, but I did not find the TYPO check that I always called in the old forum.

Unfortunately Windows doesn't seem to offer any direct functionality to automate individual policy settings. I believe most of this information is stored in the registry. The trick would be to figure out all of the necessary registry modifications, then reproduce that using the Registry functions in WinBatch. If you can't find specific registry values online, then one option would be to run a registry monitoring tool, like Regmon, while you modify the settings manually.

Reference: http://techsupt.winbatch.com/webcgi/webbatch.exe?techsupt/tsleft.web+WinBatch/How~To+Modify~Local~Group~Policy.txt

[Unfortunately this forum doesn't offer spell check. However some modern browsers have spell check built in i.e. IE10, Chrome, etc.]
Deana F.
Technical Support
Wilson WindowWare Inc.

stanl

I think ADSI can be used on local accounts: The trick would be to poll that a password is about to expire then reset it. The PS code below (which can be called from WB2013) re-sets the PW to 60 days:


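# Bind to the local account Test1 through the WinNT provider
$user = [adsi]"WinNT://./Test1,user"
# Date 60 days from now
$expirydate = (Get-Date).AddDays(60)
# Write that date to the AccountExpirationDate property and commit it
$user.Put("AccountExpirationDate", $expirydate)
$user.SetInfo()
# Re-read the object and list all of its properties
$user.RefreshCache()
$user | Format-List *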


However, this does not reset the actual password, although that is possible.
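
The polling step mentioned in the last post, as an added example that is not part of the original thread: it reads a local account's password age and the machine's maximum password age through the same WinNT provider and reports how many days remain. The function name, the `WarnDays` threshold and the status labels are hypothetical; `Test1` is the sample account from the post above, and the 60-day limit itself is the local maximum password age, which `net accounts /maxpwage:60` sets.

```powershell
# Added example (not from the thread): report when a local account's password expires.
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # UserFlags bit: "Password never expires"

function Get-LocalPasswordExpiry {
    param(
        [Parameter(Mandatory = $true)] [string] $UserName,
        [int] $WarnDays = 7   # hypothetical warning window, in days
    )
    $user = [adsi]"WinNT://./$UserName,user"
    # RefreshCache forces the bind, so a missing account fails here and not later.
    try { $user.RefreshCache() }
    catch { throw "Local account '$UserName' could not be read: $($_.Exception.Message)" }

    $flags     = [long]$user.UserFlags.Value
    $ageSec    = [long]$user.PasswordAge.Value      # seconds since the password was set
    $maxAgeSec = [long]$user.MaxPasswordAge.Value   # seconds, from the local password policy

    # A per-account "never expires" flag overrides the machine-wide maximum age.
    $neverExpires = ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
    # Assumption: an unlimited policy is reported as a non-positive value or 0xFFFFFFFF.
    $unlimited = ($maxAgeSec -le 0) -or ($maxAgeSec -ge 4294967295)

    $lastSet = (Get-Date).AddSeconds(-$ageSec)
    if ($neverExpires -or $unlimited) {
        $expires = $null; $daysLeft = $null; $status = 'NoExpiry'
    } else {
        $expires  = $lastSet.AddSeconds($maxAgeSec)
        $daysLeft = [math]::Floor(($maxAgeSec - $ageSec) / 86400)
        $status   = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
    }

    [pscustomobject]@{
        User            = $UserName
        PasswordLastSet = $lastSet
        Expires         = $expires
        DaysLeft        = $daysLeft
        NeverExpires    = $neverExpires
        Status          = $status
    }
}

Get-LocalPasswordExpiry -UserName 'Test1'
```

A `NoExpiry` result for an account that the 60-day policy is supposed to cover means either the account's "Password never expires" flag is set or the machine's maximum password age is unlimited.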