How to write a script to change password expiration values for users on Windows Server?

I need to create several users on Windows 2008 servers and change the password expiration value to "Never." These will be local (not AD) users. I can create them using "net user", and this changes the validity period of the password, which kills me. If I use "net user username", it displays the field and its value, but there is no switch (at least not one referenced by the help file) to change it, and most of the solutions that I saw on the Internet suggested installing third-party tools; however, this solution should be native to Windows (ideally using PowerShell). Any help is appreciated.

UPDATE

I said that if I figured out how to do this in PowerShell, I would post it here, and I am a man of my word.

Get-WmiObject -Class Win32_UserAccount -Filter "name = 'steve'" | Set-WmiInstance -Argument @{PasswordExpires = 0}

This is a logical value, so if you want to set a password to expire, just change the value 0 to 1. This is beautiful for me in its simplicity, and I tested this method by updating other WMI objects, and it works every time.

+6
windows scripting powershell windows-server-2008-r2
5 answers

A simple solution is to create a batch file that issues the following command:

 net accounts /maxpwage:unlimited 

However, this will set the maximum age for all accounts on the local computer to unlimited, not just the new accounts you created.


If you need a finer level of control (i.e. the ability to set password expiration values for individual users), you will need something more complex. Scripting Guys share an example of VBScript that will change the local user account so that its password does not expire:

    ' Flag bit that marks the password as never expiring
    Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

    strDomainOrWorkgroup = "Fabrikam"
    strComputer = "atl-win2k-01"
    strUser = "KenMeyer"

    ' Bind to the local user account through the WinNT provider
    Set objUser = GetObject("WinNT://" & strDomainOrWorkgroup & "/" & _
        strComputer & "/" & strUser & ",User")

    ' OR the flag into the existing value so the other flags are preserved
    objUserFlags = objUser.Get("UserFlags")
    objPasswordExpirationFlag = objUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD
    objUser.Put "userFlags", objPasswordExpirationFlag
    objUser.SetInfo

It would be easy to change this to work for any user of your choice or even to create a new user.


Finally, here is an example in C# that you should be able to connect to PowerShell. I'm not a PS expert, but given that it uses the .NET Framework, the code above should give you some ideas.

+6

From this stream of technology.

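    $computer = $env:Computername
    $account = ([adsi]"WinNT://$computer/TestAccount")
    # PasswordExpired = 1 flags the current password as expired,
    # so the user must change it at next logon
    $account.PasswordExpired = 1
    $account.psbase.commitchanges()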

You can add a domain before the computer name if you need to.

+1

Set the user's password to not expire. Do not change other flags:

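    $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
    $username = 'user'
    # "." binds to the local computer
    $user = [adsi] "WinNT://./$username"
    # -bor sets only the "don't expire" bit and keeps the existing flags
    $user.UserFlags = $user.UserFlags[0] -bor $ADS_UF_DONT_EXPIRE_PASSWD
    $user.SetInfo()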

ADS_USER_FLAG_ENUM enumeration

+1

Other solutions didn't work for me, so I tweaked Jason's solution:

    $svrname = $env:computername
    $user = ([adsi]"WinNT://$svrname/Administrator")
    $user.userflags = 66049
    $user.psbase.commitchanges()

The userflags value determines which checkboxes are checked for the user - this is the base value "password does not expire." It seems that it is not possible to understand how these numbers coincide, it may be useful below, but according to this, I have a reserved value that does not make sense.

http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

Instead, I just turned on the parameters that I need on a test box and got the value. It is the most reliable means to determine what you need, I think.

0

I took Deadly-Bagel's solution, and it didn't work until I made a small change. See below:

    $svrname = $env:computername
    $user = ([adsi]"WinNT://$svrname/Administrator")
    $user.psbase.InvokeSet("userflags", 66049)
    $user.psbase.commitchanges()
0
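
Added example, not part of any answer above and not code from the original page: the UserFlags answers treat the value as a bit mask, and 66049 is 0x10201, i.e. ADS_UF_SCRIPT, ADS_UF_NORMAL_ACCOUNT and ADS_UF_DONT_EXPIRE_PASSWD combined. The sketch below decodes a UserFlags value, sets or clears only the "password never expires" bit, and lists local accounts that have it set so they can be reviewed. The function names are hypothetical helpers; the flag values are from ADS_USER_FLAG_ENUM, and a plain hashtable is used so it also runs on PowerShell 2.0.

```powershell
# Added example. Function names are hypothetical helpers, not built-in cmdlets.
# Flag values are from ADS_USER_FLAG_ENUM (subset relevant to local accounts).
$AdsUserFlags = @{
    ADS_UF_SCRIPT             = 0x1
    ADS_UF_ACCOUNTDISABLE     = 0x2
    ADS_UF_LOCKOUT            = 0x10
    ADS_UF_PASSWD_NOTREQD     = 0x20
    ADS_UF_PASSWD_CANT_CHANGE = 0x40
    ADS_UF_NORMAL_ACCOUNT     = 0x200
    ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
}

function ConvertFrom-UserFlags([int]$Value) {
    # Names of every known bit set in $Value, lowest bit first.
    $AdsUserFlags.GetEnumerator() | Sort-Object Value |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Set-LocalPasswordNeverExpires {
    param([string]$UserName, [bool]$NeverExpires = $true)
    # Bind to the local account; ",user" restricts the lookup to user objects.
    $user  = [adsi]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $flags = [int]$user.UserFlags.Value
    $bit   = $AdsUserFlags.ADS_UF_DONT_EXPIRE_PASSWD
    if ($NeverExpires) {
        $flags = $flags -bor $bit             # set the bit, keep all others
    } else {
        $flags = $flags -band (-bnot $bit)    # clear the bit, keep all others
    }
    $user.UserFlags = $flags
    $user.SetInfo()
}

function Get-NonExpiringLocalUsers {
    # Audit helper: local user accounts whose password is set to never expire.
    $bit = $AdsUserFlags.ADS_UF_DONT_EXPIRE_PASSWD
    ([adsi]"WinNT://$env:COMPUTERNAME").Children |
        Where-Object { $_.SchemaClassName -eq 'User' } |
        Where-Object { [int]$_.UserFlags.Value -band $bit } |
        ForEach-Object { $_.Name.Value }
}

# Decode the literal used in the answers above (makes no changes to the system).
ConvertFrom-UserFlags 66049
```

Writing a literal such as 66049 overwrites every flag on the account, including a disabled or locked-out state, whereas the bitwise form changes one bit only. Set-LocalPasswordNeverExpires needs an elevated session.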