Posted by Joe Richards [MVP] on July 5, 2006, 7:59 pm
I helped Mike with this offline. You can do specifically what he
asked for with a combination of admod and adfind...
(all one line)
adfind -b BASE_DN -f "matching filter" -dsq | admod pwdlastset::0 -unsafe
or if you know about how many you will need to update
adfind -b BASE_DN -f "matching filter" -dsq | admod pwdlastset::0 -safety x
where x is the number you want to be able to update or bail out.
One thing to note though... Expiring passwords will not lock users out
immediately, nor will disabling them. If users already have their
Kerberos ticket for a resource they will continue being able to use the
resource, there is no way around that that I am aware of. Kerb tickets
don't expire for 10 hours by default.
Also, expiring a password is the same as setting user must change
password on next logon.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Mike Matheny wrote:
> Due to a security breach, we need to immediately expire all passwords (not
> force a change on next logon - I want immediate denial of access to
> resources!). I have searched the internet till I'm blue in the face, only
> thing I can find is forcing a change on next logon - well, some people don't
> relogon for days!
>
> Any help would be greatly appreciated!
>
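
The same bulk expiry with a safety count, as an added PowerShell example that is not part of the original thread and is not joeware code. It assumes the ActiveDirectory (RSAT) module is installed; the function name Set-PasswordExpired and its parameters are hypothetical, and the count check is this example's stand-in for admod's -safety x.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Hypothetical helper: set pwdLastSet to 0 on every user matching an LDAP filter,
# refusing to change anything if the match count is above the safety count.
function Set-PasswordExpired {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # BASE_DN in the post
        [Parameter(Mandatory)] [string] $LdapFilter,   # "matching filter" in the post
        [Parameter(Mandatory)] [int]    $Safety        # x in the post
    )

    # Collect the full result set first so the count is known before any write.
    $users = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter $LdapFilter `
                          -Properties PasswordNeverExpires)

    if ($users.Count -gt $Safety) {
        throw "Matched $($users.Count) users, above the safety count of $Safety; nothing was changed."
    }

    foreach ($u in $users) {
        # Accounts flagged 'password never expires' are not forced to change
        # even with pwdLastSet = 0, so report them for separate handling.
        if ($u.PasswordNeverExpires) {
            Write-Warning "$($u.DistinguishedName): password never expires is set"
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set pwdLastSet to 0')) {
            Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 }
        }
    }

    # Return the number of accounts processed so callers can log it.
    return $users.Count
}

# Dry run first: -WhatIf lists every account that would be touched.
# Set-PasswordExpired -SearchBase 'BASE_DN' -LdapFilter '(matching filter)' -Safety 50 -WhatIf
```

As the post says, this only marks the password as must-change at next logon; Kerberos tickets that were already issued keep working until they expire.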