cancel
Showing results for 
Search instead for 
Did you mean: 

Set AD user account option

Former Member
0 Kudos

Hi all,

After creating my user in the AD through a file ( ) and giving them a default password, I not able to set the checkbox "User must change password at next logon " so the user will chnage his password at the first connection:

I set :

pwdLastSet = 0

useraccountcontrol=512

Result: user creation failed

pwdLastSet = 0

useraccountcontrol=544

result : user creation sucess but without the checkbox : "User must change password at next logon "

Any idea ?

Linda

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

The link that Tero posted shows that "password expired" flag is 8388608, so I'd try 512+8388608 on a testuser and see what that does.


Update:

Found this SelfADSI : Attributes for AD Users - userAccountControl through google which states that:


UF_PASSWORD_EXPIRED ( 8388608 )

Caution: This bit does not work as expected!

Normally, this user account control bit is supposed to indicate that the user's password is expired. However, it is not set by the system when the password actually expires, nor can you force the user to change his password at the next logon by setting this bit.

If you really want to know whether the password of an account has expired or not, you can examine the attribute msDS-User-Account-Control-Computed, this is in contrast to the userAccountControl a good indicator for password expiration in the UF_LOCKOUT bit. However, this is a constructed attribute so that it cannot be used as a filter criterion in LDAP search operations.

If you want to force expiration of a password, just set user attribute pwdLastSet to -1.

So, try setting pwdLastSet=-1 on a testuser and see what happens 🙂

Br,

Per Krabsetsve

Former Member
0 Kudos

Hi Per,

I made the change but still not able to set the check box ?

I made all the combination for pwdLastSet and useraccountcontrol but still not able to set the check box:


User must change password at next logon.


Any onther input please to check?


Linda

Steffi_Warnecke
Active Contributor
0 Kudos

Hello Linda,

can you show a screenshot with Per's suggestion in your pass?

Regards,

Steffi.

Former Member
0 Kudos

CreateADSUser with useraccountcontrol 514

Then

EnableADSUserInitial with useraccountcontrol 512

Andy

Answers (1)

Answers (1)

Former Member
0 Kudos

Thanks  to all for your help.

Linda