James Heathershaw

Reputation: 1

Create an AD account and set password as expiring in 45 days

I need some assistance with a line in an existing script that creates a user account and sets the password to non-expiring (66048).

I am trying to modify the code so the password expiry is set to 45 days, but have not been able to find any information on how to do this.

The current line of code in the script is as follows:

objUser.userAccountControl = 66048  ' normal and never expires
objUser.PasswordRequired = True
objUser.SetPassword strPassword

' Add the new user to each group listed in aryGroups
For intLoop = LBound(aryGroups) To UBound(aryGroups)
    Set objGroup = GetObject("LDAP://" & aryGroups(intLoop))
    objGroup.Add objUser.ADsPath
Next

Is there a way to alter the code in the objUser.userAccountControl line from 66048 to something else that will allow me to do this? Everything that I have read only points to the password being set to 'not required', 'non expiry' or 'can't change'.

I am trying to remove the process of admins having to manually change the password to 'does expire' after the script has run.

We are currently running version 2012 R2 of Windows AD.

Upvotes: 0

Views: 603

Answers (1)

Ansgar Wiechers

Reputation: 200273

The UserAccountControl property can control whether or not a password expires, but the time until expiration is defined by when the password was last set and the password expiration time defined via group policy (usually the Default Domain Policy).

You need to remove the DONT_EXPIRE_PASSWORD flag from the userAccountControl attribute, though, otherwise the password still won't expire, even with a password policy in place:

objUser.userAccountControl = 512  ' 512 = NORMAL_ACCOUNT; DONT_EXPIRE_PASSWORD (65536) is not set

Upvotes: 1
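
An added example, not part of the answer above or of the asker's script: assigning a literal to userAccountControl replaces every flag at once, so this sketch clears only the never-expires bit and leaves the rest (for instance a disabled account) untouched, then shows how the expiry date follows from the last-set date plus the policy's maximum age. The function names, the sample values and the 45-day maximum password age are assumptions made for illustration.

```vbscript
Option Explicit

' userAccountControl bits (values from ADSI's ADS_USER_FLAG_ENUM)
Const ADS_UF_ACCOUNTDISABLE     = &H2       ' 2
Const ADS_UF_NORMAL_ACCOUNT     = &H200     ' 512
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000   ' 65536

' Hypothetical helper: clear only the "password never expires" bit.
Function ClearNeverExpires(lngUac)
    ClearNeverExpires = lngUac And Not ADS_UF_DONT_EXPIRE_PASSWD
End Function

' Hypothetical helper: True when the password policy can expire this password.
Function PasswordCanExpire(lngUac)
    PasswordCanExpire = ((lngUac And ADS_UF_DONT_EXPIRE_PASSWD) = 0)
End Function

' Hypothetical helper: expiry = date the password was last set + policy maximum age.
Function ExpiryDate(dtmLastSet, intMaxAgeDays)
    ExpiryDate = DateAdd("d", intMaxAgeDays, dtmLastSet)
End Function

' Constructed sample values:
'   66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD (the value in the question)
'   66050 = the same account, but disabled
'   512   = NORMAL_ACCOUNT only (already able to expire)
Dim aryUac, lngNew, i
aryUac = Array(66048, 66050, 512)

For i = LBound(aryUac) To UBound(aryUac)
    lngNew = ClearNeverExpires(aryUac(i))
    WScript.Echo aryUac(i) & " -> " & lngNew & _
        "  can expire: " & PasswordCanExpire(lngNew) & _
        "  still disabled: " & ((lngNew And ADS_UF_ACCOUNTDISABLE) <> 0)
Next

' Assumed policy: maximum password age of 45 days; constructed last-set date.
WScript.Echo "Expires: " & ExpiryDate(DateSerial(2024, 1, 15), 45)

' Against a bound user object the same helper would be applied like this:
'   objUser.Put "userAccountControl", ClearNeverExpires(objUser.Get("userAccountControl"))
'   objUser.SetInfo
```

Run it with cscript.exe; the second sample value shows that a disabled account stays disabled after the bit is cleared, which an outright assignment of 512 would not preserve.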
