我怎样才能configuration活动目录,使密码在午夜过期?

当用户更改密码时,通常是白天的某个时间。 这意味着设置为上次更改+ n天的密码到期日将导致密码在白天过期。 我如何强制密码在当天的午夜过期?

我不相信这是可能的,而不需要手动更改ADSI Edit中的PwdLastSet属性,我不build议这样做。

从1601年1月1日中午12:00开始,该值将以100纳秒的间隔存储。但是,您唯一的编辑属性的选项是将其设置为0 (密码现在已过期,用户必须重置)或-1 PwdLastSet更改为当前date/时间)。

正如在注释中提到的,您需要先将值设置为0 ,然后将其设置为-1

您可以编写一个脚本,在给定date的午夜将属性更新为-1以供所有用户使用。 但是,这会将您的所有用户密码设置为在N天内午夜(N为您的域密码策略最大设置时间)。 这可能会延长密码的最大年龄。

你设定密码在午夜到期的目标是什么?

Windows根本不支持全局适用的“密码到期时间”的概念。 你也不能设定时间,除非说现在已经过期,或者只是改变了。 但是,您可以使用每晚运行的命令行AD工具或PowerShell编写一个脚本:它可以通过密码查询AD,以便在24小时内过期(pwdLastSet比您的密码最大年龄早一天天),并将其设置为-1(密码已过期)。 这样可以避免无意中延长密码的使用寿命,也避免中午密码过期。

也有第三方工具可以为你做这种事情。 例如,日立ID密码pipe理器的一个function允许您popup一个Web浏览器,在该浏览器中,用户必须更改其密码或注销,并且您可以将其设置为在实际到期之前的任意天数。

您可以每天午夜运行脚本,如果密码设置为在第二天过期,则强制过期。

那里有一个插图

从未在VBS中testing过;

 Const SEC_IN_DAY = 86400 Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 Const ADS_SCOPE_SUBTREE = 1000 dim strname dim strdist dim dtmvalue on error resume next Set objConnection = CreateObject("ADODB.Connection") Set objCommand = CreateObject("ADODB.Command") objConnection.Provider = "ADsDSOObject" objConnection.Open "Active Directory Provider" Set objCommand.ActiveConnection = objConnection objCommand.Properties("Page Size") = 1000 objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE objCommand.CommandText = "SELECT distinguishedName, profilepath, name from 'LDAP://dc=Example,dc=com' where objectCategory = 'User'" Set objuserRecordSet = objCommand.Execute objUSerRecordSet.MoveFirst Do Until objuserRecordSet.EOF strdist = objuserRecordSet.Fields("distinguishedName").Value strname = objuserRecordSet.Fields("name").Value Set objUserLDAP = GetObject _ ("LDAP://" & strdist) intCurrentValue = objUserLDAP.Get("userAccountControl") dtmValue = objUserLDAP.PasswordLastChanged If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then x = "The password does not expire." Else Set objDomainNT = GetObject("WinNT://escc.gov.uk") intMaxPwdAge = objDomainNT.Get("MaxPasswordAge") If intMaxPwdAge < 0 Then x = "Password does not expire" Else intMaxPwdAge=intMaxPwdAge/86400 strold = ((dtmValue + intMaxPwdAge)-now) if strold < 2 and strold > 0 then objUserLDAP.pwdLastSet = 0 objUserLDAP.SetInfo end if end if End If dtmValue= "" objuserrecordset.movenext Loop 

或者有一个PowerShell的例子:

 # This PowerShell Script will query Active Directory and return the user accounts with passwords # set to expire before the end of the next day, export a list of the affected accounts, and require # a password change at the next logon. The script is configured to ingore accounts which have been # configured with passwords that never expire, and to ignore accounts who do not have permission to # change their own password. Any other account would be affected, so be warned before running this # script, as you could experience unintended consequences. Either modify the script to reduce the # scope of user accounts, or ensure that accounts that shouldn't be affected are either flaged with # a non-expiring password or are flagged with "cannot change password. When ready to run/schedule # in production, remove the -WhatIf from the last line. # # - MWT, 10/11/13 # The 89 is based upon your environment. If passwords expire every X (90) days, and you run the script # in the early morning, you can set it to -1*(X-1) (-89), if you run the script late at night, set it to # -1*(X-2) (-88). Import-Module ActiveDirectory # Required for PowerShell 2.0 only $a = (Get-Date).Date.AddDays(-89) # The following line will build the variable based upon the noted criteria $b = Get-ADUser -Property Name,SamAccountName,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -Filter {(PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false)} | Where-Object {$_.CannotChangePassword -eq $false} # The following line will display/export the data logging the accounts to be changed; please note the # Out-File path and change to suit your needs. $b | Format-Table Name,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -AutoSize | Out-File -FilePath C:\passwordchanges.txt # The following line will actually flag the accounts to require a password change (after -WhatIf is removed) $b.SamAccountName | ForEach-Object {Set-ADUser -Identity $_ -ChangePasswordAtLogon $true -WhatIf}