Change password expiration date in Active Directory using VBS

Question

I'm trying to change the password expiration date for a user in Active Directory using VBScript. I have the code to obtain information about a user's password, but I can't find anything about how to change it. Any help would be greatly appreciated!

Here's my code:

Const SEC_IN_DAY = 86400
Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000

Set objOU = GetObject("LDAP://CN=[username],OU=Users,OU=New York,OU=NA,OU=[domain],DC=[domain],DC=firm")

intCurrentValue = objOU.Get("userAccountControl")

If intCurrentValue and ADS_UF_DONT_EXPIRE_PASSWD Then
  wscript.echo "The password does not expire."
Else
  dtmValue = objOU.PasswordLastChanged 
  Wscript.echo "The password was last changed on " & _
  DateValue(dtmValue) & " at " & TimeValue(dtmValue) & VbCrLf & _
  "The difference between when the password was last set" & VbCrLf & _
  "and today is " & int(now - dtmValue) & " days"
  intTimeInterval = int(now - dtmValue)

  Set objDomainNT = GetObject("WinNT://ropesgray")
  intMaxPwdAge = objDomainNT.Get("MaxPasswordAge")
  If intMaxPwdAge < 0 Then
    WScript.Echo "The Maximum Password Age is set to 0 in the " & _
      "domain. Therefore, the password does not expire."
  Else
    intMaxPwdAge = (intMaxPwdAge/SEC_IN_DAY)
    Wscript.echo "The maximum password age is " & intMaxPwdAge & " days"
    If intTimeInterval >= intMaxPwdAge Then
      Wscript.echo "The password has expired."
    Else
      Wscript.echo "The password will expire on " & _
      DateValue(dtmValue + intMaxPwdAge) & " (" & _
      int((dtmValue + intMaxPwdAge) - now) & " days from today" & ")."
    End If
  End If
End If


'strUserPrincipalName = objOU.Get("userPrincipalName")
'strSAMAccountName = objOU.Get("sAMAccountName")
'strMaxPWAge = objOU.Get("manager")

'WScript.Echo strUserPrincipalName
'WScript.Echo strSAMAccountName
'WScript.Echo strMaxPWAge

Answer 1

You can use the pwdLastSet attribute to change the password expiration, but perhaps not in the way you want. pwdLastSet is the number of 100-nanosecond intervals since 12:00 am January 1, 1601. According to Microsoft documentation, this attribute accepts only two values 0 or -1.

try this :

1. Set pwdLastSet to 0, this means that the password has never been set.
2. Then, Set pwdLastSet to -1, this means that the password has just been set. So the value that appears in pwdLastSet is the current date/time.

I use to use in in W2K3 and it's still working on W2H8 R2.

You can find there a tool (sorry in french) that allow you to create date/time from number of 100-nanosecond intervals since 12:00 am January 1, 1601.

Be carefull It lengthens the password duration, which is not good for security.

I hope it helps.

JP