ADMT: Auto-Expired Password Clean-Up

I’m using Microsoft’s Active Directory Migration Tool to migrate users from an NT 4.0 Domain to a Win2k3 Domain. The process seems mostly flawless so far except that the password settings (not the password itself) are lost after migrating the users and their passwords. Suddenly, all migrated users on the new domain have expired passwords and are thus required to enter in a new password after their first successful login on the new domain. This new requirement does not comply with our old policy so I’ve written a VBS script to address the issue.

Below is a script that goes through each account on the new domain and, if the account is not disabled, sets the password to never expire and unchecks the “User Must Change Password at Next Login” box.

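' Bind to the target domain through the WinNT provider and enumerate user accounts only
Set objDomain = GetObject("WinNT://newdomain")
objDomain.Filter = Array("User")
For Each User In objDomain
    If User.AccountDisabled = 0 Then
        ' Clear "User Must Change Password at Next Login"
        User.PasswordExpired = 0
        ' Read the current flags so that only the never-expire bit is added
        Flags = User.Get("UserFlags")
        ' &H10000 = ADS_UF_DONT_EXPIRE_PASSWD
        User.Put "UserFlags", Flags Or &H10000
        User.SetInfo
    End If
Next
Set objDomain = Nothing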
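
Why the account's current UserFlags value has to be read before OR-ing in &H10000, as an added example that is not part of the original post: a variable that was never filled is Empty, so the write carries the never-expire bit alone, which is consistent with the cleared checkboxes reported in the comments. The account names and flag values are constructed samples, and the helper function names are hypothetical; run it with cscript.

```vbscript
Option Explicit

' ADS_USER_FLAG_ENUM bits as exposed by the WinNT provider's UserFlags property
Const ADS_UF_SCRIPT = &H1
Const ADS_UF_ACCOUNTDISABLE = &H2
Const ADS_UF_PASSWD_NOTREQD = &H20
Const ADS_UF_PASSWD_CANT_CHANGE = &H40
Const ADS_UF_NORMAL_ACCOUNT = &H200
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000

' Names of the known bits set in a UserFlags value
Function DescribeFlags(flags)
    Dim names, bits, i, out
    names = Array("SCRIPT", "ACCOUNTDISABLE", "PASSWD_NOTREQD", _
                  "PASSWD_CANT_CHANGE", "NORMAL_ACCOUNT", "DONT_EXPIRE_PASSWD")
    bits = Array(ADS_UF_SCRIPT, ADS_UF_ACCOUNTDISABLE, ADS_UF_PASSWD_NOTREQD, _
                 ADS_UF_PASSWD_CANT_CHANGE, ADS_UF_NORMAL_ACCOUNT, ADS_UF_DONT_EXPIRE_PASSWD)
    out = ""
    For i = 0 To UBound(bits)
        If (flags And bits(i)) <> 0 Then out = out & names(i) & " "
    Next
    If out = "" Then out = "(none)"
    DescribeFlags = Trim(out)
End Function

' Add or remove only the never-expire bit, leaving every other bit as it was
Function SetNeverExpire(flags)
    SetNeverExpire = flags Or ADS_UF_DONT_EXPIRE_PASSWD
End Function

Function ClearNeverExpire(flags)
    ClearNeverExpire = flags And Not ADS_UF_DONT_EXPIRE_PASSWD
End Function

' Constructed sample accounts (hypothetical names and flag values), not read from a domain
Dim samples, s, neverRead
samples = Array(Array("user-a", &H201), Array("user-b", &H241), Array("user-c", &H10221))

For Each s In samples
    WScript.Echo s(0) & " current: " & DescribeFlags(s(1))
    ' neverRead is Empty, so this yields &H10000 alone and drops the other bits
    WScript.Echo "  unread variable Or &H10000: " & DescribeFlags(neverRead Or ADS_UF_DONT_EXPIRE_PASSWD)
    WScript.Echo "  current Or &H10000:         " & DescribeFlags(SetNeverExpire(s(1)))
    WScript.Echo "  never-expire cleared:       " & DescribeFlags(ClearNeverExpire(s(1)))
Next
```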

Chrissy is a PowerShell MVP who has worked in IT for nearly 20 years, and currently serves as a Sr. Database Engineer in Belgium. Always an avid scripter, she attended the Monad session at Microsoft’s Professional Developers Conference in Los Angeles back in 2005 and has worked and played with PowerShell ever since. Chrissy is currently pursuing an MS in Systems Engineering at Regis University and helps maintain in her spare time. She holds a number of certifications, including those relating to SQL Server, SuSE Linux, SharePoint and network security. She recently became co-lead of the SQL PASS PowerShell Virtual Chapter. You can follow her on Twitter at @cl.

6 comments on “ADMT: Auto-Expired Password Clean-Up”
  1. Miky says:

    I’m happy to meet you.

    This script unchecks the box “User Must Change Password at Next Login” but all the others too.

    And I would like to know:

    How to avoid this problem?

    Thanks a lot.


  2. Miky says:

    I have forgotten: except the box “Password never expire”



  3. Miky says:

    Congratulations on this script!!!


  4. Chrissy says:

    I’m not sure why that’s happening. If you go line by line it says

    For each user on the domain…
    If the user account is not disabled
    Set the password to unexpired
    Set password to never expire
    end if

    What OS are you using?

  5. Miky says:

    Hi Chrissy,

    Hello, my OS is Windows Server 2003, and the application is targeted on a user group. The principle is to uncheck the box “password never expires” of some users contained in a group.



  6. Arlys says:

    Thanks for the script, it was helpful for me.
