ADMT: Auto-Expired Password Clean-Up

I’m using Microsoft’s Active Directory Migration Tool to migrate users from an NT 4.0 Domain to a Win2k3 Domain. The process seems mostly flawless so far except that the password settings (not the password itself) are lost after migrating the users and their passwords. Suddenly, all migrated users on the new domain have expired passwords and are thus required to enter in a new password after their first successful login on the new domain. This new requirement does not comply with our old policy so I’ve written a VBS script to address the issue.

Below is a script that goes through each of the accounts on the new domain and, if the account is not disabled, sets the password to never expire and it also unchecks the box that declares “User Must Change Password at Next Login.”

Set objDomain= GetObject("WinNT://newdomain")
objDomain.Filter = Array("User")
For Each User In objDomain
If User.Accountdisabled = 0 then
User.PasswordExpired = 0
User.Put "UserFlags", Flags OR &H10000
End if
Set objDomain = Nothing

Chrissy is a Cloud and Datacenter Management & Data Platform MVP who has worked in IT for over 20 years. She is the creator of the popular SQL PowerShell module dbatools, holds a master's degree in Systems Engineering and is coauthor of Learn dbatools in a Month of Lunches. Chrissy is certified in SQL Server, Linux, SharePoint and network security. You can follow her on Twitter at @cl.

Posted in Active Directory
6 comments on “ADMT: Auto-Expired Password Clean-Up
  1. Miky says:

    I’m happy to meet you.

    This script, unchecks the box “User Must Change Password at Next Login” but all the others too.

    And i would like to know:

    How avoid this problem?

    Thanks a lot.


  2. Miky says:

    I have forgotten: except the box “Password never expire”



  3. Miky says:

    Congratulation for this script !!!


  4. Chrissy says:

    I’m not sure why that’s happening. If you go line by line it says

    For each user on the domain…
    If the user account is not disabled
    Set the passsword to unexpired
    Set password to never expire
    end if

    What OS are you using?

  5. Miky says:

    Hi Chrissy,

    Hello, my OS is Windows Serveur 2003, and the application is targeted on a user group. The principle is to unchecked the box “password never expires” of some users contained in a group.



  6. Arlys says:

    Thanks for the script, it was helpfull for me.

Leave a Reply

Your email address will not be published. Required fields are marked *