how do I fix the ADSI line in this script??

This topic contains 12 replies, has 5 voices, and was last updated by Peter Jurgens 1 year, 10 months ago.

  • #27617
    tommls
    Participant

    I want to test a password reminder script that runs at login.
    I found this code for doing so:
    # Bind to user object in AD.
    $User = [ADSI]:"LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local"
    # Expire password immediately.
    $User.pwdLastSet = 0
    # Save change in AD.
    $User.SetInfo()

    Problem is that PS throws an error on the ADSI line.

    Unexpected token ':"LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local"' in expression or statement.
    + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : UnexpectedToken

    The original code line says:
    $User = [ADSI]:"LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com"

    It's possible I could be doing something else wrong, but I thought/hoped someone could take a quick look at this??
    I know I can test with group policy...but that is cumbersome etc.

    Or maybe there is another way for me to get the specific user instead of this LDAP??
    The specific user I want to test on is me BTW.

    Thank you, Tom

  • #27620
    Don Jones
    Keymaster

    You've an unnecessary colon, as the error indicates:

    $User = [ADSI]:"LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local"

    Should be:

    $User = [ADSI]"LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local"

    There's no colon between the type accelerator [ADSI] and the string.

  • #27621
    Richard Siddaway
    Moderator

    Try

    $User = [ADSI]"LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com"

    that's without the : after [ADSI]

  • #27622
    Don Jones
    Keymaster
  • #27624
    tommls
    Participant

    OIC...now I understand to look where the red curly line STARTS for debugging. Thank you.

    Now I get

    Exception calling "SetInfo" with "0" argument(s): "A device attached to the system is not functioning.

    From what little I've read so far SetInfo is not supposed to have arguments. What device could it be talking about??

    I got the script from
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/be6745fa-87e2-44ed-8fe4-42552e16b5b7/force-password-to-expire-for-testing?forum=winserverDS

    Thank you...

  • #27626
    tommls
    Participant

    Never mind, I just need to know why SetInfo() does not work??

    Denied came from having the /admin parameter, my mistake.

    Also I did not know I need to use base64 for pwdlastset, not 1.

    Why I cannot do SetInfo(), I do not understand.

    Thank you, Tom

  • #27631
    Rob Simmers
    Participant

    You mention in the first post that you are testing a script to tell the user their password is about to expire. The script you posted is attempting to SET AD attributes, and pwdLastSet is read-only, see:

    https://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx

    When a password is set for an AD user, this value would be updated. Second, if you are trying to do this with a logon script, you should tread lightly. You typically do not want to have any message boxes or anything pop up during logon, as this can stop the script executing until the user closes the dialog. Typically, if you want to give the user a reminder that their password is expiring, you set up a recurring (scheduled) task that gathers the AD information for all users and, if their password expires in 14, 7, 2 or 1 day, sends an email with the information to the user. Additionally, depending on the client OS, there is also a balloon message that indicates the password is going to expire. You can probably find examples of password reminder scripts if you do some internet searches.

  • #27632
    tommls
    Participant

    I must do this for ONE user to TEST a password change script.
    The script in this thread is not a logon script.
    Thank you, Tom

  • #27634
    Rob Simmers
    Participant

    If you are setting the password, then you should look at cmdlets built for this: Set-ADAccountPassword

    While you can use ADSI, the only reason to use that method would be if the Windows RSAT tools were not installed on the system; otherwise you should use the ActiveDirectory module, since most of the guesswork has been taken out of the equation.

  • #27635
    tommls
    Participant

    I get the sense people are not reading this well.
    I'm not setting a password, I'm wanting to set a password expiration.
    And I cannot do it because I don't know how to translate int64 to decimal and vice versa. 🙂 🙂
    Plus SetInfo() errors out.

    Is there a cmdlet that does SetPasswordExpiration equal to 1 day??

    Thank you, Tom

  • #27636
    Rob Simmers
    Participant

    According to what I'm seeing, you cannot set a date. Per this article, you can set the value to -1, which is supposed to use the domain policy age. So, if it's set to 45 days, the password expiration would be set to 45 days from script execution. If you use 0, the password will be set to expired and the user will be required to change the password at next logon. However, this is another article that contests this, indicating it cannot be done and you have to expire it immediately. Test it and let us know.

  • #27638
    tommls
    Participant

    OIC!! Thank you!!
    Appears one cannot change password expiry time via script.
    Though I can try making a custom group policy and apply it to a test account/OU.
    I'm trying to figure out how to see if the password change reminder script actually works without waiting 90 days, sigh.
    Thank you, Tom

  • #27671
    Peter Jurgens
    Participant

    Since you cannot change the value of the pwdlastset attribute I'd suggest changing your method of verifying that your logic in the script is correct. You have two known variables (pwdlastset of a user and the time difference that you wish to check). Therefore I'd just use the logic you are verifying and simply write a script, have it check the pwdlastset value and output the difference. Once you know the value of pwdlastset, you should know what to expect from your logic in checking the difference in time.
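Added example (not code from any post in this thread) of the check Rob and Peter describe: read pwdLastSet for one user with a DirectorySearcher, which hands back the 64-bit FILETIME as an Int64 (so the HighPart/LowPart conversion Tom asked about is not needed), and report how many days remain against the 14/7/2/1-day reminder thresholds. The account name and the 90-day maximum password age are assumed placeholders.

```powershell
# Added example, not from the thread. Placeholders: account name and maximum password age.
param(
    [string]$SamAccountName   = 'testuser',   # placeholder account to check
    [int]$MaxPasswordAgeDays  = 90,           # assumption: domain maximum password age
    [int[]]$WarnDays          = @(14, 7, 2, 1) # reminder thresholds from Rob's post
)

# DirectorySearcher returns pwdLastSet as Int64, unlike the [ADSI] COM LargeInteger.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange(@('pwdlastset', 'useraccountcontrol'))
$result = $searcher.FindOne()
if (-not $result) { throw "User '$SamAccountName' not found" }

$pwdLastSet = [int64]$result.Properties['pwdlastset'][0]
$uac        = [int]$result.Properties['useraccountcontrol'][0]

# userAccountControl flag 0x10000 (DONT_EXPIRE_PASSWD): password never expires.
if ($uac -band 0x10000) {
    Write-Output "Password for $SamAccountName is set to never expire."
    return
}
# pwdLastSet of 0 means the user must change the password at next logon.
if ($pwdLastSet -eq 0) {
    Write-Output "Password for $SamAccountName is already expired (change at next logon)."
    return
}

# pwdLastSet is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
$lastSet   = [DateTime]::FromFileTimeUtc($pwdLastSet)
$expiresOn = $lastSet.AddDays($MaxPasswordAgeDays)
$daysLeft  = [int][Math]::Floor(($expiresOn - [DateTime]::UtcNow).TotalDays)

Write-Output ("Password last set: {0:u}, expires: {1:u}, days left: {2}" -f $lastSet, $expiresOn, $daysLeft)
if ($daysLeft -le 0) {
    Write-Output 'Password has expired.'
} elseif ($WarnDays -contains $daysLeft) {
    Write-Output "Reminder: password expires in $daysLeft day(s)."
}
```

To test the reminder logic without waiting for a real expiry, run it with a smaller -MaxPasswordAgeDays than the domain policy so the computed days-left value crosses the thresholds.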
