How do I write a script to modify the password expiration values for users on a Windows Server?

6

6

I need to create several users on Windows 2008 servers and modify the password expiration value to "Never". These will be local (not AD) users. I can create them using "net user"; it's modifying the pass expiry that is killing me. If I do a "net user username" it lists the field and its value, but there is no switch (at least not one that the help file references) to modify it, and most of the solutions I saw online suggested installing 3rd party tools. However, this solution must be native to Windows (ideally using PowerShell). Any help is appreciated.

UPDATE

I said if I figured out how to do this in PowerShell I would post it here, and I am a man of my word.

Get-WmiObject -Class Win32_UserAccount -Filter "name = 'steve'" | Set-WmiInstance -Argument @{PasswordExpires = 0}

This is a boolean value so if you wanted to set a password to expire just change 0 to 1. This is beautiful to me in its simplicity, and I have tested this method updating other WMI objects and it works every time.

Aden answered 28/1, 2011 at 2:23 Comment(2)
Do you need a script to do this, or do you just need to do this once? - Teresaterese
This is a perfectly valid question, and considering you want to do it with a script, would be nonsensical to migrate to Super User. I modified the title a little to help make your question clearer. +1 from me. - Elephantine
6

The simple solution is to create a batch file that issues the following command:

net accounts /maxpwage:unlimited

However, that will set the maximum password age for all accounts on the local machine to unlimited, not just the new accounts that you have created.


If you need a finer level of control (i.e., the ability to set the password expiration values for individual users), you'll need something a little more complicated. The Scripting Guys share an example of a VBScript that will modify a local user account so that its password never expires:

Const ADS_UF_DONT_EXPIRE_PASSWD = &h10000 

strDomainOrWorkgroup = "Fabrikam" 
strComputer = "atl-win2k-01" 
strUser = "KenMeyer" 

Set objUser = GetObject("WinNT://" & strDomainOrWorkgroup & "/" & _ 
    strComputer & "/" & strUser & ",User") 

objUserFlags = objUser.Get("UserFlags") 
objPasswordExpirationFlag = objUserFlags OR ADS_UF_DONT_EXPIRE_PASSWD 
objUser.Put "userFlags", objPasswordExpirationFlag  
objUser.SetInfo 

It would be easy to modify this to work for any user of your choice, or even to create a new user.


Finally, here's an example in C#, which you should be able to port to PowerShell. I'm not much of a PS expert, but considering it uses the .NET Framework, the above code should give you some ideas.

Elephantine answered 28/1, 2011 at 4:41 Comment(1)
Thx, I will look at these solutions. This is for a script, I am trying to completely automate application server setup for a webfarm, and there are a few pieces that I haven't been able to figure out how to easily script (like this one)... If I figure out how to convert the C# to PowerShell I will post that here as well (these scripts are all written in PowerShell). Thx again, FYI I love the Scripting Guys... - Aden
1

From this technet thread.

$computer = $env:Computername
$account = ([adsi]"WinNT://$computer/TestAccount")
$account.PasswordExpired = 1
$account.psbase.commitchanges()

You can add the domain before the computer name if you need to.

Tiepolo answered 28/1, 2011 at 22:9 Comment(2)
Nice. I don't use WMI all that much, so I didn't think to look there. - Tiepolo
Forgot to mention... your script above set the actual expired flag, not the willexpire flag. But thx for the help anyway... - Aden
1

Set password never expires for local user. Do not change other flags:

$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

$username = 'user'
$user = [adsi] "WinNT://./$username"
$user.UserFlags = $user.UserFlags[0] -bor $ADS_UF_DONT_EXPIRE_PASSWD
$user.SetInfo()

ADS_USER_FLAG_ENUM enumeration

Meredithmeredithe answered 7/12, 2016 at 11:52 Comment(0)
1

Works for me:

WMIC USERACCOUNT WHERE "Name='ftpuser'" SET PasswordExpires=FALSE

Replace ftpuser with the correct user name.

Osmunda answered 19/11, 2019 at 15:23 Comment(0)
0

The other solutions weren't working for me so I tweaked Jason's solution to:

$svrname = $env:computername
$user = ([adsi]"WinNT://$svrname/Administrator")
$user.userflags = 66049
$user.psbase.commitchanges()

The userflags value determines what tickboxes are checked for the user - this one is a basic "password doesn't expire" value. Can't seem to work out how the numbers go together; the below may be useful, but according to that I've got a reserved value enabled, which doesn't make sense.

http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

Instead I just enabled the options I needed on a test box and retrieved the value. It is the most reliable means of determining what you need, I guess.

Bailee answered 22/1, 2015 at 15:25 Comment(0)
0

I took Deadly-Bagel's solution and it didn't work, until I made a small change. See below:

$svrname = $env:computername
$user = ([adsi]"WinNT://$svrname/Administrator")
$user.psbase.InvokeSet("userflags", 66049)
$user.psbase.commitchanges()
Sprit answered 4/2, 2016 at 16:53 Comment(0)
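
Decoding the userflags value 66049 (0x10201) used in the last two answers and changing only the never-expires bit, as an added example that is not part of any answer: assigning the whole value overwrites every other flag, so an account that was disabled (0x2) would come back enabled. ConvertFrom-UserFlags and Set-PasswordNeverExpires are hypothetical helper names; the bit values are a subset of the ADS_USER_FLAG_ENUM enumeration referenced above.

```powershell
# Added example. Function names are hypothetical helpers, not from the answers.
# Bit values are a subset of the ADS_USER_FLAG_ENUM enumeration.
$UserFlagBits = @(
    @{ Name = 'ADS_UF_SCRIPT';             Value = 0x1 },
    @{ Name = 'ADS_UF_ACCOUNTDISABLE';     Value = 0x2 },
    @{ Name = 'ADS_UF_LOCKOUT';            Value = 0x10 },
    @{ Name = 'ADS_UF_PASSWD_NOTREQD';     Value = 0x20 },
    @{ Name = 'ADS_UF_PASSWD_CANT_CHANGE'; Value = 0x40 },
    @{ Name = 'ADS_UF_NORMAL_ACCOUNT';     Value = 0x200 },
    @{ Name = 'ADS_UF_DONT_EXPIRE_PASSWD'; Value = 0x10000 },
    @{ Name = 'ADS_UF_PASSWORD_EXPIRED';   Value = 0x800000 }
)

function ConvertFrom-UserFlags {
    param([int]$Flags)
    # Emit the name of every known bit that is set in $Flags.
    $UserFlagBits |
        Where-Object { ($Flags -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Name }
}

function Set-PasswordNeverExpires {
    param([string]$UserName, [bool]$NeverExpires = $true)
    $bit  = 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD
    $user = [adsi]"WinNT://$env:COMPUTERNAME/$UserName,user"
    $old  = [int]$user.UserFlags.Value
    # Touch only the one bit so disabled/locked-out state is preserved.
    if ($NeverExpires) { $new = $old -bor $bit }
    else               { $new = $old -band (-bnot $bit) }
    if ($new -ne $old) {
        $user.psbase.InvokeSet('UserFlags', $new)
        $user.psbase.CommitChanges()
    }
    # Return before/after flag names for the change log.
    New-Object PSObject -Property @{
        User   = $UserName
        Before = (ConvertFrom-UserFlags $old) -join ', '
        After  = (ConvertFrom-UserFlags $new) -join ', '
    }
}

# Decode the literal used in the answers above.
ConvertFrom-UserFlags 66049

# Audit: local accounts whose passwords never expire.
Get-WmiObject -Class Win32_UserAccount `
    -Filter "LocalAccount = True AND PasswordExpires = False" |
    Select-Object Name, Disabled, Lockout
```

Running the audit query before and after a provisioning script shows exactly which accounts were exempted from expiry, which is worth recording for service accounts.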
