I am connecting to an Active Directory 2008 Domain Controller using perl Net::LDAPS and trying to set the "User must change password at next logon" account option and it's not working.
I am able to create, modify, delete, and move different objects but I am not able to get that change password setting to take!
This is what I am trying to do and it's not working:
Note: I am using a self written class wrapper for Net::LDAPS and the code below is boiled down to the bare bones of what I am trying to do.
# Binding to LDAP Directory:
$self->{LDAP_INSTANCE} = Net::LDAPS->new($host);
$self->{LDAP_INSTANCE}->bind(dn=>$dn, password=>$password, version=>3 )
my $rc =$self->{LDAP_INSTANCE}->modify(
$DN_OF_USER_ACCOUNT,
[ replace => [userAccountControl => 0x00800000] ]
);
print $rc->error; # Results in an empty string / No error
# Note: I have also tried: hex(800000) instead of 0x00800000 as well.
I am binding with a domain administrator account and I have verified that the $DN_OF_USER_ACCOUNT is correct.
The
userAccountControlattribute is a bitfield with many settings. Changing the value for the user to be0x00800000would be quite harmful since it would remove the default of0x200 ADS_UF_NORMAL_ACCOUNT.The documentation for
0x00800000is:If we look at
pwdLastSet's documentation, we see:So to expire the password, we need to set
pwdLastSetto zero. This is substantiated by a blog entry from Scripting Guy who does it in VBScript.In Perl: