2 Replies Latest reply on Apr 9, 2015 8:32 AM by Greg Wojan

    Compliance rule: "Password never expires" = unchecked (win2012)

    himanshu sangwan

      Hi All,

       

       

      I want to create a compliance rule which will

      1) check that the "Password never expires" field is always unchecked for all the existing users

      2) check that the "Password never expires" field is always unchecked for the built-in local admin account (Administrator)

       

      The main objective is to automate unchecking the "Password never expires" property check box on the built-in local admin account (Administrator).

      Unchecking will trigger password expiry, and a password reset may be needed as well to reset the counter.


      I don't find an OOTB compliance rule in 8.5 SP1 either.


      Can you suggest how to create this rule, if possible without creating an EO?

       

      Thanks

      Hsangwan

        • 1. Re: Compliance rule: "Password never expires" = unchecked (win2012)
          Bill Robinson

          I believe this is part of the 'control flags' attribute and not explicitly exposed. We should have an idea to expose each of the attributes for the user if they are not explicitly exposed already.

          • 2. Re: Compliance rule: "Password never expires" = unchecked (win2012)
            Greg Wojan

            We are currently building an Operational Compliance template and encountered this same exact problem. In our environment the local Administrator account may have been renamed as well. I wrote this script in PowerShell that unchecks the "Password never expires" checkbox, resets the password age and then unchecks the "User must change password at next logon".

             

            I broke as much as I could into reusable functions, and there is no error handling, but you'll get the general idea. The two calls at the very end do all the work.

             

            # UserFlags bit behind the "Password never expires" checkbox
            # (ADS_UF_DONT_EXPIRE_PASSWD in ADS_USER_FLAG_ENUM).
            $ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

            function Get-LocalAdminSid
            {
                # Enumerate local users and return the SID that ends in RID 500: that is the
                # built-in Administrator no matter what the account has been renamed to.
                $adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
                $adsi.PSBase.Children | Where-Object { $_.schemaClassName -eq 'User' } | ForEach-Object {
                    $account = New-Object System.Security.Principal.NTAccount "$($_.Name)"
                    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
                } | Where-Object { $_ -match '-500$' }
            }

            function Get-NTAccountNameFromSid
            {
                Param
                (
                    [string]$sid
                )
                # Translate the SID back to COMPUTER\Name and keep only the account name.
                $id = New-Object System.Security.Principal.SecurityIdentifier $sid
                $account = $id.Translate([System.Security.Principal.NTAccount])
                $account.Value.Split('\')[-1]
            }

            function Get-LocalAdminAccountName
            {
                Get-NTAccountNameFromSid -sid (Get-LocalAdminSid)
            }

            function Set-PasswordAge
            {
                # Reset the password-age counter of the built-in admin.
                # (Kept as a reusable helper; the two calls at the bottom do not use it.)
                $user = [ADSI]"WinNT://$env:COMPUTERNAME/$(Get-LocalAdminAccountName)"
                $user.PasswordAge[0] = 0
                $user.SetInfo()
            }

            function UnsetAdminPWDoesNotExpire
            {
                # Clear the "Password never expires" bit if set, leaving every other UserFlags bit intact.
                $user = [ADSI]"WinNT://$env:COMPUTERNAME/$(Get-LocalAdminAccountName)"
                $userFlags = $user.Get("UserFlags")
                if ($userFlags -band $ADS_UF_DONT_EXPIRE_PASSWD)
                {
                    $user.Put("UserFlags", ($userFlags -bxor $ADS_UF_DONT_EXPIRE_PASSWD))
                    $user.SetInfo()
                }
            }

            function UnsetAdminPWIsExpired
            {
                # PasswordExpired = 1 is the "User must change password at next logon" checkbox.
                # Reset the password age first, then clear the flag.
                $user = [ADSI]"WinNT://$env:COMPUTERNAME/$(Get-LocalAdminAccountName)"
                $pwExpired = $user.Get("PasswordExpired")
                if ($pwExpired)
                {
                    $user.PasswordAge[0] = 0
                    $user.SetInfo()

                    $user.PSBase.InvokeSet("PasswordExpired", 0)
                    $user.SetInfo()
                }
            }

            # The two calls that do the actual work.
            UnsetAdminPWDoesNotExpire
            UnsetAdminPWIsExpired
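The script above remediates; the original question was for a compliance check. The following is an added example, not code from the thread or from BMC: an audit-only PowerShell script that walks every local user through the same ADSI WinNT provider, decodes the "Password never expires" bit from UserFlags, tags the built-in Administrator by RID 500 (so a renamed account is still found) and exits non-zero when any enabled account violates the rule. The function names, the output object shape and the decision to skip disabled accounts by default are my own choices.

```powershell
# Added example: audit-only check for the "Password never expires" compliance rule.
# Uses the ADSI WinNT provider; works on Windows Server 2012 (PowerShell 3.0+).

$ADS_UF_ACCOUNTDISABLE     = 0x2      # UserFlags bit: "Account is disabled"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # UserFlags bit: "Password never expires"

function Get-LocalUserPasswordExpiryState
{
    # One record per local user with the relevant UserFlags bits decoded and the SID
    # resolved, so the built-in Administrator is recognised by RID 500 even if renamed.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $computer.PSBase.Children | Where-Object { $_.schemaClassName -eq 'User' } | ForEach-Object {
        $name  = "$($_.Name)"
        $flags = [int]$_.Get('UserFlags')
        $sid   = (New-Object System.Security.Principal.NTAccount $name).Translate(
                     [System.Security.Principal.SecurityIdentifier]).Value
        [pscustomobject]@{
            Name                 = $name
            Sid                  = $sid
            IsBuiltinAdmin       = [bool]($sid -match '-500$')
            Disabled             = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            PasswordNeverExpires = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
            UserFlags            = ('0x{0:X}' -f $flags)
        }
    }
}

function Get-PasswordNeverExpiresViolations
{
    # Compliance rule: "Password never expires" must be unchecked on every local user,
    # the built-in Administrator included. Returns the offending accounts (nothing when
    # compliant). Disabled accounts are skipped by default because the default Guest
    # account ships with this bit set and would otherwise fail every server.
    param([switch]$IncludeDisabled)

    Get-LocalUserPasswordExpiryState |
        Where-Object { $_.PasswordNeverExpires -and ($IncludeDisabled -or -not $_.Disabled) } |
        Sort-Object IsBuiltinAdmin -Descending
}

# Usage: list the violations and exit non-zero so a compliance job can key off the exit code.
$violations = @(Get-PasswordNeverExpiresViolations)
if ($violations.Count -gt 0) {
    $violations | Format-Table Name, Sid, IsBuiltinAdmin, Disabled, UserFlags -AutoSize
    exit 1
}
Write-Output "Compliant: no enabled local account has 'Password never expires' set."
exit 0
```

Two practical notes. First, the check and the fix belong together: once the bit is cleared on an account whose password is older than the maximum password age in effect, that password is expired immediately, which is the expiry the original poster wants to trigger but which also means the remediation must be scheduled with a password reset in hand. Second, the same information is available without ADSI through WMI, where `Win32_UserAccount` exposes a `PasswordExpires` boolean and the `SID` directly (`Get-WmiObject Win32_UserAccount -Filter "LocalAccount='True'"`); ADSI was kept here only to stay consistent with the remediation script above.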