Expiring Passwords En Masse


By Bryan Keadle


Quick ... you just discovered a security breach in your password security, or you suspect that your user passwords have been compromised somehow. What would you do? Expiring everyone's passwords *now*, so that they'll have to change it on their next login, would be a good step.


I've advocated the use of JRB Utilities (http://www.jrbsoftware.com/)for any en masse needs; it's a powerful, must-have toolkit for being able to automate tasks and doing most anything in your tree en masse.

The above scenario is a perfect example. Here is a 2-line script that will:

1) Create a list of all user accounts that currently have password expiration dates (ped) starting at a named container and down (/x):

getrest .*.VOP ped != none /j /u /y=d /x /l=pswdexp.lst /e=none

2) For each user account listed in the pswdexp.lst (accounts having existing password expirations), set the password expiration date (ped) to today, and log successful changes to pswdexp.og and any errors to pswdexp.err:

setrest @pswdexp.lst ped today /l=pswdexp.log /e=pswdexp.err

In seconds, I've managed to implement this security change procedure.


How To-Best Practice
Comment List