WinBatch Tech Support Home

Database Search

If you can't find the information using the categories below, post a question over in our WinBatch Tech Support Forum.

TechHome

ADSI
plus

Can't find the information you are looking for here? Then leave a message over on our WinBatch Tech Support Forum.

Error 1062 Constraint Violation Setting pwdLastSet Property


Question:

I have some code so the helpdesk can extend users password expiration dates. It works fine until I try to set the new date with dsSetProperty. At this point I get the 1062 error mentioned above. Anyone have any ideas? Here is the code:
addextender("wwads34i.dll")
addextender("wwwnt34i.dll")

domain1 = "A"
domain2 = "P"
;Admin account to perform AD functions
adminln = "cn=Admin,cn=Users,dc=P,dc=com"
adminps = "password"
;Number of days before passwords expire
passexpire = 90
;Number of days left before password expires to prompt for change
threshold = 100

uname = AskLine("Need input","Please enter the account you are interested in:","")

;Set AD Credentials
dsSetCredent(adminln, adminps)

;Check for AD existence
ADPath = "LDAP://A.P.COM/ou=Users,ou=X,DC=A,DC=P,DC=com"
if !(dsIsObject(ADPath)) 
goto goodbye
endif

;Get path of Users AD account in AD
errormode(@off)
sAdsiPath = "LDAP://A.P.COM/ou=Users,ou=X,DC=A,DC=P,DC=com"
sUser = dsFindPath(sAdsiPath, "(sAMAccountName=%uname%)")
errormode(@cancel)
lasterr = lasterror()
if (lasterr != 0)
message("Error","Error #%lasterr% occured while finding the username in AD")
goto goodbye
endif


;Is User account < X days from expiration
errormode(@off)
Rlastset = dsGetProperty(sUser, "pwdLastSet")
errormode(@cancel)
lasterr = lasterror()
if (lasterr != 0)
message("Error","Error #%lasterr% occured while requesting the password expiration date from AD")
goto goodbye
endif
Rcurrenttime = TimeYmdHms()
lastset = strfixchars(Rlastset,"",10)
currenttime = strfixchars(Rcurrenttime,"",10)
timedif = TimeDiffDays(currenttime,lastset)
expire = (passexpire - timedif)
;expire = 5
expiredate = TimeAdd(Rcurrenttime,"0000:00:%expire%:00:00:00")
year = ItemExtract(1,expiredate,":")
month = ItemExtract(2,expiredate,":")
day = ItemExtract(3,expiredate,":")
if (expire > threshold)
Message("User %uname%'s","Password will expire in %expire% days, on %month%/%day%/%year%.")
goto goodbye
endif
if (expire <= threshold)
if (expire > 0) && (expire < threshold)
fix = AskYesNo("User %uname%'s","Password will expire in %expire% days, on %month%/%day%/%year%. Do you want to change the expiration date?")
endif
if (expire <= 0 )
fix = AskYesNo("User %uname%'s","Password has expired. Do you want to change the expiration date?")
endif
if fix == @NO
goto goodbye
endif
if fix == @YES
list = StrCat("15",@tab,"30",@tab,"45",@tab,"90")
A = AskItemList("Select the number of days to extend the current password", list, @tab, @sorted, @single)
addtime = "0000:00:%A%:00:00:00"
newdate = TimeAdd(expiredate,addtime)
;This line will change AD pwdLastSet variable to new value
dsSetProperty(sUser, "pwdLastSet", newdate)
newdate2 = strfixchars(newdate,"",10)
year = ItemExtract(1,newdate2,":")
month = ItemExtract(2,newdate2,":")
day = ItemExtract(3,newdate2,":")
Message("Password extended!","%uname%'s password will now expire on %month%/%day%/%year%.")
endif

:goodbye
exit 

Answer:

You can only set this property to 0 or -1 from a script. 0 forces the user to change the password next login and -1 either restores the last date or reset the date to the current time if the properly was set to 0.

The documentation for that property states:

To force a user to change their password at next logon, set the pwdLastSet attribute to zero (0). To remove this requirement, 
set the pwdLastSet attribute to -1. The pwdLastSet attribute cannnot be set to any other value except by the system.
http://msdn.microsoft.com/library/en-us/adsi/adsi/user_must_change_password_at_next_logon.asp?frame=true
Article ID:   W16311
File Created: 2005:02:18:12:19:46
Last Updated: 2005:02:18:12:19:46