Configuring User Account Passwords
Microsoft® Windows® 2000 Scripting Guide
User account passwords provide a critical barrier against unauthorized access to computing resources. In most network environments, it is unacceptable to create user accounts without initial passwords. Doing so leaves the user account vulnerable to initial logon by an unauthorized user. After all, to log on to a domain, you only need two things: a valid user account and the password for that user account. If the account does not have a password, the unauthorized user needs only to guess the user account name to obtain network access.
Therefore, the next step in the life cycle of creating user accounts is assigning an initial password. You can assign initial passwords to user accounts immediately after creating them, and you can configure other password attributes to control whether the user will be required to change the password at initial logon.
By default, user accounts are disabled when they are created unless they are specifically enabled in the script. For information about enabling a user account object with a script, see "Enabling or Disabling a User Account" later in this chapter.
The unicodePwd attribute of each user account object contains the password. The password is an octet string stored in Unicode format and encoded with one-way format (OWF). The operating system can read the password, but you cannot use a script to decode the password to plain text. If a user forgets his or her password, there is no way for you to query the system and retrieve that password.
You can, however, use a script to set or change a password. The two methods in the IADsUser interface for assigning passwords to user accounts are SetPassword and ChangePassword. The SetPassword method is used to reset a forgotten password or to set a password immediately after a user account is created. The SetPassword method requires administrator credentials, and the method performs a replace operation.
The ChangePassword method enables users to change their password. Unlike SetPassword, ChangePassword requires the current password and a new value in order to assign a new password. This is because the ChangePassword method must perform both a delete and an add operation. The delete operation requires the current password, and the add operation requires the new password.
Table 7.3 and Table 7.4 in the following task sections contain the arguments that must be included when the SetPassword or ChangePassword method is called.
A password cannot be assigned until after you use the SetInfo method to commit a user account to Active Directory. In contrast, other user account attributes, such as the streetAddress attribute, can be stored in the local property cache before the user account is committed to Active Directory.
In contrast with Active Directory user accounts, strict password policy configured for local user accounts on Windows 2000 nondomain controllers requires that SetPassword be called prior to SetInfo.
Regardless of which password assignment method you employ in your scripts, the password you assign must comply with password policies or the script will fail. If, for example, the Minimum password length policy setting is five characters and you attempt to assign a password that is three characters long, the following error message appears:
The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.