I may also have a request to capture the code to and from AD during this process - more on the steps to do this shortly. I give you my word that this is to be kept between you, me and one Escalation Engineer I know who is helping me figure out how we can best get your script functional without breaking anything. Re: the capture request - I just need the section of code (your Perl script) that handles the AD password stuff.
I'm not sure you can force it to anything else, but I will attempt to find out for you. You should notice that a number of things actually change:
4 dBCSPwd
4 unicodePwd
4 ntPwdHistory
4 pwdLastSet
4 supplementalCredentials
4 lmPwdHistory
I think the source of this operation is in user.c and calls (perhaps) SamDsSetPassword to do the dirty work.
If this isn't somehow changed, then the password would expire per the Password policy on the domain as if it was never changed. You may or may not get this working as expected, and maybe just the unicodePwd and pwdLastSet are all that's really important - but I just wanted you to see for yourself that a password reset using normal methods does more than meets the eye.
We have written a simple Perl script which binds to an AD domain controller and allows AD users to reset their password across multiple systems through one simple interface (Unix, LDAP etc.).
The script modifies the unicodePwd attribute in Active Directory and we've successfully tested that indeed the user account password does change.
So, they simply come to work, no warning, no announcement, no notice and try to login and their computer tells them their password is expired, change it now.
OK, so it is not a huge issue but for some organizations it is one to avoid. It is taking the value in an attribute on the user object called pwdlastset and comparing that to the maxpasswordage applied to that user. If you haven’t seen this yet, that number represents the number of 100 ms ticks since January 1
[datetime]::FromFileTime($user.pwdlastset)
Friday, February 27, 2015 AM
Cool right?
If it wouldn't be too much to ask, can you get a Repadmin output as above on a user account before and then directly after you run your script against it?
I'd like to compare the two so I can see what happens with your script.
Now, with respect to stuffing the pwdLastSet attribute; if you could manage to convert the current date/time to long integer and feed that to the attribute that should work.