By Bryan Keadle
Quick … you just discovered a security breach in your password security, or you suspect that your user passwords have been compromised somehow. What would you do? Expiring everyone’s passwords *now*, so that they’ll have to change it on their next login, would be a good step.
I’ve advocated the use of JRB Utilities (http://www.jrbsoftware.com/)for any en masse needs; it’s a powerful, must-have toolkit for being able to automate tasks and doing most anything in your tree en masse.
The above scenario is a perfect example. Here is a 2-line script that will:
1) Create a list of all user accounts that currently have password expiration dates (ped) starting at a named container and down (/x):
getrest .*.VOP ped != none /j /u /y=d /x /l=pswdexp.lst /e=none
2) For each user account listed in the pswdexp.lst (accounts having existing password expirations), set the password expiration date (ped) to today, and log successful changes to pswdexp.og and any errors to pswdexp.err:
setrest @pswdexp.lst ped today /l=pswdexp.log /e=pswdexp.err
In seconds, I’ve managed to implement this security change procedure.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.