After further study, I've decided this cannot be done.
I tried to take advantage of the fact that the Account
Expires attribute (a 64-bit Integer8) can be read as an
Integer8 object, and also as a date. It can also be
assigned a date. If oUser is the user object, using the
    Set oDate = oUser.AccountExpires
creates the oDate object, with HighPart and LowPart
methods that return the 64-bit value as two 32-bit numbers.
However, the account expiration date can be set to a
normal date value with the AccountExpirationDate method:
    oUser.AccountExpirationDate = #10/01/2002#
This gives me a way to convert a normal date to an Integer8
object. The problem is that I cannot assign this object to
another attribute, like PwdLastSet. I get a constraint
violation. I tried:
    oUser.PwdLastSet = oDate
    Set oUser.PwdLastSet = oDate
    oUser.Put "PwdLastSet", oDate
So, the oUser.AccountExpires attribute (and the
oUser.PwdLastSet attribute) are probably methods that
convert the Integer8 value to an object.
Bottom line, I cannot assign any Integer8 attributes to
any values, other than 0 and -1, in VBScript. This
includes the LDAP attributes AccountExpires, PwdLastSet,
LastLogon, LastLogoff, LockoutTime, and BadPasswordTime.
>>Is it possible to set a Win2k AD user account password
>>expire on a specific date?
>In principle I think it could be done, but it would be a
>The domain has one Maximum Password Age policy that
>applies to all users (except those whose password does
>expire, or those that cannot change their password). Each
>user object has a PwdLastSet attribute, representing the
>date and time the password was last set. In principle,
>PwdLastSet + MaxPwdAge equals the date the password
>Challenge 1 is that PwdLastSet is not a replicated
>attribute, so you have to query every domain controller
>the domain for the max value. Challenge 2 is that while
>MaxPwdAge is in days, PwdLastSet is Integer8 (64-bit). I
>think VB (or C) would be required to set a value.
>If the expiration date you desire is sooner than the
>current expiration date for the user, you only have to
>a value for PwdLastSet on one domain controller. The
>would be DesiredExpirationDate - MaxPwdAge. It appears
>that Domain Administrators can set the value, but I have
>not found VBScript code that can set Integer8 values.
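
Added example (not part of the post or the quoted message): the Integer8 arithmetic discussed in this thread, done read-only in Python for auditing when a password will expire. It assumes the Integer8 time values count 100-nanosecond intervals since 1601-01-01 UTC, takes the maximum password age in days as the quoted message describes it, and takes the largest PwdLastSet seen across domain controllers as that message suggests; all function names and sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # Integer8 times count 100-ns intervals

def from_parts(high_part, low_part):
    """Combine HighPart/LowPart into one 64-bit value.
    LowPart is masked because a signed 32-bit reader reports it
    as negative whenever bit 31 is set."""
    return (high_part << 32) | (low_part & 0xFFFFFFFF)

def to_parts(value):
    """Split a 64-bit value into (HighPart, unsigned LowPart)."""
    return value >> 32, value & 0xFFFFFFFF

def integer8_to_datetime(value):
    return EPOCH_1601 + timedelta(microseconds=value // 10)

def datetime_to_integer8(dt):
    delta = dt - EPOCH_1601
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10

def password_expires(pwd_last_set_per_dc, max_pwd_age_days):
    """PwdLastSet + MaxPwdAge, using the largest value reported.
    A value of 0 means the password must be changed at next logon,
    so there is no future expiry date to compute (returns None)."""
    latest = max(pwd_last_set_per_dc)
    if latest == 0:
        return None
    return integer8_to_datetime(latest) + timedelta(days=max_pwd_age_days)

def required_pwd_last_set(desired_expiration, max_pwd_age_days):
    """DesiredExpirationDate - MaxPwdAge, expressed as an Integer8."""
    return datetime_to_integer8(
        desired_expiration - timedelta(days=max_pwd_age_days))

if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: PwdLastSet as read from two domain controllers.
    seen = [datetime_to_integer8(datetime(2002, 8, 1, tzinfo=utc)),
            datetime_to_integer8(datetime(2002, 8, 20, tzinfo=utc))]
    print("expires:", password_expires(seen, 42))
    target = required_pwd_last_set(datetime(2002, 10, 1, tzinfo=utc), 42)
    print("PwdLastSet needed:", target, "parts:", to_parts(target))
```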