windows - ADSI 是否可以用于为首次登录需要更改的 Windows 帐户设置密码

Question

我有这个 PowerShell 脚本的修改版本:https://social.technet.microsoft.com/Forums/scriptcenter/en-US/355d9293-e324-4f60-8eed-18bcc6d67fc0/adsiwinntcomputeradministratoruser-with-alternate-credentials?forum=ITCG

当尝试更改具有首次登录要求的帐户的密码时失败(我可以使用 ctrl+alt+del 提示手动更改密码，但将经常运行它以对图像进行 VM 测试)。重要的部分是:

Invoke-Command -ComputerName $ComputerName -Credential $Credential -ErrorVariable e -ArgumentList $ComputerName,$NewPassword,$User -ScriptBlock {
            Param($ComputerName,$NewPassword,$User)
            $Account = [ADSI]"WinNT://$ComputerName/$User,user"
            $Account.PwdLastSet = 0
            $Account.SetInfo()
            $Account.SetPassword($NewPassword)
            $Account.SetInfo()
            $e
        }

当我为一个不需要在首次登录时进行更改的帐户运行此命令时，它会成功完成:

> Change-LocalPassword -User 'TestAccount' -Credential $wincred -OldPassword $OP -NewPassword $NP -ComputerName $computerName
Info::Change-LocalPassword::Changing password from <old> to <new>
Info::Change-LocalPassword::Service WinRM is already running on Localhost
Info::Change-LocalPassword::Trusted Hosts Value is: <computer>
Info::Change-LocalPassword Invoking Command: [adsi]WinNT://<computer>/TestAccount,user
True

运行需要首次登录的账户时:

Change-LocalPassword -User $Config.win_user -Credential $wincred -OldPassword $Config.winog_passwd -NewPassword $Config.win_passwd -ComputerName $computerName
Info::Change-LocalPassword::Changing password from <old> to <new>
Info::Change-LocalPassword::Service WinRM is already running on Localhost
Info::Change-LocalPassword::Trusted Hosts Value is: <computer>
Info::Change-LocalPassword Invoking Command: [adsi]WinNT://<computer>/<user>,user
[computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see
the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (<computer>:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
-Message Error::Change-LocalPassword::Could not set password for <user> on <computer> [computer] Connecting to remote server <computer> failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic.
False

本地管理员帐户是机器上唯一的帐户，并且未加入域。有没有其他人遇到过这个并确定了解决方案？

Answer 1

添加密码永不过期用户标志:

$Account = [ADSI]"WinNT://$ComputerName/$User,user"
        $Account.UserFlags = 65536
        $Account.PwdLastSet = 0
        $Account.SetInfo()
        $Account.SetPassword($NewPassword)
        $Account.SetInfo()

如果您还想添加“用户无法更改密码”，请用这一行替换上面的行:

$Account.UserFlags = 64 + 65536