I wrote a simple script to aid users moving to a new password policy, users were put on a policy which would expire a password after a day. Once they had changed their password the policy is amended to the new policy. I now use this for forcing password resets. Replace
-- =============================================
-- Author: Christopher Smith
-- Create date: 18/07/2018
-- Description: Implement the new password policy in stages.
-- 1. Change the password policy first to enforce a password change in a short time period
-- 2. Backup and truncate the table [csmaster].[scheme].[pwdhistm]
-- 3. Run this routine nightly, it will pickup users who have changed their password and set the new policy
-- =============================================
-- Change Log:
-- 1.0 - 18/07/2018 - First Version
-- =============================================
-- exec dbo.usp_SageImplementPWPolicy
-- exec [dbo].[usp_ForceSagePWChange] 'csmithte'
-- =============================================
CREATE PROCEDURE [dbo].[usp_SageImplementPWPolicy]
AS
BEGIN
SET NOCOUNT ON;
-- =============================================
print 'Declare Variables and setup'
-- =============================================
declare @spdate1 date
declare @spdate2 int
declare @secgroup char(3)
declare @oldsecgroup char(4)
-- Set variable to 2 days ago
set @spdate1 = CAST(GETDATE() as date)
print @spdate1
-- Convert the date to one which matches the Sage table
set @spdate2 = DATEDIFF(d,'01 jan 1900',@spdate1)
print 'Sage Date Code for Today'
print @spdate2
print 'New user security group'
set @secgroup = ''
set @oldsecgroup = ''
print @secgroup
print @oldsecgroup
-- =============================================
print 'Populate working table'
-- =============================================
select t1.name, dateadd(d,t2."setup",'01 jan 1900') as pw_date, t1.sec_group, 'NO ' as pw_changed into #pwworking
from scheme.[usermastm](nolock) t1
INNER JOIN scheme.passexpm(nolock) t2
on t1.name = t2.user_id
where t1.sec_group = @oldsecgroup
select * from #pwworking
-- =============================================
print 'Check if password recently changed'
-- =============================================
update #pwworking
set pw_changed = 'YES'
where name IN
(select "username" from [csmaster].[scheme].[pwdhistm] group by "username")
select * from #pwworking
-- =============================================
print 'Change security group for those who have a new password on the new policy'
-- =============================================
update scheme.[usermastm]
set sec_group = @secgroup
where name IN (select name from #pwworking where pw_changed = 'YES')
drop table #pwworking
END
GO Below is the code used to force users to enter a new password upon login
USE [csmaster] GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO CREATE procedure [dbo].[usp_ForceSagePWChange] @user char(8) --EXEC usp_ForceSagePWChange '' AS --IF @user = 'ALL' GOTO ALLUSERS --IF @user != 'ALL' GOTO SINGLEUSER BEGIN /*ALLUSERS: update scheme.passexpm set setup = '10001' GOTO FINISH SINGLEUSER:*/ update csmaster.scheme.passexpm set setup = '10001' where user_id = @user update csmaster.[scheme].[usermastm] set [sec_group] = ' ' where name = @user GOTO FINISH FINISH: END