I wrote a simple script to aid users moving to a new password policy, users were put on a policy which would expire a password after a day. Once they had changed their password the policy is amended to the new policy. I now use this for forcing password resets. Replace
-- ============================================= -- Author: Christopher Smith -- Create date: 18/07/2018 -- Description: Implement the new password policy in stages. -- 1. Change the password policy first to enforce a password change in a short time period -- 2. Backup and truncate the table [csmaster].[scheme].[pwdhistm] -- 3. Run this routine nightly, it will pickup users who have changed their password and set the new policy -- ============================================= -- Change Log: -- 1.0 - 18/07/2018 - First Version -- ============================================= -- exec dbo.usp_SageImplementPWPolicy -- exec [dbo].[usp_ForceSagePWChange] 'csmithte' -- ============================================= CREATE PROCEDURE [dbo].[usp_SageImplementPWPolicy] AS BEGIN SET NOCOUNT ON; -- ============================================= print 'Declare Variables and setup' -- ============================================= declare @spdate1 date declare @spdate2 int declare @secgroup char(3) declare @oldsecgroup char(4) -- Set variable to 2 days ago set @spdate1 = CAST(GETDATE() as date) print @spdate1 -- Convert the date to one which matches the Sage table set @spdate2 = DATEDIFF(d,'01 jan 1900',@spdate1) print 'Sage Date Code for Today' print @spdate2 print 'New user security group' set @secgroup = '' set @oldsecgroup = ' ' print @secgroup print @oldsecgroup -- ============================================= print 'Populate working table' -- ============================================= select t1.name, dateadd(d,t2."setup",'01 jan 1900') as pw_date, t1.sec_group, 'NO ' as pw_changed into #pwworking from scheme.[usermastm](nolock) t1 INNER JOIN scheme.passexpm(nolock) t2 on t1.name = t2.user_id where t1.sec_group = @oldsecgroup select * from #pwworking -- ============================================= print 'Check if password recently changed' -- ============================================= update #pwworking set pw_changed = 'YES' where name IN (select "username" from [csmaster].[scheme].[pwdhistm] group by "username") select * from #pwworking -- ============================================= print 'Change security group for those who have a new password on the new policy' -- ============================================= update scheme.[usermastm] set sec_group = @secgroup where name IN (select name from #pwworking where pw_changed = 'YES') drop table #pwworking END GO
Below is the code used to force users to enter a new password upon login
USE [csmaster] GO SET ANSI_NULLS ON GO SET QUOTED_IDENTIFIER ON GO CREATE procedure [dbo].[usp_ForceSagePWChange] @user char(8) --EXEC usp_ForceSagePWChange '' AS --IF @user = 'ALL' GOTO ALLUSERS --IF @user != 'ALL' GOTO SINGLEUSER BEGIN /*ALLUSERS: update scheme.passexpm set setup = '10001' GOTO FINISH SINGLEUSER:*/ update csmaster.scheme.passexpm set setup = '10001' where user_id = @user update csmaster.[scheme].[usermastm] set [sec_group] = ' ' where name = @user GOTO FINISH FINISH: END