How can I configure Active Directory to make passwords expire at midnight?

I don't believe that is possible without manually changing the PwdLastSet attribute within ADSI Edit, which I wouldn't recommend doing.

The value is stored in 100-nanosecond intervals since 12:00 am January 1, 1601. However, your only options to edit the attribute are to set it to 0 (password is now expired and user must reset), or -1 (value for PwdLastSet is changed to the current date/time).

As mentioned in comments, you would need to set the value to 0 first, then set it to -1.

You could potentially write a script to update the attribute to -1 at midnight on a given day for all users. However, this would set all your users' passwords to expire at midnight in N days (N being your domain password policy max age setting). This could potentially extend the max age of a password.

What is your goal in setting the password to expire at midnight?


Windows simply doesn't support the concept of a "password expiry time" that applies globally. You also cannot set the time, except to say it is expired now, or that it was just changed. However, what you could do is write a script using command-line AD tools or PowerShell that runs nightly: it can query AD for users with passwords due to expire in less than 24h (pwdLastSet is older than one day less than your password max age days), and set it to -1 (the password is expired). This would avoid extending password life unintentionally, and also avoid midday password expiration.

There are also third-party tools that can do this kind of thing for you. For instance, one feature of Hitachi ID Password Manager allows you to pop up a web browser in which the user must change their password or else be logged out, and you can set this to happen an arbitrary number of days in advance of the actual expiration.
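A worked version of the nightly job described above, added here as an example and not taken from either answer: it uses the ActiveDirectory module to find enabled users whose password would expire in the next 24 hours and writes pwdLastSet = 0 (the "expired now" value from the first answer) so they expire when the job runs. It assumes the default domain password policy applies to everyone (no fine-grained password policies), that a scheduled task runs it at 00:00, and that the `-Apply` switch is a name chosen for this script.

```powershell
# Added example: nightly job that expires, at the moment it runs, every password
# that would otherwise expire at some point during the next 24 hours.
# Assumptions: ActiveDirectory module present, default domain policy only
# (no fine-grained password policies), scheduled via Task Scheduler at 00:00.
param([switch]$Apply)   # without -Apply the script only reports (WhatIf mode)

Import-Module ActiveDirectory

$maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($maxAge -eq [TimeSpan]::Zero) {
    throw "Domain policy has no maximum password age; nothing to do."
}

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
# A password last set before $cutoff expires somewhere in the next 24 h.
$cutoff         = (Get-Date).ToUniversalTime() - $maxAge + [TimeSpan]::FromDays(1)
$cutoffFileTime = $cutoff.ToFileTimeUtc()

# Only enabled accounts whose password can actually expire, and which are not
# already flagged "must change password at next logon" (pwdLastSet = 0).
$candidates = Get-ADUser -Filter {
    Enabled -eq $true -and PasswordNeverExpires -eq $false -and
    pwdLastSet -gt 0 -and pwdLastSet -lt $cutoffFileTime
} -Properties pwdLastSet, PasswordNeverExpires

foreach ($u in $candidates) {
    $lastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
    $expires = $lastSet + $maxAge
    Write-Host ("{0,-25} last set {1:u}  would expire {2:u}" -f
                $u.SamAccountName, $lastSet, $expires)

    # 0 = password expired now (user must change it at next logon).
    # Writing -1 instead would stamp it "just changed" and extend its life,
    # which is exactly the side effect the answers above warn about.
    Set-ADUser -Identity $u -Replace @{ pwdLastSet = 0 } -WhatIf:(-not $Apply)
}
```

Run it once without `-Apply` and check the report before scheduling it; if any users are covered by a fine-grained password policy, their max age must be read with Get-ADUserResultantPasswordPolicy instead of the domain default.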