Manually editing an AD user account expiration date?
I'd like to test a password reset product but need to have expired passwords to do so.
How can I manually set an expiration date for the password, without clicking "must change password"? (since that is technically a different workflow)
Solution 1:
Account expiration and password expiration are not the same thing.
Account expiration is a set point in time, after which the account expires - same effect as disabling an account. Authentication fails, even after the password is reset.
Password expiration is not explicitly set on the object, but occurs during authentication when the following conditions are true (the first three values are NT FileTime intervals):

maxPwdAge > 0 && (now() - pwdLastSet > maxPwdAge && !UF_DONT_EXPIRE_PASSWORD)
Where pwdLastSet is the time the account password was last changed, and maxPwdAge is the Maximum Password Age in effect for the account.
When you click "must change password", the pwdLastSet attribute is set to 0, which means that the middle part of the above statement is true at any time after September 27th 1603.
So no, it really is the exact same thing - checking "Must change password" and expiring a password manually.
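As an added example that is not part of either answer, here is the condition Solution 1 describes evaluated in Python on raw attribute values, including the pwdLastSet = 0 case that "must change password" produces. It assumes maxPwdAge is read from the domain object, where AD stores it as a negative FILETIME interval, and that UF_DONT_EXPIRE_PASSWORD is the 0x10000 bit of userAccountControl; the sample policy and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
UF_DONT_EXPIRE_PASSWORD = 0x10000  # userAccountControl flag bit


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, using integer maths to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_from_ymd(year, month, day):
    """FILETIME for midnight UTC on the given date."""
    return datetime_to_filetime(datetime(year, month, day, tzinfo=timezone.utc))


def filetime_to_date(ft):
    """ISO date for a FILETIME value, e.g. 0 -> '1601-01-01'."""
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).date().isoformat()


def password_expired(pwd_last_set, max_pwd_age, user_account_control, now_ft):
    """Evaluate the answer's condition on raw attribute values:
        maxPwdAge > 0 && (now() - pwdLastSet > maxPwdAge && !UF_DONT_EXPIRE_PASSWORD)
    AD stores the domain's maxPwdAge as a negative interval, hence abs(); 0 means the
    policy never expires passwords. pwdLastSet == 0 (what "must change password"
    writes) satisfies the age check for any 'now' later than epoch + maxPwdAge."""
    max_age = abs(max_pwd_age)
    dont_expire = bool(user_account_control & UF_DONT_EXPIRE_PASSWORD)
    return max_age > 0 and (now_ft - pwd_last_set > max_age) and not dont_expire


def password_expiry_date(pwd_last_set, max_pwd_age):
    """Date on which a password set at pwd_last_set reaches maxPwdAge."""
    return filetime_to_date(pwd_last_set + abs(max_pwd_age))


if __name__ == "__main__":
    # Constructed sample values: a 42-day policy evaluated on 2024-01-15 UTC.
    now = filetime_from_ymd(2024, 1, 15)
    policy = -42 * TICKS_PER_DAY
    normal = 0x200  # NORMAL_ACCOUNT
    print(password_expired(filetime_from_ymd(2023, 12, 1), policy, normal, now))  # True
    print(password_expired(0, policy, normal, now))                               # True (must-change)
    print(password_expired(0, policy, normal | UF_DONT_EXPIRE_PASSWORD, now))     # False
    print(password_expiry_date(0, -999 * TICKS_PER_DAY))                          # 1603-09-27
```

The last line reproduces the answer's 1603 date: the FILETIME epoch plus the 999-day maximum that the Maximum Password Age policy allows.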
Solution 2:
The account expiration is stored in the accountExpires attribute of the user's LDAP record.
There is an existing StackOverflow topic on how to modify this attribute: PowerShell Add 1 day to the AccountExpire attribute of an AD user