Must create PowerShell script to change Password Expiry and Date to change next password

active-directory powershell password-management

I've been tasked with creating a script that reads in a file a list of Active Directory user IDs and then clears the flag for Password Never Expires. In addition, my security officer doesn't want the 500 users that have this setting to have their password immediately have to be reset, so he wanted the default Domain Policy of 90 days to be attributed at the time that the script is ran, so the user falls into the usual password rotation.

I've been trying to create a PowerShell script to do just that and am running into issues. Admittedly, I'm not the best at PowerShell so I'd appreciate some input.

I've got the flag to clear, but changing the PwdLastSet to -1 is proving to be tricky. I think it might be because I don't know how to read in a file and do two "ForEach-Object" commands from reading in a file. Could someone please look?

Import-CSV PasswordExpiry.csv | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$false}

ForEach-Object {  
 $samaccountname = $_.SamAccountName  
  $today = Get-Date  

  $lastchange = [datetime]::FromFileTime($_.pwdlastset[0])  

  $timediff = New-TimeSpan $lastchange $(Get-Date)  

      $hoursdiff = $timediff.TotalHours  

  if ($hoursdiff -lt $hourschange_sincePwdChange) {  
    $todouser = Get-ADUser $samaccountname -Properties pwdLastSet  

    $todouser.pwdLastSet = 0  
    Set-ADUser -Instance $todouser  

    $todouser.pwdLastSet = -1  
    Set-ADUser -Instance $todouser  

          }  

}

I get several positional parameter errors saying that it cannot accept the argument $null, but I'm not sure where I'm wrong.


AD will not let you change the date a password was last reset, except to 0 (which will force a password change at next login). To do that, you can't set the PwdLastSet manually, you have to use something like the following snippet:

Set-ADUser -Identity JoeBlow -ChangePasswordAtNextLogon $true

Give up, because you cannot (directly) modify the pwdLastSet attribute of a user. That attribute may only be set by the System (the Directory Services Engine) itself. (ERROR_DS_ATTRIBUTE_OWNED_BY_SAM)

See Microsoft doc MS-ADTS for more information.


I was able to accomplish this with the following:

Import-Module ActiveDirectory

$ADUserParams=@{ 
'Searchbase' = 'OU=Users,OU=Testing,OU=IT,OU=XXX,DC=XXX,DC=local' 
'Filter' = '*' 
'Properties' = 'cn','sn','givenname','displayName','mail','description','UserPrincipalName', 'employeeNumber', 'profilepath', 'title' 
}

$ADUsers = Get-ADUser @ADUserParams 
ForEach ($ADUser in $ADUsers) { 
    $ADUser = Get-ADUser $ADUser -properties pwdlastset 
    $ADUser.pwdlastset = 0 
    Set-ADUser -Instance $ADUser 
    $ADUser.pwdlastset = -1 
    Set-ADUser -instance $ADUser 
}

Taken from here

Related

nginx as load balancer: Can it return to the client which app server the request was sent to?
Which E-Mail software generates these spammy mails?
Cannot remove mount option "discard" on an ext4 file system
New implementation of home and department shares; help me get it right the first time?
How Do I Reach Local Subnet Behind Tinc VPN
How can I find out the storage type of an EC2 instance's root volume (SSD vs. magnetic)?
Adding an Active Directory to a computer-local group - which scope to choose?
Can NFS server limit the amount of disk space that the NFS client can use?
What happens to a daemon without a "K" link in /etc/rcX.d/
Postfix rejects an outgoing email with multiple destinations due to one invalid address
Broken RabbitMQ cluster wont 'restart
Nginx / PHP-FPM = Blank pages