Solved

How to make a password expire now?

Posted on 2010-08-24
Last Modified: 2012-05-10
Hi experts!

I know how to reset a password and force the user to change his password at next logon. This is NOT what I am looking for here.

For testing purposes I need to make a single domain user account's password expire at a given time without changing the whole password policy. Is there a way?
The net user /expire switch is not meant for passwords but for accounts.

The domain functional level is 2008 if of interest, so PSOs could be one solution. Any other solution?
0
Question by:McKnife
5 Comments
 
LVL 39

Assisted Solution

by:Krzysztof Pytko
Krzysztof Pytko earned 150 total points
ID: 33509125
The simplest way is the PSO. Modifying the password-expires stamp in the user's object is not so simple.
0
 
LVL 7

Assisted Solution

by:gnegrota
gnegrota earned 150 total points
ID: 33509344
0
 
LVL 85

Accepted Solution

by:
oBdA earned 200 total points
ID: 33509403
PSOs are actually the only solution (unless you create a scheduled task that sets the password to "expired" on a certain date, but that's sort of "cheating", at least if you want to test the password policy).
The password expiration date is calculated dynamically based on the PwdLastSet AD attribute and maxPwdAge. For security reasons, only System is allowed to change PwdLastSet to an actual date; the only changes allowed when programmatically changing this attribute are 0 (password expired, user must change it) and -1 (password set today, user is not required to change it).
0
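
The accepted answer's point (expiry is pwdLastSet plus the maximum password age, and a PSO is the way to change that age for one account) can be scripted as below. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module, PowerShell 3.0 or later and rights to create PSOs, and the function name, PSO naming scheme and `testuser` are hypothetical.

```powershell
# Added example: make one test user's password expire at a chosen time via a dedicated PSO.
# Assumption: ActiveDirectory module available; names below are hypothetical.
Import-Module ActiveDirectory

function Set-TestPasswordExpiry {
    param(
        [Parameter(Mandatory = $true)] [string]   $User,      # sAMAccountName of the test account
        [Parameter(Mandatory = $true)] [datetime] $ExpireAt,  # local time the password should expire
        [string] $PsoName    = "PSO-ExpiryTest-$User",        # hypothetical naming scheme
        [int]    $Precedence = 1                              # lowest value wins over other PSOs
    )

    $u = Get-ADUser -Identity $User -Properties pwdLastSet, PasswordNeverExpires
    if ($u.PasswordNeverExpires) { throw "$User has 'password never expires' set; the maximum age is ignored." }
    if ($u.pwdLastSet -eq 0)     { throw "$User has pwdLastSet = 0 (password already expired)." }

    # Expiry = pwdLastSet + maximum age, so the PSO needs a maximum age of ExpireAt - pwdLastSet.
    $lastSet = [datetime]::FromFileTime($u.pwdLastSet)
    $maxAge  = $ExpireAt - $lastSet
    if ($maxAge -le [timespan]::Zero) { throw "Target time is not after pwdLastSet ($lastSet)." }

    # Copy every other setting from the domain policy so only the maximum age differs.
    $d = Get-ADDefaultDomainPasswordPolicy
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence $Precedence `
        -MaxPasswordAge $maxAge -MinPasswordAge ([timespan]::Zero) `
        -MinPasswordLength $d.MinPasswordLength -PasswordHistoryCount $d.PasswordHistoryCount `
        -ComplexityEnabled $d.ComplexityEnabled `
        -ReversibleEncryptionEnabled $d.ReversibleEncryptionEnabled `
        -LockoutThreshold $d.LockoutThreshold -LockoutDuration $d.LockoutDuration `
        -LockoutObservationWindow $d.LockoutObservationWindow
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $u

    # Read back which PSO applies and the expiry time the DC now computes for this user.
    $check = Get-ADUser -Identity $User -Properties 'msDS-UserPasswordExpiryTimeComputed'
    [pscustomobject]@{
        User           = $User
        PwdLastSet     = $lastSet
        AppliedPso     = (Get-ADUserResultantPasswordPolicy -Identity $User).Name
        ComputedExpiry = [datetime]::FromFileTime($check.'msDS-UserPasswordExpiryTimeComputed')
    }
}

# Example call with constructed values:
# Set-TestPasswordExpiry -User testuser -ExpireAt (Get-Date).AddDays(1)
```

Remove the subject and the PSO after the test (`Remove-ADFineGrainedPasswordPolicySubject`, `Remove-ADFineGrainedPasswordPolicy`) so the account falls back to the domain policy.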
 
LVL 55

Author Comment

by:McKnife
ID: 33509486
The vbscript could be interesting, however, the window title is password reset script - what does it do? After finding the test user, it says "User found: choose which one to reset pw to default"
1. testuser

If I choose 1, it simply starts over and the attribute password last set does not change - is this expected? Did you ever use this script yourself?
0
 
LVL 55

Author Comment

by:McKnife
ID: 33509902
You know what?
Never mind.

The PSO solution is OK and, to be honest, it was not until writing down the question that I came up with the same thought; that's why it appears late, in the final sentence.

I will divide the points.
0
