Asked by SysAdmin BBS
PowerShell script to Expire all Passwords

I have been tasked with writing a PowerShell script to expire all passwords in the domain as a test.  I have a test environment to use so don't worry.  I haven't been able to get it to run successfully and could use some help.

I have probably botched this script pretty bad, so be kind.  I'm trying to learn scripting for the first time ever.

<#
This script changes the "Password Expired" value (PasswordExpired) to True
for every user object under the test OU.
#>

Clear-Host
$PEValue = $true
# $true to expire the user password
# You cannot un-expire a password after expiring it
# Match user objects only: objectCategory=person together with objectClass=user.
# (The original filter repeated objectCategory, which matches no objects.)
$ObjFilter = "(&(objectCategory=person)(objectClass=user))"
$objOU = New-Object System.DirectoryServices.DirectoryEntry("LDAP://OU=Users,OU=TestEnvironment,DC=mydomain,DC=com")
$objSearch = New-Object System.DirectoryServices.DirectorySearcher
# Use paged results; the domain controller caps each page at its MaxPageSize (1000 by default)
$objSearch.PageSize = 1000
$objSearch.Filter = $ObjFilter
$objSearch.SearchRoot = $objOU
$objSearch.SearchScope = "Subtree"
$AllObj = $objSearch.FindAll()
foreach ($Obj in $AllObj)
{
    $objItemS = $Obj.Properties
    $UserN = $objItemS["name"][0]
    $UserDN = $objItemS["distinguishedname"][0]
    $user = [ADSI] "LDAP://$UserDN"
    # Attempt to set the IADsUser PasswordExpired property; the rest of the
    # thread investigates why this does not take effect
    $user.psbase.InvokeSet("PasswordExpired", $PEValue)
    Write-Host -NoNewLine "Modifying $UserN properties...."
    $user.SetInfo()
    Write-Host "Password has expired!"
}


Accepted solution by yo_bee (content available only to Experts Exchange members).

SysAdmin BBS (asker) replied:
I changed my script to what you suggested, and received no errors.  But I was still able to log in just fine as the user and running this command showed that PasswordExpired: False.

Get-Aduser "test" -properties PasswordExpired

Does anyone know why I can GET the PasswordExpired property with get-aduser, but there is no way to set this with set-aduser?

Thank you.
Are you able to confirm that the attribute changed on the users you ran this against?

Open ADSIEDIT.MSC, find one of the users, get the object properties and look at the userAccountControl attribute.
What does it read?
The user is still 512.
$objUser = [ADSI]"LDAP://CN=<add the users name >,OU=Users,OU=TestEnvironment,DC=mydomain,DC=com"
# 544 = 512 (ADS_UF_NORMAL_ACCOUNT) + 32 (ADS_UF_PASSWD_NOTREQD). This only checks that the
# write path works; revert to 512 afterwards, since PASSWD_NOTREQD allows the account to have
# a blank password that bypasses the domain password policy.
$objUser.Put("userAccountControl", 544)
$objUser.SetInfo()


And see if the value changes.
If so, you may want to confirm that the [ADSI]"LDAP://$UserDN" is parsing correctly.
Okay, the ADSI ldap is parsing correctly at least.  It did set it to 544.  Just cannot set it to the other number.  

Found this info on that setting...

ADS_UF_PASSWORD_EXPIRED
The user password has expired. This flag is created by the system using data from the password last set attribute and the domain policy. It is read-only and cannot be set. To manually set a user password as expired, use the NetUserSetInfo function with the USER_INFO_3 (usri3_password_expired member) or USER_INFO_4 (usri4_password_expired member) structure.

Guess I need to check out that function...
Have you tried running PS as an administrator?
Sorry, also found this article - we are in a Server 2003 domain.

In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, visit the following Web site:

http://msdn2.microsoft.com/en-us/library/ms677840.aspx
Yes, I am running PS as Administrator and Domain Admin, and I enabled RemoteSigned.  

I changed the value in ADSI manually and when I opened it back up it set it back to 512.  I am not sure I completely understand the recommendation of the previous article to use USER_INFO_4 .
Upon further testing I can change every value except for ADS_UF_PASSWORD_EXPIRED.

But I am able to make the change within ADSIEDIT.MSC.
Is it possible to create a script to change it for all users with ADSIEDIT.msc?  I'm not that familiar with scripting that.

Thank you.
A further solution was posted (content available only to Experts Exchange members).
We could not get the proposed solution to work, so I decided to choose another way around it.  I am sure it is possible, but we were not able to complete it.
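Editor's added example, not code from any participant in this thread or from the members-only answers. The documentation quoted above says ADS_UF_PASSWORD_EXPIRED is read-only and is computed from the "password last set" attribute and the domain policy, so the attribute to write is pwdLastSet rather than the flag itself: setting pwdLastSet to 0 is the documented way to mark a password as expired (it is what "User must change password at next logon" does), and it is written with the same ADSI Put/SetInfo path the thread already uses for userAccountControl. The OU path is the one from the question; the dry-run default, the skip rules for disabled and "password never expires" accounts, and the Get-ADUser verification at the end (the asker already had that cmdlet working) are the editor's assumptions.

```powershell
# Expire the password of every enabled user under a test OU by setting pwdLastSet to 0.
# Editor's example; $searchBase is assumed from the question, everything else is illustrative.

$searchBase = "LDAP://OU=Users,OU=TestEnvironment,DC=mydomain,DC=com"   # assumed test OU
$dryRun = $true   # set to $false to actually write; defaults to a no-op for safety

$ADS_UF_ACCOUNTDISABLE     = 0x0002
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

$root     = New-Object System.DirectoryServices.DirectoryEntry($searchBase)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchScope = "Subtree"
$searcher.PageSize    = 1000
[void]$searcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "userAccountControl", "pwdLastSet"))

$changed = @()
foreach ($result in $searcher.FindAll()) {
    $dn  = $result.Properties["distinguishedname"][0]
    $sam = $result.Properties["samaccountname"][0]
    $uac = [int]$result.Properties["useraccountcontrol"][0]

    # Skip disabled accounts and accounts flagged "password never expires" (assumed safeguard):
    # forcing a change on service accounts is how a test like this breaks things.
    if (($uac -band $ADS_UF_ACCOUNTDISABLE) -or ($uac -band $ADS_UF_DONT_EXPIRE_PASSWD)) {
        Write-Host "Skipping $sam (userAccountControl=$uac)"
        continue
    }

    if ($dryRun) {
        Write-Host "[dry run] would expire the password for $sam"
        continue
    }

    $user = [ADSI]"LDAP://$dn"
    # pwdLastSet = 0 marks the password as expired ("user must change password at next logon").
    # Writing -1 instead would stamp it with the current time, i.e. un-expire it.
    $user.Put("pwdLastSet", 0)
    $user.SetInfo()
    $changed += $sam
    Write-Host "Expired password for $sam"
}

# Verification: the computed flag the asker was reading should now be True.
foreach ($sam in $changed) {
    $u = Get-ADUser $sam -Properties PasswordExpired, pwdLastSet
    if (-not $u.PasswordExpired) {
        Write-Warning "$sam still reports PasswordExpired=False (pwdLastSet=$($u.pwdLastSet))"
    }
}
```

Run it once with `$dryRun = $true` to see which accounts would be touched, then flip it to `$false` in the test domain. Because the flag is computed, nothing writes PasswordExpired directly; the verification loop reads it back through Get-ADUser after pwdLastSet has been changed.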