Powershell : Force Password change for group members

Hi EE

We do not have a global password change policy in our domain for various reasons, but we have the need to force 20k or so users to change their password every 90 days. We currently have a VBS script task that checks for members of a certain group and, if they have not changed their password in 90 days, it prompts them to change it.

Has anyone set this up with a PowerShell script? That is, the script checks the members of a group and, if they have not changed their password in 90 days, it forces the password change.
MilesLogan asked:

Mike Kline commented:
I'll try to test in my lab and come up with something after the family goes to bed.

However, is your domain functional level at 2008?  If so you can use fine-grained password policies and have a policy (PSO) apply to just a group.  It is not all or nothing like it was in 2003/2000.

Thanks

Mike
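The PSO approach Mike describes, as an added example written for this thread (it is not Mike's code and not part of the original answers). It assumes the RSAT ActiveDirectory module and a domain functional level of 2008 or higher, which the asker does not yet have; the group name and PSO name are hypothetical placeholders.

```powershell
# Added example, not Mike's or the thread's code: apply a 90-day maximum
# password age to one group via a fine-grained password policy (PSO).
# Assumes the RSAT ActiveDirectory module and domain functional level 2008+;
# the group and PSO names below are hypothetical.
Import-Module ActiveDirectory

$GroupName = 'PasswordRotation-90d'    # hypothetical; PSO subjects must be global security groups or users
$PsoName   = 'PSO-MaxPasswordAge-90d'  # hypothetical PSO name

# Create the PSO. Precedence decides which PSO wins if several apply to one
# user (lower value wins); any PSO overrides the Default Domain Policy.
New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -Description 'Forces a password change every 90 days for the subject group'

# Link the PSO to the group; every direct and nested member inherits it,
# so no scheduled script is needed to enforce the age limit.
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $GroupName

# Verification: show the policy the domain actually applies to each member.
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User           = $_.SamAccountName
            EffectivePso   = if ($pso) { $pso.Name } else { '(Default Domain Policy)' }
            MaxPasswordAge = if ($pso) { $pso.MaxPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge }
        }
    } | Format-Table -AutoSize
```

The verification step matters because a user who is a member of several groups with PSOs attached gets only the lowest-precedence PSO; checking the resultant policy per user confirms the 90-day age actually applies rather than assuming it from group membership.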
MilesLogan (author) commented:
Thanks Mike .. I wish .. We have a way to go to get to functional level 2008, still at 2003.
VirastaR (UC Tech Consultant) commented:
Hi,

Check this...

Active Directory Management with PowerShell in Windows Server 2008 R2
https://www.simple-talk.com/content/print.aspx?article=868

Set-ADDefaultDomainPasswordPolicy
http://technet.microsoft.com/en-us/library/ee617251.aspx

Hope that helps  :)
Subsun commented:
Using password policies is the recommended and flawless option. But if you want to do it using PowerShell you need to schedule the script to check the users daily (or as per your requirement).. With the Quest AD tools, it's quite simple..

Try something like..

Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90 | Set-QADUser -UserMustChangePassword $true

MilesLogan (author) commented:
awesome .. thanks Subsun .. would it be too difficult to add the options below?

- If the account has the "password never expires" flag selected, the script unchecks it first?

- The script outputs a daily report of the sAMAccountNames that were forced to change the password?
Subsun commented:
Try...
# -PasswordNeverExpires:$false keeps only accounts whose password CAN expire
$Users = Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90 -PasswordNeverExpires:$false
If ($Users -ne $null){
	# Daily report of the accounts that are about to be forced
	$Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-Date -f dd-MM-yyyy).csv" -NoTypeInformation
	# Set "User must change password at next logon"
	$Users | Set-QADUser -UserMustChangePassword $true
}

Subsun commented:
I didn't read..
- If the account has the "password never expires" flag selected, the script unchecks it first?

Check this...
$Users = Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90
If ($Users -ne $null){
	# Daily report of the accounts that are about to be forced
	$Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-Date -f dd-MM-yyyy).csv" -NoTypeInformation
	# Clear "Password never expires" first, where it is set
	$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
	# Then set "User must change password at next logon"
	$Users | Set-QADUser -UserMustChangePassword $true
}

MilesLogan (author) commented:
Hi Subsun ...

- If the account has the "password never expires" flag selected, the script unchecks it first?
Yes .. it needs to uncheck it first or it won't work.
Subsun commented:
Did you check my last code? It should work as expected...
MilesLogan (author) commented:
Hi Subsun .. It works great, but if the password never expires option is checked, it does not uncheck it and forces the password change.. All other options work great!

I tried this and it did not work on accounts that had the option checked ..

$Users = Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90
If ($Users -ne $null){
      # Daily report of the accounts that are about to be forced
      $Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-Date -f dd-MM-yyyy).csv" -NoTypeInformation
      # Clear "Password never expires" first, where it is set
      $Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
      # Then set "User must change password at next logon"
      $Users | Set-QADUser -UserMustChangePassword $true
}
Subsun commented:
The following line should take care of it..

$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false

I just tested and it did uncheck the PasswordNeverExpires option..

Can you run the command against one user and see if it works?

Get-QADUser UserA | Set-QADUser -PasswordNeverExpires $false

MilesLogan (author) commented:
hi Subsun ..

This works by itself on one account ..
Get-QADUser UserA | Set-QADUser -PasswordNeverExpires $false


but when in the script .. it does not .. it skips those accounts that have the PasswordNeverExpires option checked ..

$Users = Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90
If ($Users -ne $null){
      # Daily report with extra columns for troubleshooting
      $Users | Select SamAccountName,Name,lastLogonTimestamp,PasswordLastSet | Export-Csv "e:\Projects\90\PasswordChangelog-$(Get-Date -f dd-MM-yyyy).csv" -NoTypeInformation
      # Clear "Password never expires" first, where it is set
      $Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
      # Then set "User must change password at next logon"
      $Users | Set-QADUser -UserMustChangePassword $true
}
Subsun commented:
Does the PasswordChangelog contain those users?
MilesLogan (author) commented:
No, the log only contains the users it modified.
Subsun commented:
That means the following code is not pulling the users who have PasswordNeverExpires set to $True:
Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90

What you get for..
Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90 | ?{$_.PasswordNeverExpires -eq $True} 

MilesLogan (author) commented:
Hi SubSun

Correct .. the line below does not work ..

Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90 | ?{$_.PasswordNeverExpires -eq $True}
Subsun commented:
Check PasswordLastSet time for the accounts and see if they are 90 days old...
Get-QADUser -MemberOf "Test5" | ?{$_.PasswordNeverExpires -eq $True} | Select Name,PasswordLastSet

MilesLogan (author) commented:
They are .. these accounts have not changed the pwd since 2008 ...

How about if we disregard the password age and just set it so that the script checks every account in the group and unchecks the PasswordNeverExpires option if it's checked?
MilesLogan (author) commented:
This does work ..

Get-QADUser -MemberOf "Test5" | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
Subsun commented:
That will not check the password age..

Try this..
# Filter on the PasswordLastSet date instead of -PasswordNotChangedFor
$Users = Get-QADUser -MemberOf "Your Group" | ?{$_.PasswordLastSet -le (Get-Date).AddDays(-90)}
If ($Users -ne $null){
	# Daily report of the accounts that are about to be forced
	$Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-Date -f dd-MM-yyyy).csv" -NoTypeInformation
	# Clear "Password never expires" first, where it is set
	$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
	# Then set "User must change password at next logon"
	$Users | Set-QADUser -UserMustChangePassword $true
}

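The same procedure as the accepted script above, rewritten with the Microsoft ActiveDirectory module instead of the Quest cmdlets, as an added example for this thread (not Subsun's code). It keeps the order the thread arrived at (report, clear "Password never expires", then force the change), filters on the PasswordLastSet date rather than a password-age switch, and additionally skips accounts that are disabled or already flagged to change at next logon. The group name "Test5" is taken from the thread; the report folder C:\Temp is a hypothetical path.

```powershell
# Added example, not the thread's code: ActiveDirectory-module version of the
# accepted approach. Selects members of one group whose password is older than
# 90 days, clears "Password never expires" where set, forces a change at next
# logon, and writes a daily CSV report.
# Assumes the RSAT ActiveDirectory module; 'Test5' is the group from the thread,
# C:\Temp is a hypothetical report folder.
Import-Module ActiveDirectory

$GroupName  = 'Test5'
$MaxAgeDays = 90
$ReportPath = "C:\Temp\PasswordChangelog-$(Get-Date -Format 'dd-MM-yyyy').csv"
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Expand nested membership and keep only user objects (groups and computers are skipped).
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$targets = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.DistinguishedName `
        -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet, Enabled

    # pwdLastSet = 0 means "must change at next logon" is already set; nothing to do.
    if ($u.pwdLastSet -eq 0) { continue }
    # A disabled account cannot be prompted; leave it for a separate cleanup.
    if (-not $u.Enabled) { continue }
    # Compare the PasswordLastSet date directly rather than relying on a
    # password-age switch, so never-expires accounts are not missed.
    if ($u.PasswordLastSet -and $u.PasswordLastSet -le $Cutoff) { $u }
}

if ($targets) {
    # Write the report first so it exists even if a later Set-ADUser call fails.
    $targets |
        Select-Object SamAccountName, Name, PasswordLastSet, PasswordNeverExpires |
        Export-Csv -Path $ReportPath -NoTypeInformation

    foreach ($u in $targets) {
        # Clear the flag first: with "Password never expires" set, the
        # must-change prompt does not take effect (as observed in the thread).
        if ($u.PasswordNeverExpires) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
        }
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
    Write-Host "Forced password change for $(@($targets).Count) account(s); report: $ReportPath"
} else {
    Write-Host "No enabled accounts in '$GroupName' with a password older than $MaxAgeDays days."
}
```

For a first run against 20k users, add `-WhatIf` to the two Set-ADUser calls: the report is still produced, so the list of accounts that would be forced can be reviewed before any change is made. Scheduling it daily, as Subsun suggests, is what makes the 90-day window rolling rather than a one-off sweep.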

MilesLogan (author) commented:
A+++ thank you tons Subsun !