MilesLogan
asked on
Powershell : Force Password change for group members
Hi EE
We do not have a global password change policy in our domain for various reasons but have the need to force 20k or so users to change their password every 90 days. We currently have a vbs script task that checks for members of a certain group and if they have not changed their password in 90 days, it prompts them to change it.
Has anyone set this up with a Powershell script? So the script checks the members of a group and if they have not changed their password in 90 days, it forces the password change.
ASKER
Thanks Mike .. I wish .. We have a way to go to get to functional level 2008 , still at 2003
Hi,
Check this...
Active Directory Management with PowerShell in Windows Server 2008 R2
https://www.simple-talk.com/content/print.aspx?article=868
Set-ADDefaultDomainPasswordPolicy
http://technet.microsoft.com/en-us/library/ee617251.aspx
Hope that helps :)
Using password policies is the recommended and flawless option. But if you want to do it using PowerShell you need to schedule a script to check the users daily (or as per your requirement). With Quest AD tools, it's quite simple.
Try something like..
Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90 | Set-QADUser -UserMustChangePassword $true
ASKER
awesome .. thanks Subsun .. would it be too difficult to add the options below?
-if the account has the "password never expires" flag selected so it un checks it first?
-Script outputs a daily report of the samAccount that was forced to change the pwd?
Try...
$Users = Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90 -PasswordNeverExpires:$false
If ($Users -ne $null){
$Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-date -f dd-MM-yyy).csv" -NTI
$Users | Set-QADUser -UserMustChangePassword $true
}
I didn't read..
-if the account has the "password never expires" flag selected so it un checks it first?
Check this...
$Users = Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90
If ($Users -ne $null){
$Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-date -f dd-MM-yyy).csv" -NTI
$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
$Users | Set-QADUser -UserMustChangePassword $true
}
ASKER
Hi Subsun ...
-if the account has the "password never expires" flag selected so it un checks it first?
yes .. it needs to uncheck it first or it won't work.
Did you check my last code? it should work as expected...
ASKER
Hi Subsun .. It works great but if the password never expires option is checked , it does not uncheck it and forces the password change.. All other options work great !
I tried this and it did not work on accounts that had the option checked ..
$Users = Get-QADUser -MemberOf "Your Group" -PasswordNotChangedFor 90
If ($Users -ne $null){
$Users | Select SamAccountName | Export-Csv "C:\Temp\PasswordChangelog-$(Get-date -f dd-MM-yyy).csv" -NTI
$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
$Users | Set-QADUser -UserMustChangePassword $true
}
Following line should take care of it..
I just tested and it did uncheck the PasswordNeverExpires option..
Can you run the command against one user and see if it works?
$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
Get-QADUser UserA | Set-QADUser -PasswordNeverExpires $false
ASKER
hi Subsun ..
This works by itself on one account ..
Get-QADUser UserA | Set-QADUser -PasswordNeverExpires $false
but when in the script ..it does not .. it skips those accounts that have the PasswordNeverExpires option checked ..
$Users = Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90
If ($Users -ne $null){
$Users | Select SamAccountName,Name,lastLogonTimestamp,PasswordLastSet | Export-Csv "e:\Projects\90\PasswordChangelog-$(Get-date -f dd-MM-yyy).csv" -NTI
$Users | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
$Users | Set-QADUser -UserMustChangePassword $true
}
Does the PasswordChangelog contain those users?
ASKER
No , the log only contains the users it modified .
That means the following code is not pulling the users who set PasswordNeverExpires as $True
Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90
What do you get for..
Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90 | ?{$_.PasswordNeverExpires -eq $True}
ASKER
Hi SubSun
Correct .. below does not work ..
Get-QADUser -MemberOf "Test5" -PasswordNotChangedFor 90 | ?{$_.PasswordNeverExpires -eq $True}
Check PasswordLastSet time for the accounts and see if they are 90 days old...
Get-QADUser -MemberOf "Test5" | ?{$_.PasswordNeverExpires -eq $True} | Select Name,PasswordLastSet
ASKER
They are .. these accounts have not changed the pwd since 2008 ...
How about if we disregard the Password age and just set it so that the script checks every account in the group and unchecks the PasswordNeverExpires option if its checked ?
ASKER
This does work ..
Get-QADUser -MemberOf "Test5" | ?{$_.PasswordNeverExpires -eq $True} | Set-QADUser -PasswordNeverExpires $false
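An added example (my own script, not Subsun's or the asker's) that puts the whole thread's workflow into one script using the Microsoft ActiveDirectory module instead of the Quest cmdlets: it computes the password age itself rather than relying on the -PasswordNotChangedFor filter, clears PasswordNeverExpires before setting the must-change flag (the order the asker found necessary), writes the daily CSV report, and supports -WhatIf for a dry run. It assumes the ActiveDirectory module can reach a DC running Active Directory Web Services (or the Active Directory Management Gateway Service on 2003 DCs); the group name and log directory are placeholders.

```powershell
# Added example: force a password change for group members whose password is older
# than N days, clearing PasswordNeverExpires first. Microsoft ActiveDirectory module;
# group name and log directory below are placeholders.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$GroupName = 'Your Group',   # placeholder
    [int]$MaxPasswordAgeDays = 90,
    [string]$LogDir = 'C:\Temp'          # placeholder
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$report = New-Object System.Collections.Generic.List[object]

# Walk nested groups with LDAP_MATCHING_RULE_IN_CHAIN; unlike Get-ADGroupMember this is
# not subject to the ADWS 5000-member default limit, which matters for a 20k-user group.
$groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
$members = Get-ADUser -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$groupDn)" `
    -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet

foreach ($u in $members) {
    # pwdLastSet = 0 means "must change at next logon" is already set: nothing to do
    if ($u.pwdLastSet -eq 0) { continue }
    # Compare the timestamp ourselves rather than trusting a cmdlet-side age filter
    if ($u.PasswordLastSet -gt $cutoff) { continue }

    $clearedNeverExpires = $false
    # AD does not honour the must-change flag while PasswordNeverExpires is set
    # (the ordering the asker hit), so clear that flag first
    if ($u.PasswordNeverExpires) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Clear PasswordNeverExpires')) {
            Set-ADUser -Identity $u -PasswordNeverExpires $false
            $clearedNeverExpires = $true
        }
    }
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Force password change at next logon')) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
    $report.Add([pscustomobject]@{
        SamAccountName      = $u.SamAccountName
        PasswordLastSet     = $u.PasswordLastSet
        ClearedNeverExpires = $clearedNeverExpires
    })
}

if ($report.Count -gt 0) {
    $log = Join-Path $LogDir ('PasswordChangelog-{0:yyyy-MM-dd}.csv' -f (Get-Date))
    $report | Export-Csv -Path $log -NoTypeInformation
}
```

Run it with -WhatIf first to list the accounts that would be touched without modifying them; the CSV is still written in that mode so the candidate list can be reviewed before the real run.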
ASKER
A+++ thank you tons Subsun !
However, is your domain functional level at 2008? If so you can use fine grained password policies and have a policy (PSO) apply to just a group. It is not all or nothing like it was in 2003/2000.
Thanks
Mike