
Can you reset a user's "last date when password changed"?

Posted on 2013-12-05
Last Modified: 2013-12-06
I recently set a FGPP that mandates a password change in 365 days and I wanted to roll it out gradually to large groups, BUT most users already have a "Date when last changed password" that is over the 365 days, so once I apply the policy they are forced to change it then. I would like to reset their "Last password reset date" to "0" so once the new policy is applied they will have 365 days to change it again.
Question by:MCS_Exchange
Accepted Solution

by:
jss1199 earned 2000 total points
ID: 39699291
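The PowerShell below will reset a specific user's password last change date.

Import-Module ActiveDirectory
# Load the account together with its pwdLastSet attribute
$User = Get-ADUser user.name -Properties pwdLastSet
# 0 marks the password as expired
$User.pwdLastSet = 0
Set-ADUser -Instance $User
# -1 does the reverse of 0: the password is no longer expired
$User.pwdLastSet = -1
Set-ADUser -Instance $User
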
If you assign 0, the password is immediately expired. The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time. They will THEN have 365 days before they must change according to your policy.

Author Comment

by:MCS_Exchange
ID: 39699377
I will ask the team to try this... I have been searching specifically for ANY information on this and your response seems valid and was very fast. Thanks

Expert Comment

by:jss1199
ID: 39699407
More info from MS below.  See additional scripts in the community section at the bottom.

http://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx

And more discussion on this from our friends at Google...

https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/xxrwqGUbttM

Expert Comment

by:Sandeshdubey
ID: 39700220
If you set the maximum password age to zero days, the password will not expire. See this for more details: http://technet.microsoft.com/en-us/magazine/ff741764.aspx

If you change the maximum password age from 600 days to a shorter period such as 360 days, users with passwords that are older than 360 days will instantly be prompted to change to a new password. Their passwords expire right away. You can adjust the Maximum Password Age number "slowly" to minimise helpdesk calls.

Reference link: http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/8e82e11c-3575-4413-b0dc-1c5e8dadb9d6

Author Comment

by:MCS_Exchange
ID: 39700830
Thanks Sandeshdubey... We thought of increasing the date limit but the actual # of users is so high this would take a lot of administration and then having to go back later to change the policy again so it occurs every 365 days.

The first solution offered was just tested and worked, and also opens the door to set the user back to -1. It seems there are only two options, 0 or -1. Our next test is to change the "Last password change" to 335 on a set # of users with a must change date of 365 and see if this allows them 30 days to change.

Expert Comment

by:jss1199
ID: 39700977
MCS_Exchange,

For your next test, changing 365 days to 335 will not necessarily allow 30 days to change.  This is all dependent on the date the last password was changed.  For your test user, you can use the below to determine the actual date the system shows his last change date:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -properties PasswordLastSet | Format-List

This date, along with the password age you specify, will allow you to determine if they will be forced to change passwords when you change the setting to x.
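
The check described in the comment above, generalized to a whole set of accounts so a staged FGPP rollout can be previewed before the policy is applied. This is an added example, not code from the thread: the function name Get-PasswordExpiryPreview, the state labels and the sample accounts are hypothetical, and it assumes input objects that expose SamAccountName and the raw pwdLastSet value (accounts flagged "password never expires" are not considered).

```powershell
# Added example: which accounts would a new maximum password age expire at once?
# Accepts any objects with SamAccountName and pwdLastSet (a FILETIME Int64),
# for instance the output of: Get-ADUser -Filter * -Properties pwdLastSet
function Get-PasswordExpiryPreview {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 365,               # the FGPP value from the question
        [datetime] $Now = [datetime]::UtcNow
    )
    process {
        $raw = [int64] $User.pwdLastSet
        if ($raw -eq 0) {
            # 0 means the password is already flagged as expired
            $lastSet = $null; $daysLeft = 0; $state = 'MustChangeNow'
        } else {
            # pwdLastSet is stored as 100-ns ticks since 1601-01-01 UTC
            $lastSet  = [datetime]::FromFileTimeUtc($raw)
            $daysLeft = [math]::Floor(($lastSet.AddDays($MaxAgeDays) - $Now).TotalDays)
            $state    = if ($daysLeft -lt 0) { 'ExpiresOnPolicyApply' } else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $lastSet
            DaysLeft        = $daysLeft
            State           = $state
        }
    }
}

# Constructed sample data (not real accounts), evaluated at a fixed reference date
$ref = New-Object datetime 2013, 12, 5, 0, 0, 0, ([DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'user.old';     pwdLastSet = $ref.AddDays(-500).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'user.recent';  pwdLastSet = $ref.AddDays(-335).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'user.flagged'; pwdLastSet = 0 }
)
$sample | Get-PasswordExpiryPreview -MaxAgeDays 365 -Now $ref | Format-Table -AutoSize
```

Accounts reported as ExpiresOnPolicyApply are the ones that would be prompted as soon as the policy takes effect, which makes them the candidates for the pwdLastSet reset from the accepted solution.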

Author Closing Comment

by:MCS_Exchange
ID: 39700995
The team customized their script and this was an excellent solution. I had spent a lot of time searching prior and your Google pages were also helpful.

This has been a great help.