Can you reset a user's "last date when password changed"?

I recently set a FGPP that mandates a password change in 365 days and I wanted to roll it out gradually to large groups, BUT most users already have a "Date when last changed password" that is over the 365 days, so once I apply the policy they are forced to change it then. I would like to reset their "Last password reset date" to "0" so once the new policy is applied they will have 365 days to change it again.
MCS_Exchange Asked:
 
jss1199 Commented:
The PowerShell below will reset a specific user's password last change date.

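Import-Module ActiveDirectory
# Load the user with the pwdLastSet attribute ("user.name" is a placeholder account name)
$User = Get-ADUser user.name -Properties pwdLastSet
# 0 marks the password as expired
$User.pwdLastSet = 0
Set-ADUser -Instance $User
# -1 clears the expired state again
$User.pwdLastSet = -1
Set-ADUser -Instance $User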

If you assign 0, the password is immediately expired. The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time. They will THEN have 365 days before they must change according to your policy.
0
 
MCS_Exchange (Author) Commented:
I will ask the team to try this... I have been searching specifically for ANY information on this and your response seems valid and was very fast. Thanks
0
 
jss1199 Commented:
More info from MS below.  See additional scripts in the community section at the bottom.

http://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx

And more discussion on this from our friends at Google...

https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/xxrwqGUbttM
0
 
Sandeshdubey (Senior Server Engineer) Commented:
If you set the maximum password age to zero days, the password will not expire. See this for more details: http://technet.microsoft.com/en-us/magazine/ff741764.aspx

If you change the maximum password age from 600 days to a shorter period such as 360 days, users with passwords that are older than 360 days will instantly be prompted to change to a new password. Their passwords expire right away. You can adjust the Maximum Password Age number "slowly" to minimise helpdesk calls.

Reference link: http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/8e82e11c-3575-4413-b0dc-1c5e8dadb9d6
0
 
MCS_Exchange (Author) Commented:
Thanks Sandeshdubey... We thought of increasing the date limit, but the actual # of users is so high this would take a lot of administration and then having to go back later to change the policy again so it occurs every 365 days.

The first solution offered was just tested and worked, and also opens the door to set the user back to -1. It seems there are only two options, 0 or -1. Our next test is to change the "Last password change" to 335 on a set # of users with a must change date of 365 and see if this allows them 30 days to change.
0
 
jss1199 Commented:
MCS_Exchange,

For your next test, changing 365 days to 335 will not necessarily allow 30 days to change. This is all dependent on the date the last password was changed. For your test user, you can use the below to determine the actual date the system shows as his last change date:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -properties PasswordLastSet | Format-List

This date, along with the password age you specify, will allow you to determine if they will be forced to change passwords when you change the setting to x.
0
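
An added example (not part of the original thread or any poster's script): a dry-run report that applies the check described in the comment above, comparing each user's PasswordLastSet with the planned 365-day maximum age to list who would be forced to change as soon as the FGPP applies. The group name 'FGPP-Pilot-Users' and the function name Get-PasswordAgeReport are assumptions; the reset at the end uses -WhatIf, so it only previews the change.

```powershell
# Added example: the group name and function name are assumptions, not from the thread.
Import-Module ActiveDirectory

function Get-PasswordAgeReport {
    param(
        [Parameter(Mandatory)] [string] $GroupName,  # hypothetical rollout group
        [int] $MaxAgeDays = 365                       # maximum age in the planned FGPP
    )
    $now = Get-Date
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName `
                    -Properties PasswordLastSet, PasswordNeverExpires
            # PasswordLastSet is $null when pwdLastSet is 0 (must change at next logon)
            $age = if ($u.PasswordLastSet) {
                [int][math]::Floor(($now - $u.PasswordLastSet).TotalDays)
            } else { $null }
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                AgeDays         = $age
                NeverExpires    = $u.PasswordNeverExpires
                # Accounts already flagged "must change" ($null age) are left alone
                # so that a reset does not clear a flag an administrator set on purpose.
                ExpiresAtOnce   = (-not $u.PasswordNeverExpires) -and
                                  ($null -ne $age) -and ($age -ge $MaxAgeDays)
            }
        }
}

$report = Get-PasswordAgeReport -GroupName 'FGPP-Pilot-Users'
$report | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Preview the pwdLastSet reset from the thread for the affected users only.
# -WhatIf prints the intended change without writing to the directory.
$report | Where-Object ExpiresAtOnce | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -Replace @{ pwdLastSet = 0 }  -WhatIf
    Set-ADUser -Identity $_.SamAccountName -Replace @{ pwdLastSet = -1 } -WhatIf
}
```

Keeping the report output alongside the change record shows which accounts had their password age restarted and how old those passwords were at the time.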
 
MCS_Exchange (Author) Commented:
The team customized their script and this was an excellent solution. I had spent a lot of time searching prior and your Google pages were also helpful.

This has been a great help
0
Question has a verified solution.
