Solved

Can you reset a users "last date when password changed"

Posted on 2013-12-05
7
1,944 Views
Last Modified: 2013-12-06
I recently set a FGPP that mandates a password change in 365 days and I wanted to roll it out gradually to large groups BUT most users already have a "Date when last changed password" thats is over the 365 days so once I apply the policy they are forced to change it then. I would like to reset their "Last password reset date to "0" so once the new policy is applied they will have 365 day to change it again.
0
Comment
Question by:MCS_Exchange
  • 3
  • 3
7 Comments
 
LVL 19

Accepted Solution

by:
jss1199 earned 500 total points
Comment Utility
The powershell below will reset a specific user's paswd last change date.

$User = Get-ADUser user.name -properties pwdlastset 
$User.pwdlastset = 0 
Set-ADUser -Instance $User 
$user.pwdlastset = -1 
Set-ADUser -instance $User

Open in new window


If you assign 0, the password is immediately expired. The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time. They will THEN have 365 days before they must change according to your policy.
0
 

Author Comment

by:MCS_Exchange
Comment Utility
I will ask the team to try this... I have been searching specifically for ANY information on this and your response seems valid and was very fast. Thanks
0
 
LVL 19

Expert Comment

by:jss1199
Comment Utility
More info from MS below.  See additional scripts in the community section at the bottom.

http://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx

And more discussion on this from our friends at Google...

https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/xxrwqGUbttM
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 24

Expert Comment

by:Sandeshdubey
Comment Utility
If you set the maximum password age to zero days password will not expires see this for more details.http://technet.microsoft.com/en-us/magazine/ff741764.aspx

If you change the maximum password age from 600 days to a shorter period such as 360 days, users with passwords that are older than 360 days will instantly be prompted to change a new password. Their passwords expire right away. You can adjust the Maximum Password Age number "slowly" to minimise helpdesk call.

Reference link:http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/8e82e11c-3575-4413-b0dc-1c5e8dadb9d6
0
 

Author Comment

by:MCS_Exchange
Comment Utility
Thanks Sandeshdubey... We thought of increasing the date limit but the actual # of users is so high this would take a lot of administration and then having to go back later to change the policy again so it occurrs every 365 days.

The first solution offered was just tested and worked and also opens the door to set the user back to -1 it seems their is only two options 0 or -1 Our next test is to change the "Last password change" to 335 on a set # of users with a must change date of 365 and see if this allows them 30 days to change.
0
 
LVL 19

Expert Comment

by:jss1199
Comment Utility
MCS_Exchange,

For your next test, changing 365 days to 335 will not necessarily allow 30 days to change.  This is all dependent on the date the last password was changed.  For you test user, you can use the below to determine the actual date the system shows his last change date:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -properties PasswordLastSet | Format-List

This date, along with the password age you specify, will allow you to dtermine if they will be forced to change passwords when you change the setting to x
0
 

Author Closing Comment

by:MCS_Exchange
Comment Utility
The team customized their script and this was an excellent solution. I had spent a lot of time searching prior and your google pages were also helpful.

This has been a great help
0

Featured Post

Integrate social media with email signatures

Is your company active on social media? Do you also use email signatures? Including social media icons in your email signature is a great way to get fans for free. Let all your email users know you’re on social media quickly and easily, in a single click.

Join & Write a Comment

I was supporting a handful of Windows 2008 (non-R2) 2 node clusters with shared quorum disks. Some had SQL 2008 installed and some were just a vendor application that we supported. For the purposes of this article it doesn’t really matter which so w…
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now