[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Can you reset a users "last date when password changed"

Posted on 2013-12-05
7
Medium Priority
?
3,168 Views
Last Modified: 2013-12-06
I recently set a FGPP that mandates a password change in 365 days and I wanted to roll it out gradually to large groups BUT most users already have a "Date when last changed password" thats is over the 365 days so once I apply the policy they are forced to change it then. I would like to reset their "Last password reset date to "0" so once the new policy is applied they will have 365 day to change it again.
0
Comment
Question by:MCS_Exchange
  • 3
  • 3
7 Comments
 
LVL 19

Accepted Solution

by:
jss1199 earned 2000 total points
ID: 39699291
The powershell below will reset a specific user's paswd last change date.

$User = Get-ADUser user.name -properties pwdlastset 
$User.pwdlastset = 0 
Set-ADUser -Instance $User 
$user.pwdlastset = -1 
Set-ADUser -instance $User

Open in new window


If you assign 0, the password is immediately expired. The value -1 corresponds to the largest integer allowed in a 64-bit attribute, 2^63-1. This value does the reverse of 0. It makes the password not expired. When the user next logs on, the pwdLastSet attribute will be set by the system to the value corresponding to the current date/time. They will THEN have 365 days before they must change according to your policy.
0
 

Author Comment

by:MCS_Exchange
ID: 39699377
I will ask the team to try this... I have been searching specifically for ANY information on this and your response seems valid and was very fast. Thanks
0
 
LVL 19

Expert Comment

by:jss1199
ID: 39699407
More info from MS below.  See additional scripts in the community section at the bottom.

http://msdn.microsoft.com/en-us/library/ms679430(v=vs.85).aspx

And more discussion on this from our friends at Google...

https://groups.google.com/forum/#!topic/microsoft.public.windows.server.active_directory/xxrwqGUbttM
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39700220
If you set the maximum password age to zero days password will not expires see this for more details.http://technet.microsoft.com/en-us/magazine/ff741764.aspx

If you change the maximum password age from 600 days to a shorter period such as 360 days, users with passwords that are older than 360 days will instantly be prompted to change a new password. Their passwords expire right away. You can adjust the Maximum Password Age number "slowly" to minimise helpdesk call.

Reference link:http://social.technet.microsoft.com/Forums/eu/winserverDS/thread/8e82e11c-3575-4413-b0dc-1c5e8dadb9d6
0
 

Author Comment

by:MCS_Exchange
ID: 39700830
Thanks Sandeshdubey... We thought of increasing the date limit but the actual # of users is so high this would take a lot of administration and then having to go back later to change the policy again so it occurrs every 365 days.

The first solution offered was just tested and worked and also opens the door to set the user back to -1 it seems their is only two options 0 or -1 Our next test is to change the "Last password change" to 335 on a set # of users with a must change date of 365 and see if this allows them 30 days to change.
0
 
LVL 19

Expert Comment

by:jss1199
ID: 39700977
MCS_Exchange,

For your next test, changing 365 days to 335 will not necessarily allow 30 days to change.  This is all dependent on the date the last password was changed.  For you test user, you can use the below to determine the actual date the system shows his last change date:

Import-Module ActiveDirectory
Get-ADUser 'UserName' -properties PasswordLastSet | Format-List

This date, along with the password age you specify, will allow you to dtermine if they will be forced to change passwords when you change the setting to x
0
 

Author Closing Comment

by:MCS_Exchange
ID: 39700995
The team customized their script and this was an excellent solution. I had spent a lot of time searching prior and your google pages were also helpful.

This has been a great help
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question