stealth82 asked:

Force all staff to reset passwords with specific requirements

Hi Experts,

I need a script that will go through AD and force certain staff to change their password.

So hopefully some genius can help on here ;-)

What I need the script to do:

If a user has a staff ID between 100000-500000, has an email address, and has not changed their password within the past week, then make them change their password on next login.

Hope someone can help

Thanks
Tags: PowerShell, Active Directory, Scripting Languages

Last comment: Rory Clerkin, 8/22/2022 - Mon
stealth82

ASKER
Staff ID is employee ID
SOLUTION
becraig

stealth82

ASKER
Thanks. Is there a way to target specific OUs to test first? Also, perhaps output to a log file so we can see what was changed?
stealth82

ASKER
Sorry, just noticed the -searchbase...!
stealth82

ASKER
Also, it would be good to have one that would emulate first so that we can verify that all accounts selected are OK to change, then exclude any if required. Appreciate your help ;-)
Rory Clerkin

To list who has an old password:

```powershell
# FILETIME value for one week ago; a pwdLastSet older than this means the
# password was not changed within the past 7 days
$Cutoff = (Get-Date).AddDays(-7).ToFileTimeUtc()
# employeeID in the requested range, has an email address, password older than
# the cutoff; pwdLastSet -ne 0 skips accounts already flagged to change at next logon
Get-ADUser -Filter {(employeeID -ge "100000") -and (employeeID -lt "500000") -and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne "0") -and (EmailAddress -like "*")} -Properties DisplayName,EmailAddress,SamAccountName,distinguishedName |
    Sort-Object EmailAddress |
    Format-Table DisplayName,EmailAddress,SamAccountName,distinguishedName
```


To force the user to reset their password at next logon:

```powershell
# Same selection as above, but pipe the matching accounts into Set-ADUser
# to set the "User must change password at next logon" flag
$Cutoff = (Get-Date).AddDays(-7).ToFileTimeUtc()
Get-ADUser -Filter {(employeeID -ge "100000") -and (employeeID -lt "500000") -and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne "0") -and (EmailAddress -like "*")} -Properties DisplayName,EmailAddress,SamAccountName,distinguishedName |
    Set-ADUser -ChangePasswordAtLogon $true
```



You would take care of the password complexity with your password policy set in Group Policy. Details on this page:
http://technet.microsoft.com/en-us/library/cc875814.aspx

Details on the filter for the Get-ADUser can be found on this page:
http://technet.microsoft.com/en-us/library/ee617241.aspx

Rory
stealth82

ASKER
Thanks, Rory.

I need to be able to target OUs though, and also exclude various users. Can the above code also output to a txt or CSV file?
ASKER CERTIFIED SOLUTION
stealth82

ASKER
Perfect. Can we also exclude disabled users and show the OU location?
stealth82

ASKER
Got it :-)

-and (Enabled -eq $true)
Rory Clerkin

Exactly, and the distinguishedName that is returned includes the OU.
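Putting the pieces from this thread together (Rory's filter, the -SearchBase scoping, the Enabled check, an exclusion list, a dry run and a CSV log) as one script. This is an added example, not code posted by anyone in the thread or the accepted solution; the OU path, the excluded account names and the log file location are placeholder assumptions to replace with your own.

```powershell
# Added example: preview or apply the "change password at next logon" flag for
# staff matching the thread's criteria, scoped to one OU, with exclusions and a CSV log.
# Run with -WhatIf to emulate first; run without it to apply the change.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',        # placeholder OU to test first
    [string[]]$ExcludeSam = @('svc_backup', 'admin.jdoe'),      # placeholder accounts to skip
    [string]$LogPath = "$PSScriptRoot\pwd-reset-$(Get-Date -Format yyyyMMdd-HHmm).csv"
)
Import-Module ActiveDirectory

# FILETIME for one week ago; pwdLastSet older than this = not changed in the past 7 days.
$Cutoff = (Get-Date).AddDays(-7).ToFileTimeUtc()

# employeeID in range, has an email address, password older than the cutoff,
# not already flagged (pwdLastSet 0), and the account is enabled.
$Filter = "(employeeID -ge '100000') -and (employeeID -lt '500000') -and " +
          "(pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne 0) -and " +
          "(EmailAddress -like '*') -and (Enabled -eq 'True')"

$candidates = Get-ADUser -SearchBase $SearchBase -Filter $Filter `
        -Properties DisplayName, EmailAddress, employeeID, pwdLastSet, distinguishedName |
    Where-Object { $ExcludeSam -notcontains $_.SamAccountName }

$log = foreach ($u in $candidates) {
    $lastSet = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
    # -WhatIf makes ShouldProcess return $false, so nothing is written to AD.
    $action = if ($PSCmdlet.ShouldProcess($u.DistinguishedName, 'Set ChangePasswordAtLogon')) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
        'Flagged'
    } else { 'DryRun' }
    [pscustomobject]@{
        Timestamp      = (Get-Date).ToString('s')
        SamAccountName = $u.SamAccountName
        DisplayName    = $u.DisplayName
        EmailAddress   = $u.EmailAddress
        EmployeeID     = $u.employeeID
        PasswordAgeDays = [math]::Round(((Get-Date) - $lastSet).TotalDays, 1)
        # OU location: the DN with the leading CN= component removed
        OU             = $u.DistinguishedName -replace '^CN=[^,]+,', ''
        Action         = $action
    }
}

$log | Export-Csv -Path $LogPath -NoTypeInformation
$log | Format-Table SamAccountName, EmailAddress, PasswordAgeDays, OU, Action -AutoSize
Write-Host "$($log.Count) account(s) processed; log written to $LogPath"
```

Because the CSV is written in both modes, a -WhatIf run gives you the exact list to review (and to feed back into $ExcludeSam) before the real run touches any account.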
stealth82

ASKER
Thanks all, I thought it was only fair to allocate becraig a few points for helping first of all.
Rory Clerkin

Glad to have helped.