asked on Force all staff to reset passwords with specific requirements
Hi Experts,
I need a script that will go through AD and force certain staff to change their password.
So hopefully some genius can help on here ;-)
What I need the script to do.
If a user has a staff ID between 100000-500000 and has an email address & they have not changed their password within the past week then make them change password on next login.
Hope someone can help
Thanks
I need a script that will go through AD and force certain staff to change their password.
So hopefully some genius can help on here ;-)
What I need the script to do.
If a user has a staff ID between 100000-500000 and has an email address & they have not changed their password within the past week then make them change password on next login.
Hope someone can help
Thanks
PowershellActive DirectoryScripting Languages
Last Comment
Rory Clerkin
ASKER
Staff ID is employee ID
SOLUTION
Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a questionASKER
thanks, is there a way to target specific OUs to test first? Also perhaps output to a log file so we can see what was changed?
ASKER
sorry just noticed the -searchbase...!
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER
also would be good to have one that would emulate first so that we can verify if all accounts selected are ok to change, then exclude any if required. Appreciate your help ;-)
To list who has an old password:
To force the user to reset their password at next logon:
You would take care of the password complexity with your password policy set in Group Policy. Details on this page:
http://technet.microsoft.com/en-us/library/cc875814.aspx
Details on the filter for the Get-ADUser can be found on this page:
http://technet.microsoft.com/en-us/library/ee617241.aspx
Rory
$Cutoff = $((Get-Date).AddDays(-7).ToFileTimeUtc())
Get-ADUser -filter {(employeeID -ge "100000") -and (employeeID -lt "500000") -and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne "0") -and (EmailAddress -like "*")} -Properties DisplayName,EmailAddress,SamAccountName,distinguishedName | Sort-Object EmailAddress | FT DisplayName,EmailAddress,SAMAccountName,distinguishedName
To force the user to reset their password at next logon:
$Cutoff = $((Get-Date).AddDays(-7).ToFileTimeUtc())
Get-ADUser -filter {(employeeID -ge "100000") -and (employeeID -lt "500000") -and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne "0") -and (EmailAddress -like "*")} -Properties DisplayName,EmailAddress,SamAccountName,distinguishedName | Set-ADUser -ChangePasswordAtLogon $true
You would take care of the password complexity with your password policy set in Group Policy. Details on this page:
http://technet.microsoft.com/en-us/library/cc875814.aspx
Details on the filter for the Get-ADUser can be found on this page:
http://technet.microsoft.com/en-us/library/ee617241.aspx
Rory
ASKER
thanks Rory.
I need to be able to target OUs though and also exclude various users. Can the above codes also output to a txt or csv file?
I need to be able to target OUs though and also exclude various users. Can the above codes also output to a txt or csv file?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER CERTIFIED SOLUTION
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
perfect, can we also exclude disabled users and show OU location?
ASKER
Got it :-)
-and (Enabled -eq $true)
-and (Enabled -eq $true)
Exactly and the distinguishedName that is returned includes the OU.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
ASKER
Thanks all, thought it was only fair to allocate becraig a few points for helping first of all.
Glad to have helped.