stealth82
asked on
Force all staff to reset passwords with specific requirements
Hi Experts,
I need a script that will go through AD and force certain staff to change their password.
So hopefully some genius can help on here ;-)
What I need the script to do.
If a user has a staff ID between 100000-500000 and has an email address & they have not changed their password within the past week then make them change password on next login.
Hope someone can help
Thanks
SOLUTION
ASKER
thanks, is there a way to target specific OUs to test first? Also perhaps output to a log file so we can see what was changed?
ASKER
sorry just noticed the -searchbase...!
ASKER
also would be good to have one that would emulate first so that we can verify if all accounts selected are ok to change, then exclude any if required. Appreciate your help ;-)
To list who has an old password:
$Cutoff = $((Get-Date).AddDays(-7).ToFileTimeUtc())
Get-ADUser -filter {(employeeID -ge "100000") -and (employeeID -lt "500000") -and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne "0") -and (EmailAddress -like "*")} -Properties DisplayName,EmailAddress,SamAccountName,distinguishedName | Sort-Object EmailAddress | FT DisplayName,EmailAddress,SAMAccountName,distinguishedName
To force the user to reset their password at next logon:
$Cutoff = $((Get-Date).AddDays(-7).ToFileTimeUtc())
Get-ADUser -filter {(employeeID -ge "100000") -and (employeeID -lt "500000") -and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne "0") -and (EmailAddress -like "*")} -Properties DisplayName,EmailAddress,SamAccountName,distinguishedName | Set-ADUser -ChangePasswordAtLogon $true
You would take care of the password complexity with your password policy set in Group Policy. Details on this page:
http://technet.microsoft.com/en-us/library/cc875814.aspx
Details on the filter for the Get-ADUser can be found on this page:
http://technet.microsoft.com/en-us/library/ee617241.aspx
Rory
ASKER
thanks Rory.
I need to be able to target OUs though and also exclude various users. Can the above codes also output to a txt or csv file?
ASKER CERTIFIED SOLUTION
ASKER
perfect, can we also exclude disabled users and show OU location?
ASKER
Got it :-)
-and (Enabled -eq $true)
Exactly and the distinguishedName that is returned includes the OU.
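Putting the thread's pieces together, here is an added example (not code posted in the thread, and not the hidden accepted solution) that takes Rory's query and adds the follow-up requests: a -SearchBase for testing against one OU, an exclusion list, the Enabled check, a dry-run mode that only logs, a CSV log, and the OU pulled out of the distinguishedName. The OU, exclusion names and log path are placeholders; the numeric employeeID range check is done in PowerShell because employeeID is a string attribute in AD.

```powershell
# Added example: dry-run-capable forced-reset script. Assumes the ActiveDirectory
# module is available; SearchBase, Exclude and LogPath values are placeholders.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=com',    # placeholder test OU
    [string[]]$Exclude  = @('svc_backup', 'admin.smith'),  # placeholder sAMAccountNames to skip
    [string]$LogPath    = 'C:\Temp\ForcedResets.csv',      # placeholder log file
    [switch]$Apply                                         # omit to emulate only
)
Import-Module ActiveDirectory

# pwdLastSet is a FILETIME; older than 7 days qualifies. 0 already means
# "must change at next logon", so those accounts are skipped.
$Cutoff = (Get-Date).AddDays(-7).ToFileTimeUtc()
$Filter = "(employeeID -like '*') -and (EmailAddress -like '*') -and (Enabled -eq 'True') " +
          "-and (pwdLastSet -lt $Cutoff) -and (pwdLastSet -ne 0)"

$Candidates = Get-ADUser -Filter $Filter -SearchBase $SearchBase `
                  -Properties employeeID, EmailAddress, pwdLastSet, distinguishedName |
    Where-Object {
        # employeeID is a string attribute, so the 100000-500000 range is checked
        # numerically here instead of by string ordering in the LDAP filter.
        $id = 0
        [int]::TryParse($_.employeeID, [ref]$id) -and
            $id -ge 100000 -and $id -le 500000 -and
            ($Exclude -notcontains $_.SamAccountName)
    }

$Log = foreach ($u in $Candidates) {
    # OU = the DN with its leading CN=... component removed (split on the first
    # unescaped comma so names like "Smith\, John" stay intact).
    $ou = ($u.distinguishedName -split '(?<!\\),', 2)[1]
    if ($Apply) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
    [pscustomobject]@{
        When           = Get-Date -Format s
        SamAccountName = $u.SamAccountName
        EmailAddress   = $u.EmailAddress
        EmployeeID     = $u.employeeID
        PwdLastSet     = [DateTime]::FromFileTimeUtc($u.pwdLastSet)
        OU             = $ou
        Action         = if ($Apply) { 'ChangePasswordAtLogon set' } else { 'DRY RUN - no change' }
    }
}

# Append so repeated test runs keep their history; review the CSV before using -Apply.
$Log | Export-Csv -Path $LogPath -NoTypeInformation -Append
$Log | Format-Table SamAccountName, EmployeeID, OU, PwdLastSet, Action -AutoSize
```

Run it without -Apply first, review the CSV, move any accounts you do not want touched into the exclusion list, and then rerun with -Apply against the same OU.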
ASKER
Thanks all, thought it was only fair to allocate becraig a few points for helping first of all.
Glad to have helped.