Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

Solved

Script(s) for password policies

Posted on 2016-09-28

1 solution

Medium Priority

43 Views

Last Modified: 2016-10-17

I have a fairly rigid set of rules to play by here and they can't be altered, which sucks of course. We cannot set accounts to expire or lock them out.

What I need to script:

(1)Query AD for users whose passwords are 365 days old against the pwdlastset attribute. I also need to be able to exclude accounts that are set to never expire
(2)Email a report of the number/list
(3)Email users in stages that their password is going to expire
(4)When the day arrives I need to scramble their password

I can generally do these separately fine enough but i would highly appreciate a powershell guru who could whip something up to help with this. I can stumble through this but there is a bit of a time crunch on this.

Any help would greatly help.

Comment

Question by:John Hammerdink

[X]

Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

Help others & share knowledge
Earn cash & points
Learn & ask questions

Join The Community

2 Comments

LVL 40

Accepted Solution

by:Subsun

Subsun earned 2000 total points (awarded by participants)

ID: 418206122016-09-28

Following code will help you to send the list in email.

$File = "C:\Script\Report.csv"
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties Displayname,pwdlastset |
	Select-Object -Property Displayname,@{Name="pwdlastset";E={[datetime]::FromFileTime($_.pwdlastset)}} | 
		?{$_.pwdlastset -le ((Get-Date).Adddays(-365))} | Export-Csv $File -nti

$mail = @{
	From = "Admin@domain.com" 
	To = "Admin@domain.com" 
	Attachments = $File 
	SmtpServer = "mail.domain.com"
	Subject = "Password Expiry List"
}
Send-MailMessage @mail

Open in new window

How to Setup a Password Expiration Notification Email Solution
Ref: https://blogs.technet.microsoft.com/askpfeplat/2015/05/04/how-to-setup-a-password-expiration-notification-email-solution/
Since you dont have password expiry set, you might need to change line (I have not tested this)

$expireson = $passwordsetdate + $maxPasswordAge
To 

$expireson = $passwordsetdate + 365

or

$expireson = $passwordsetdate + (New-TimeSpan -Days 365)

Open in new window

To set password you can use Set-ADAccountPassword

Set-ADAccountPassword –Identity UserA -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "p@ssw0rd" –Force)

Open in new window

LVL 40

Expert Comment

by:Subsun

ID: 418463362016-10-17

Details mentioned in the comment should help. If John Hammerdink doesn't have any further queries, then question can be closed.

Featured Post

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phasing in a Group Policy

Article by: Shaun

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…

Automated object placement using AutoAD

Article by: Shaun

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.

Active Directory

[Webinar] Is Your Active Directory as Secure as You Think?

Video by: Experts Exchange

Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

Mass Updating Active Directory From a Text File

Video by: Kevin

This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.