Link to home
Start Free TrialLog in
Avatar of tabush
tabush

asked on

Powershell Script to change AD attribute pwlastset - (ET)

Can someone help me write a powershell that does the following?
I want to change pwdlastset active directory attribute on a specified OU

If password age is greater than 175 days then:
- Change pwdlastset to 0 and commit that to AD
- Change pwdlastset to -1 and commit that to AD
*skip if user account is set to pw never expire.

I'm putting a new 180 day password policy in place and i dont want it to force an immediate password expiration on people who's password is older than 180 days. I'm using a tool that will notify them in the last 10 days of expiration but if it expires right away this tool wont help.
Avatar of oBdA
oBdA
If you don't want an immediate expiration, you can't set pwdLastSet to 0, because that sets the password last set time to "Never", which is as old as it gets.
This is in test mode and will only display the users it would change; remove the -WhatIf in line 6 to run it for real:
$pwdLastSet = -1	## -1: Now; 0: Never
$filterDate = (Get-Date).AddDays(-175)
$searchBase = 'OU=Test,OU=Some OU,DC=domain,DC=com'
Get-ADUser -Filter * -Properties PasswordNeverExpires, pwdLastSet -SearchBase $searchBase |
	Select-Object -Property *, @{n='PasswordLastSet'; e={[datetime]::FromFileTime($_.pwdLastSet)}} |
	Where-Object {(-not $_.PasswordNeverExpires) -and ($_.PasswordLastSet -lt $filterDate)} |
	ForEach-Object {Set-ADUser -Identity $_.DistinguishedName -Replace @{pwdLastSet=$pwdLastSet} -WhatIf}

Open in new window

Avatar of tabush
tabush

ASKER

Setting to 0 sets it to never but also enables the "force pw change at next login"
Only option i found around that is setting to 0 then to -1 which set's the pwlastset to todays date.
ASKER CERTIFIED SOLUTION
Avatar of oBdA
oBdA
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of tabush
tabush

ASKER

Looks like it ran against one user but it didnt actually change the pwdlastset value. See screenshots

User generated image
User generated image
Avatar of oBdA
oBdA
Again, and like the "What if:" in the output suggests: it's in test mode; you'll need to remove the two "-WhatIf"s in lines 6 and 7 to run it for real.
Avatar of tabush
tabush

ASKER

Sorry my mistake. I didnt read it carefully.
Avatar of tabush
tabush

ASKER

Thanks this is exactly what i was looking for.