Powershell Script to change AD attribute pwlastset - (ET)

Can someone help me write a PowerShell script that does the following?
I want to change the pwdLastSet Active Directory attribute on a specified OU.

If password age is greater than 175 days then:
- Change pwdLastSet to 0 and commit that to AD
- Change pwdLastSet to -1 and commit that to AD
*Skip if the user account is set to password never expires.

I'm putting a new 180-day password policy in place and I don't want it to force an immediate password expiration on people whose password is older than 180 days. I'm using a tool that will notify them in the last 10 days before expiration, but if it expires right away this tool won't help.
tabush asked:

oBdA commented:
As before, in test mode (two lines now, obviously):
$filterDate = (Get-Date).AddDays(-175)
Get-ADUser -Filter * -Properties PasswordNeverExpires, pwdLastSet -SearchBase 'OU=Users_A,OU=Team_A,OU=Delegation,DC=MR1,DC=infra3,DC=svc' |
	Select-Object -Property *, @{n='PasswordLastSet'; e={[datetime]::FromFileTime($_.pwdLastSet)}} |
	Where-Object {(-not $_.PasswordNeverExpires) -and ($_.PasswordLastSet -lt $filterDate)} |
	ForEach-Object {
		Set-ADUser -Identity $_.DistinguishedName -Replace @{pwdLastSet=0} -WhatIf
		Set-ADUser -Identity $_.DistinguishedName -Replace @{pwdLastSet=-1} -WhatIf
	}

oBdA commented:
If you don't want an immediate expiration, you can't set pwdLastSet to 0, because that sets the password last set time to "Never", which is as old as it gets.
This is in test mode and will only display the users it would change; remove the -WhatIf in line 6 to run it for real:
$pwdLastSet = -1	## -1: Now; 0: Never
$filterDate = (Get-Date).AddDays(-175)
$searchBase = 'OU=Test,OU=Some OU,DC=domain,DC=com'
Get-ADUser -Filter * -Properties PasswordNeverExpires, pwdLastSet -SearchBase $searchBase |
	Select-Object -Property *, @{n='PasswordLastSet'; e={[datetime]::FromFileTime($_.pwdLastSet)}} |
	Where-Object {(-not $_.PasswordNeverExpires) -and ($_.PasswordLastSet -lt $filterDate)} |
	ForEach-Object {Set-ADUser -Identity $_.DistinguishedName -Replace @{pwdLastSet=$pwdLastSet} -WhatIf}

tabush (Author) commented:
Setting to 0 sets it to never but also enables "force password change at next login".
The only option I found around that is setting to 0 and then to -1, which sets pwdLastSet to today's date.
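An added example, not code posted by oBdA or tabush, that wraps the two-step reset this thread settles on with what an administrator would want around it: the age filter runs on the domain controller instead of pulling the whole OU, accounts that are already flagged "must change password at next logon" (pwdLastSet is already 0, so the one-step scripts above would write -1 and silently clear that flag) are skipped, the script stays in dry-run mode unless -WhatIf is dropped, and every before/after value is written to a CSV for audit. The OU path, the log path and the domain-controller discovery are assumptions.

```powershell
# Added example (not the thread's own code): two-step pwdLastSet reset with
# dry-run default, server-side filter, audit log, and a skip for accounts whose
# pwdLastSet is already 0 (the "must change password at next logon" flag).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Test,OU=Some OU,DC=domain,DC=com',   # assumption: your OU
    [int]   $MaxAgeDays = 175,
    [string]$LogPath    = "$PSScriptRoot\pwdLastSet-reset.csv"     # assumption: log location
)
Import-Module ActiveDirectory

# Pin reads and writes to one DC so the read-back after Set-ADUser sees our write
# rather than a replica that has not replicated yet (assumption: default discovery).
$dc = [string](Get-ADDomainController -Discover).HostName

# AD stores pwdLastSet as a FILETIME; converting the cutoff lets the DC do the
# comparison instead of the client filtering every object in the OU.
$cutoffFileTime = (Get-Date).AddDays(-$MaxAgeDays).ToFileTime()

$candidates = Get-ADUser -Server $dc -SearchBase $SearchBase -SearchScope Subtree `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false -and pwdLastSet -lt $cutoffFileTime } `
    -Properties pwdLastSet, PasswordNeverExpires

$log = foreach ($user in $candidates) {
    $before = [int64]$user.pwdLastSet
    $after  = $before

    if ($before -eq 0) {
        # Already "must change password at next logon": writing -1 would remove
        # that requirement, so leave the account alone and record the decision.
        $action = 'skipped-already-flagged'
    }
    elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset pwdLastSet (0, then -1)')) {
        # Two separate commits: 0 clears the stamp, -1 then sets it to "now",
        # which is what stops the new max-age policy expiring the password today.
        Set-ADUser -Server $dc -Identity $user.DistinguishedName -Replace @{ pwdLastSet = 0 }
        Set-ADUser -Server $dc -Identity $user.DistinguishedName -Replace @{ pwdLastSet = -1 }
        $after  = [int64](Get-ADUser -Server $dc -Identity $user.DistinguishedName -Properties pwdLastSet).pwdLastSet
        $action = 'reset'
    }
    else {
        $action = 'whatif'   # -WhatIf was given: nothing written
    }

    [pscustomobject]@{
        Time   = Get-Date
        User   = $user.SamAccountName
        Before = [datetime]::FromFileTime($before)
        After  = [datetime]::FromFileTime($after)
        Action = $action
    }
}

$log | Export-Csv -Path $LogPath -NoTypeInformation -Append
$log | Format-Table -AutoSize

# Usage: .\Reset-PwdLastSet.ps1 -WhatIf          (dry run, lists the would-be changes)
#        .\Reset-PwdLastSet.ps1                  (performs the reset and appends to the CSV)
```

Keep the CSV: a pwdLastSet rewrite pushes every matched password past the policy's maximum age without the user changing it, so the log is the only record of which accounts had stale passwords extended and when.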

tabush (Author) commented:
Looks like it ran against one user but it didn't actually change the pwdLastSet value. See screenshots (attached: "powershell", "AD attribute").

oBdA commented:
Again, and like the "What if:" in the output suggests: it's in test mode; you'll need to remove the two "-WhatIf"s in lines 6 and 7 to run it for real.

tabush (Author) commented:
Sorry, my mistake. I didn't read it carefully.

tabush (Author) commented:
Thanks, this is exactly what I was looking for.
Question has a verified solution.