Tuesday, November 13 2018

Force Expire the password using Change Password at Next Logon

There are several scenarios in which you may want to force users to change their passwords:

  • As a precautionary measure to secure the accounts after an attack.
  • When any sort of infection is found in the network. It is always recommended to reset the users' passwords.
  • To mitigate a phishing attack in which multiple users shared their credentials on an unknown link.

To set Change Password at Next Logon for a specific Organizational Unit (OU) using PowerShell:

Get-ADUser -Filter * -SearchBase "OU=0000-000,OU=01 Users,DC=adp,DC=ae" -Properties * | Set-ADUser -ChangePasswordAtLogon $true -Verbose


To skip the users who changed their password in the last two days, filter on the current day and the previous day:

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { ($_.PasswordLastSet -notlike "10/24/2018*") -and ($_.PasswordLastSet -notlike "10/25/2018*") }


To skip the users who changed their password in the last two days (the current day and the previous day), and also skip the users who already have Change Password at Next Logon checked:

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { ($_.PasswordLastSet -notlike "10/24/2018*") -and ($_.PasswordLastSet -notlike "10/25/2018*") -and ($_.pwdlastset -notlike "0") }

Note: If Change Password at Next Logon is checked, pwdlastset will be set to "0".


To skip the users who changed their password in the last two days (the current day and the previous day) and the users who already have Change Password at Next Logon checked, while also skipping the users for whom Password Never Expires is checked:

Note: Change Password at Next Logon cannot be applied to accounts where Password Never Expires is set to true.

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { ($_.PasswordLastSet -notlike "10/24/2018*") -and ($_.PasswordLastSet -notlike "10/25/2018*") -and ($_.pwdlastset -notlike "0") -and ($_.passwordneverexpires -notlike "$true") }
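
The three filters above select accounts but do not yet change them. The following added example (not the author's code) combines them with Set-ADUser and replaces the hard-coded date strings with a computed cutoff; the function name Set-ForcedPasswordChange and the parameters $SearchBase and $SkipDays are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
# Added example: Set-ForcedPasswordChange, $SearchBase and $SkipDays are hypothetical names.

function Set-ForcedPasswordChange {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # distinguished name of the OU
        [int] $SkipDays = 2                           # current day + previous day, as in the post
    )

    # Midnight at the start of the skip window.
    # Run on 10/25 with SkipDays = 2, this is 10/24 00:00.
    $cutoff = (Get-Date).Date.AddDays(-($SkipDays - 1))

    # Request only the attributes the filter needs instead of -Properties *
    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'pwdLastSet'

    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props |
        Where-Object {
            ($_.pwdLastSet -ne 0) -and             # flag is not already set
            (-not $_.PasswordNeverExpires) -and    # flag cannot be applied to these accounts
            ($_.PasswordLastSet -lt $cutoff)       # password not changed inside the window
        } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set ChangePasswordAtLogon')) {
                Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
            }
            # Emit one record per targeted account so the run can be logged
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                PasswordLastSet = $_.PasswordLastSet
            }
        }
}

# Dry run: reports the accounts that would be flagged without modifying them
Set-ForcedPasswordChange -SearchBase 'OU DISTINGUISHED NAME' -WhatIf
```

Remove -WhatIf to apply the change, and pipe the output to Export-Csv to keep a record of which accounts were flagged.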


To list the users for whom Password Never Expires is checked in a specific Organizational Unit:

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { $_.passwordneverexpires -like "$true" }


Finding the distinguished name for an OU using Active Directory Users and Computers

[Screenshots: the OU's distinguished name in Active Directory Users and Computers]

About Satheshwaran Manoharan

Satheshwaran Manoharan is a Microsoft Exchange Server MVP, Publisher of CareExchange.in
Supporting/Deploying/Designing Microsoft Exchange for some years.
Extensive experience on Microsoft Technologies.
