Tuesday, March 19, 2024

Force Expire the password using Change Password at Next Logon

There are many scenarios in which you may want to force users to change their passwords:

  • As a precautionary measure to secure accounts after an attack.
  • When any sort of infection is found in the network. It is always recommended to reset the users' passwords.
  • To mitigate a phishing attack in which multiple users entered their credentials on an unknown link.

To Set Change Password at next logon for a Specific Organizational Unit (OU) using PowerShell

Get-ADUser -Filter * -SearchBase "OU=0000-000,OU=01 Users,DC=adp,DC=ae" -Properties * | Set-ADUser -ChangePasswordAtLogon $true -Verbose


To skip users who changed their password in the last two days, exclude the current day and the previous day (here, 10/24/2018 and 10/25/2018):

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { ($_.PasswordLastSet -notlike "10/24/2018*") -and ($_.PasswordLastSet -notlike "10/25/2018*") }


To skip users who changed their password in the last two days (the current day and the previous day) and also skip users who already have Change Password at Next Logon checked:

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { ($_.PasswordLastSet -notlike "10/24/2018*") -and ($_.PasswordLastSet -notlike "10/25/2018*") -and ($_.pwdlastset -notlike "0") }

Note: If Change Password at Next Logon is checked, pwdlastset will be set to "0".


To skip users who changed their password in the last two days (the current day and the previous day), users who already have Change Password at Next Logon checked, and users where Password Never Expires is checked:

Note: Change Password at Next Logon cannot be applied to accounts where Password Never Expires is set to true.

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { ($_.PasswordLastSet -notlike "10/24/2018*") -and ($_.PasswordLastSet -notlike "10/25/2018*") -and ($_.pwdlastset -notlike "0") -and ($_.passwordneverexpires -notlike "$true") }
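
The three exclusions above combined into one reusable filter, as an added example that is not part of the original post. It goes slightly beyond the commands above by comparing PasswordLastSet as a DateTime against a cutoff instead of matching a formatted date string, and by supporting -WhatIf; the function names Select-ResetCandidate and Set-OuChangePasswordAtLogon and the sample accounts are assumptions made for illustration.

```powershell
# Added example. Select-ResetCandidate and Set-OuChangePasswordAtLogon are hypothetical names.
function Select-ResetCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Cutoff = (Get-Date).Date.AddDays(-1)   # start of yesterday
    )
    process {
        # pwdLastSet = 0: "change password at next logon" is already checked
        if ($User.pwdLastSet -eq 0) { return }
        # The flag cannot be applied while "password never expires" is set
        if ($User.PasswordNeverExpires) { return }
        # Compare as DateTime instead of matching a formatted date string
        if ($null -ne $User.PasswordLastSet -and $User.PasswordLastSet -ge $Cutoff) { return }
        $User
    }
}

function Set-OuChangePasswordAtLogon {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [datetime] $Cutoff = (Get-Date).Date.AddDays(-1)
    )
    Import-Module ActiveDirectory -ErrorAction Stop
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties PasswordLastSet, pwdLastSet, PasswordNeverExpires |
        Select-ResetCandidate -Cutoff $Cutoff |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DistinguishedName, 'Set ChangePasswordAtLogon')) {
                Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
            }
            # Emit the account either way so the run can be reviewed or logged
            $_ | Select-Object SamAccountName, PasswordLastSet
        }
}

# Constructed sample objects (not real accounts) to exercise the filter without a domain
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      PasswordLastSet = $now.AddDays(-40);  pwdLastSet = 1; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';        PasswordLastSet = $now.AddHours(-3);  pwdLastSet = 1; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol';      PasswordLastSet = $null;              pwdLastSet = 0; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = $now.AddDays(-400); pwdLastSet = 1; PasswordNeverExpires = $true }
)
$sample | Select-ResetCandidate | ForEach-Object SamAccountName

# Against a domain, preview the change first:
# Set-OuChangePasswordAtLogon -SearchBase 'OU DISTINGUISHED NAME' -WhatIf
```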


To List Users where Password Never Expires is Checked on a Specific Organizational Unit

Get-ADUser -Filter * -SearchBase "OU DISTINGUISHED NAME" -Properties * | Where-Object { $_.passwordneverexpires -like "$true" }


Finding the distinguishedName for an OU using Active Directory Users and Computers


Satheshwaran Manoharan