Determine When Users Have Changed Their BPOS-S Password - All Users Must Change BEFORE BPOS Transition

  • General discussion

  • As your BPOS company comes closer to being transitioned into Office 365, each online company administrator must verify that each of their users has changed their password, in order to synchronize these passwords into Office 365. Doing this will ensure that once the company is transitioned, the users will use the same password in the new Office 365 environment.

    To help Online Administrators, they should first download the latest Microsoft Mailbox Transporter Tool, which includes updated PowerShell scripts, which can be used to query (Get-MSOnlineUser) BPOS-S for user password changes, allowing you to determine which users have not changed their password. You can then reach out to them and ask for them to change OR you can use the Set-MSOnlineUser command to set a password for them, which will then be synchronized into Office 365!

    Resources:

    1. Download the latest Microsoft Transporter Suite Tool: http://www.microsoft.com/download/en/details.aspx?displayLang=en&id=5015
    2. Learn more about the updated Get-MSOnlineUser and Set-MSOnlineUser: http://www.microsoft.com/online/help/en-us/helphowto/337f0b2d-facf-4e2d-8d4c-58ae5bab80c9.htm
    Note - You cannot simply upgrade your existing Microsoft Online Mail Migration Tool, you will need to uninstall, reboot and install the new updated Mail Migration Tool.  To learn more, please click here:  http://social.technet.microsoft.com/Forums/en-US/bpostransition/thread/312cdddf-d20a-404b-8f1f-275f52cd75cd
    • Changed type Ryanph [MSFT] Thursday, January 12, 2012 7:48 PM
    • Edited by Ryanph [MSFT] Thursday, February 2, 2012 12:12 AM update regarding change in steps
    Thursday, January 12, 2012 5:39 PM

All replies

  • Hello Ryanph,

    Thanks for this information. I am, however, having problems getting it to work, even after updating our copy of the Microsoft Transporter Suite Tool. I am getting this error:

    Set-MSOnlineUserPassword : Cannot validate argument on parameter 'Password'. Th
    e argument is null or empty. Supply an argument that is not null or empty and t
    hen try the command again.
    At line:1 char:121
    + Get-MSOnlineUser -Credential $Cred -enabled | where {$_.PasswordLastSetDate
    -lt "12/1/2011"} | Set-MSOnlineUserPassword <<<< -Credential $Cred -ChangePass
    wordOnNextLogon $true
    + CategoryInfo : InvalidData: (Microsoft.Excha...osoftOnlineUser:
    PSObject) [Set-MSOnlineUserPassword], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Excha
    nge.Transporter.PSI.SetXsMicrosoftOnlineUserPassword

     

    I have successfully run $Cred = Get-Credential first, it prompted me for my admin credentials which I provided. But after running the 2nd line of your example above, I receive that error.

    Any ideas?

    Thank you,

    Ted

    Tuesday, January 24, 2012 8:56 PM
  • Sorry Ted, I completely forgot the -Password command :-) So once you issue a -Set-MSOnlineUserPassword you must use the -Password command which sets the user's password to something. Using the additional -ChangePasswordOnNextLogon $True, this obviously forces the user to change it before they can login. You could leave the last part off and just tell all the users their password is "xxx" and since the password was set, it WILL be synchronized into Office 365 and be ready for use for these users. Of course if they change it to something else, that password will be synchronized into 365 and be used post-transition. Up to you on how you want to use this... sorry about the missing piece :-)


    Example for determining which users have not changed their BPOS-S password since December 1, 2011.  You can use this example PowerShell script once you updated your Microsoft Online Transporter Suite and can modify either the date range or any of the other conditions/parameters to meet your needs:

    Find All Users Who Have Not Changed Passwords Since 12/1/2011 and Change Password to "P@ssw0rd1" and Force to Change at Next Logon

    $Cred = Get-Credentials [enter your BPOS Administrator account credentials]

    Get-MSOnlineUser -Credential $Cred -enabled | where {$_.PasswordLastSetDate -lt "12/1/2011"} | Set-MSOnlineUserPassword -Password "P@ssw0rd1" -Credential $Cred -ChangePasswordOnNextLogon $true



    The above will query the BPOS Microsoft Online Directory Services (MSODS) for users who have NOT changed their password since December 1st, 2011.  Anyone in this PowerShell (in-memory) list will then be piped to the Set-MSOnlineUserPassword and change these users passwords to "P@ssw0rd1" and instruct MSODS to force the user to change their password during their next login.  Of course you will need to tell these users that their password has changed to P@ssw0rd1, as they will need this to change their password!

    Note - If you want to run the following, it will give you the list, and then you can run the full command to set the password for these users.  This way you will have a list of people that you need to contact with their new password:



    GET LIST OF USERS WHO HAVE NOT CHANGED THEIR PASSWORDS SINCE DECEMBER 1, 2011

    $Cred = Get-Credentials [enter your BPOS Administrator account credentials]

    Get-MSOnlineUser -Credential $Cred -enabled | where {$_.PasswordLastSetDate -lt "12/1/2011"} | FL Identity

     

    Note - In order to use the above updated Get-MSOnlineUser cmdlets you must upgrade your BPOS Mail Migration machine to use the latest Migration Tool.  If you have downloaded and attempted to update/upgrade your older Migration Tool application, you may find errors when issuing the Get-MSOnlineUser command.  Please refer to the following post, which explains how to resolve this issue:  http://social.technet.microsoft.com/Forums/en-US/bpostransition/thread/312cdddf-d20a-404b-8f1f-275f52cd75cd



    HTH


    Transitions Community Lead ...Ryan J. Phillips
    Wednesday, January 25, 2012 12:29 AM
  • Excellent, thanks!  This is the piece I needed.   Process works great.   Appreciate the help.
    Wednesday, January 25, 2012 3:25 PM
  • I am new to PowerShell and have run the script above, which works perfectly; however, I receive the following: 'there are more result available than are currently displayed. To view them increase the value for the maximum number of results to display'. Can you please provide the code I would use to display all results?

    Thanks

    Wednesday, May 2, 2012 1:20 PM
  • Like this to increase to 500 results.

    Get-MSOnlineUser -Credential $Cred -ResultSize 500 -enabled | where {$_.PasswordLastSetDate -lt "12/1/2011"} | FL Identity

    Monday, May 7, 2012 7:39 PM
  • $Cred = Get-Credentials will fail -- the command is Get-Credential
    Monday, June 4, 2012 10:45 PM
  • If I run the following command as you have listed, will this suffice in triggering the Office 365 Migration?

    And what if the user has not logged in yet to change the password before the migration?

    Also, what if I just set the password and set require "ChangePasswordOnNextLogon $false", will this be enough to trigger/complete the migration process without having to login to the new Office 365 portal for my end users?

    Find All Users Who Have Not Changed Passwords Since 12/1/2011 and Change Password to "P@ssw0rd1" and Force to Change at Next Logon

    $Cred = Get-Credential
    Get-MSOnlineUser -Credential $Cred -enabled | where {$_.PasswordLastSetDate -lt "12/1/2011"} | Set-MSOnlineUserPassword -Password "P@ssw0rd1" -Credential $Cred -ChangePasswordOnNextLogon $true

    Thanks,
    Sal


    "I am not discouraged, because every wrong attempt discarded is another step forward." Thomas Edison

    Thursday, June 7, 2012 8:49 PM
  • Sal,

    As long as the password is modified, whether by the user or by a powershell cmdlet, the password is then synced to O365.

    If a user does not log in prior to the transition, it will not affect anything as long as the password has not expired in O365 (90 days after being set/changed).  If the user doesn't have their BPOS password post-transition, they won't be able to log into the Sign in Client (SIC) and have their Outlook profile automatically redirected to O365.  This will mean you will need to remove the registry keys put in place by the SIC, manually, as well as manually reconfigure the Outlook profile (unless you want to create a NEW profile and redownload all email again).

    Have a great day,

    Dan


    www.insecurityinc.info

    Thursday, June 14, 2012 3:49 PM
  • Is the password change just for users who have passwords that are about to expire? I changed my BPOS password about a month ago and can currently login to Office365 with that password. Is it necessary for me to change my password?

    Thanks,

    John


    John W.

    Tuesday, June 19, 2012 7:43 PM
  • EVERY user needs to change their password once since, basically, January 1st of this year.  They will also need to make sure their passwords don't expire during the transition period so that they can login to the BPOS Sign in client (SIC) at least once post-transition, for the mailbox reconfiguration to point their profile to O365.

    Have a great day,

    Dan


    www.insecurityinc.info

    Tuesday, June 19, 2012 8:08 PM
  • Hi all, I found out an interesting tidbit on using these PowerShell commands and wanted to let everyone know what I found:

    For BPOS administrators who like to use PowerShell, specifically for password management, you may have found that certain PowerShell commands work while others do not.  Specifically there are different parameters that can be used to check for whether a user has changed their Password since xx/xx/xxxx and perform certain tasks, such as setting the password and/or forcing the user to change their password at next logon.

    For example, if you use the following command you will find that the PowerShell command states that the parameter -Password is missing and must be included in order to properly run:

    Failure

    • Get-MSOnlineUser -Identity testuser@domain.com | Set-MSOnlineUserPassword -ChangePasswordOnNextLogon $true

    However if you run the Set-MSOnlineUserPassword separately you CAN use the -ChangePasswordOnNextLogon without needing to use the -Password parameter, thereby not needing to change the password, but instead simply force the user to change the password the next time they login to BPOS Services:

    Success

    So if you simply need to force users to change their password at next logon, use the above PowerShell command against BPOS. However, if you need to change the user's password in addition to forcing a password change, the Get & Set commands can be used together to perform this task. Just make sure you use the -Password parameter when performing this particular task.

    Hope this helps clarify what parameters are required and when to use one over another.


    Transitions Community Lead ...Ryan J. Phillips

    Wednesday, August 15, 2012 2:22 AM
  • Thanks again for all your effort. It's comforting to hear from someone who has already gone through the process.
    Thursday, September 13, 2012 1:49 AM
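
Added example, not posted by anyone in this thread: the list-then-reset procedure discussed above, changed so that each stale account receives its own random temporary password instead of one shared value, with the assignments written to a CSV for contacting users. It uses only the cmdlets and parameters shown in the thread; the `New-TempPassword` helper, the report path, the 16-character length and the character set are assumptions made for illustration.

```powershell
# Added example. Assumes the updated Transporter Suite cmdlets from this thread are loaded.
$Cred   = Get-Credential                      # BPOS administrator account
$Cutoff = [datetime]'2011-12-01'              # cutoff date used in the thread
$Report = 'C:\Temp\bpos-temp-passwords.csv'   # hypothetical path; holds plaintext, protect and delete it

# Hypothetical helper: random password from the OS CSPRNG.
function New-TempPassword([int]$Length = 16) {
    # Look-alike characters (0/O, 1/l/I) are left out so users can type the value.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $byte  = New-Object byte[] 1
    # Reject bytes at or above the largest multiple of the alphabet size (no modulo bias).
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $sb = New-Object System.Text.StringBuilder
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
        $pw = $sb.ToString()
        # Assumed complexity rule: at least one upper-case, one lower-case, one digit.
    } until ($pw -cmatch '[A-Z]' -and $pw -cmatch '[a-z]' -and $pw -match '[0-9]')
    return $pw
}

# Enabled users whose password predates the cutoff (-ResultSize as shown in the thread).
$stale = @(Get-MSOnlineUser -Credential $Cred -Enabled -ResultSize 500 |
    Where-Object { $_.PasswordLastSetDate -lt $Cutoff })

$rows = foreach ($user in $stale) {
    $temp = New-TempPassword
    # Same pipeline binding as the thread's one-liner, one user at a time.
    $user | Set-MSOnlineUserPassword -Password $temp -Credential $Cred `
        -ChangePasswordOnNextLogon $true | Out-Null
    $user | Select-Object Identity, @{ Name = 'TempPassword'; Expression = { $temp } }
}

$rows | Export-Csv -Path $Report -NoTypeInformation
```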