Set Password expiration date to 27/04/2017 for AD user (via PowerShell)

    Question

  • Hi,

    I want to set password expiration date of particular User.

    I have tried to change the pwdLastSet value to 0 & -1 and the date has been changed to today's date. So the expiration date is coming on 09/06/2017 because it's calculating from the Maximum Password Age policy (45 days).

    Requirement: Need to change the password expiration date for a particular AD user to 27/04/2017 through a PowerShell script. So, I need to change the pwdLastSet value to the respective date.

    GPO Policy: Maximum Password Age is set to 45 days.




    Sugandh




    Tuesday, April 25, 2017 5:55 AM

Answers

  • Hi Wendy,

    Sorry for the late reply. The actual requirement, that I can change the password expiration to a specific date, is not fulfilled, and the customer also didn't accept FGPP. So we went with a different, non-technical approach to remove the "password never expires" option for users.

    We informed users to change their passwords on a specific date and removed the "password never expires" option the very next day.


    Sugandh

    Thursday, April 12, 2018 11:21 AM

All replies

  • Hi,
    As far as I know, in AD, password expiration dates are typically defined by a domain-wide GPO and cannot be overridden. This is a security feature that applies to the whole domain.
    However, in AD DS there is also a newer concept, Fine-Grained Password Policies (FGPP), which allows you to specify a different password policy for different groups/users. In this case, you could apply a new Maximum Password Age setting for this user, then set the password expiration date to see if it helps.
    For deploying FGPP, you can see the details at:
    AD DS: Fine-Grained Password Policies
    https://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
    Step-by-Step: Enabling and Using Fine-Grained Password Policies in AD
    https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Nedim Mehic Friday, April 28, 2017 9:48 AM
    Friday, April 28, 2017 7:08 AM
    Moderator
  • To add to Wendy's reply, you can only assign 0 and -1 to the pwdLastSet attribute. You cannot assign values that correspond to any arbitrary dates. The only option is a FGPP applied to a group that defines a maxPwdAge for members of the group.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Proposed as answer by Nedim Mehic Friday, April 28, 2017 9:49 AM
    Friday, April 28, 2017 9:36 AM
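
The FGPP route described in the two replies above, as an added example that is not code from any poster in this thread: since expiry is pwdLastSet plus the effective maxPwdAge, it derives the maximum age that makes the password expire on the target date and applies it through a PSO linked to a group. The user, group and policy names are hypothetical placeholders, and the precedence value 10 is an assumption.

```powershell
# Added example. $user, $group and $policyName are hypothetical placeholders.
Import-Module ActiveDirectory

$user       = 'jdoe'
$group      = 'PwdExpiry-20170427'
$policyName = 'PSO-Expire-20170427'
$target     = [datetime]'2017-04-27T00:00:00'   # desired expiry, local time

# pwdLastSet is a FILETIME; 0 means "must change password at next logon".
$u = Get-ADUser $user -Properties pwdLastSet, PasswordNeverExpires
if ($u.PasswordNeverExpires) { throw "$user has 'password never expires' set; no maxPwdAge applies." }
if ($u.pwdLastSet -eq 0)     { throw "$user must change password at next logon; nothing to compute." }
$lastSet = [datetime]::FromFileTime($u.pwdLastSet)

# Expiry = pwdLastSet + maxPwdAge, so the PSO needs maxPwdAge = target - pwdLastSet.
$maxAge = $target - $lastSet
if ($maxAge -le [timespan]::Zero) { throw "Target $target is not after pwdLastSet ($lastSet)." }

# Copy every other setting from the domain policy so only the maximum age differs.
# The minimum age must stay below the maximum age, so drop it to zero if needed.
$d      = Get-ADDefaultDomainPasswordPolicy
$minAge = if ($d.MinPasswordAge -lt $maxAge) { $d.MinPasswordAge } else { [timespan]::Zero }

New-ADFineGrainedPasswordPolicy -Name $policyName -Precedence 10 `
    -MaxPasswordAge $maxAge -MinPasswordAge $minAge `
    -MinPasswordLength $d.MinPasswordLength `
    -PasswordHistoryCount $d.PasswordHistoryCount `
    -ComplexityEnabled $d.ComplexityEnabled `
    -ReversibleEncryptionEnabled $d.ReversibleEncryptionEnabled `
    -LockoutThreshold $d.LockoutThreshold `
    -LockoutDuration $d.LockoutDuration `
    -LockoutObservationWindow $d.LockoutObservationWindow

# A PSO applies to users or global security groups, not to OUs.
New-ADGroup -Name $group -GroupScope Global -GroupCategory Security
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $group
Add-ADGroupMember -Identity $group -Members $user

# Verify which policy wins for the user and what expiry AD now computes.
Get-ADUserResultantPasswordPolicy $user | Select-Object Name, MaxPasswordAge
$exp = (Get-ADUser $user -Properties 'msDS-UserPasswordExpiryTimeComputed').'msDS-UserPasswordExpiryTimeComputed'
[datetime]::FromFileTime($exp)
```

The PSO's maximum age keeps applying to every later password change by members of the group, so take the user out of the group once the password has been changed.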
  • Hi,

    Was your issue resolved? If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions. If not, please reply and tell us the current situation so that we can provide further help.
    Best Regards,

    Wendy



    Friday, May 5, 2017 12:22 PM
    Moderator