How can I reset date for password change via PowerShell script?

  • Question

  • We had a security incident last week and we forced everyone to change their passwords. This affected 3,000 user accounts and we do not want to have to deal with the pain of all the users at once needing to change their passwords. How can I use a CSV file to change the expiration date for a determined set of users so we can space the password changes out over a couple of weeks? I am trying to use the following script to test the idea on a single user account but this is not working.

    Set-ADAccountPassword -Identity timetest1 -TimeSpan 10

    I want to make the time frame of the password change seem seamless to the end users so we can move on from the incident politely.

    Thursday, March 30, 2017 5:11 PM


  • You cannot assign a date in the future (or a timespan) when the password will expire. You can only expire the password immediately. You expire a password by either configuring "must change password at next logon" in ADUC, or assigning 0 to the pwdLastSet attribute (which is what ADUC does when you configure the setting).

    You could schedule a task, or run a script manually, say every few days or weeks, to expire the passwords of a block of users at a time. Communication with users is advised, as they will not get any usual warning that their password is about to expire.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by Natedgreat Thursday, March 30, 2017 5:23 PM
    Thursday, March 30, 2017 5:20 PM
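
The staggered approach described in the answer, as an added example that is not part of the original thread: a script meant to run daily (for instance from a scheduled task) that sets pwdLastSet to 0 only for the users whose block date has arrived. The CSV layout (columns SamAccountName and ExpireOn), the parameter names and the sample row are assumptions made for this example.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed CSV header: SamAccountName,ExpireOn   constructed sample row: timetest1,2017-04-10
    [Parameter(Mandatory)][string]$CsvPath,
    [datetime]$Today = (Get-Date).Date
)

foreach ($row in Import-Csv -Path $CsvPath) {
    # Parse the block date strictly so a malformed row fails loudly instead of being guessed
    $expireOn = [datetime]::ParseExact($row.ExpireOn, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    if ($expireOn -gt $Today) { continue }              # this user's block is not due yet

    try {
        $user = Get-ADUser -Identity $row.SamAccountName `
            -Properties pwdLastSet, PasswordLastSet, PasswordNeverExpires -ErrorAction Stop
    } catch {
        Write-Warning "Lookup failed for $($row.SamAccountName): $($_.Exception.Message)"
        continue
    }

    if (-not $user.Enabled) {
        Write-Verbose "$($user.SamAccountName): account disabled, skipped"
        continue
    }
    if ($user.PasswordNeverExpires) {
        # Such accounts cannot be forced to change at next logon; report them instead
        Write-Warning "$($user.SamAccountName): PasswordNeverExpires is set, skipped"
        continue
    }
    if ($user.pwdLastSet -eq 0) { continue }             # already expired by an earlier run
    if ($user.PasswordLastSet -ge $expireOn) { continue } # already changed on or after the block date

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Set pwdLastSet to 0 (expire password now)')) {
        # Same effect as ticking "must change password at next logon" in ADUC
        Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            Block          = $expireOn.ToString('yyyy-MM-dd')
            ExpiredAt      = Get-Date
        }
    }
}
```

Running it with -WhatIf first lists the accounts that would be expired without changing anything. The PasswordLastSet check keeps a daily run from expiring the same user again after they have already changed their password for their block.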

All replies