Activate "Password never expires" option for accounts whose "User must change password at next logon" option is disabled

  • A month ago, we forced a password change on all users. As you know, when you set the "User must change password at next logon" option, you have to disable the "Password never expires" option.

    Now I am beginning to receive warnings that passwords will expire in a week.

    I need to activate the "Password never expires" option for accounts whose "User must change password at next logon" option is disabled. That is, if "User must change password at next logon" = off (which means that the user has already changed his password according to the new security policies), then "Password never expires" = on.

    Please help me build a script for this.


    Tuesday, July 22, 2014 2:43 PM

All replies

  • Hi Jamal,

    why use a script for this? If your users' passwords should never expire (not recommended!), use Group Policy to set an appropriate policy. This would work for future user accounts as well (plus users that need to change their passwords should still be forced to do so).

    Setting the AD property for PasswordNeverExpires is not recommended.

    Anyway, if you want to do this on the command line, against best practice, read up on these two cmdlets:

    • Get-ADUser
    • Set-ADUser

    It's one line in the console.

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Tuesday, July 22, 2014 2:50 PM
  • You can do this most easily in ADUC by creating a custom query for all disabled accounts. You can then just select all results and toggle the switch.

    You can also use Search-ADAccount:

    # $null clears the account expiration date (Clear-ADAccountExpiration does the same)
    Search-ADAccount -AccountDisabled -UsersOnly | Set-ADUser -Enabled $true -AccountExpirationDate $null

    Are you sure you are not trying to "unlock" locked out accounts?


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, July 22, 2014 3:02 PM
    Tuesday, July 22, 2014 2:53 PM
  • Hi,

    All my users are enabled, and some of them, let's say 400 out of 500, already changed their password on the very next day after we implemented the policy. The remaining 100 have not changed their password yet.

    Now what I need is to enable the "Password never expires" option for those who already changed their password

    and keep "User must change password at next logon" for those who have not changed their password yet.

    Please help me

    Tuesday, July 22, 2014 3:21 PM
  • I think you need to learn how AD works. You are asking more than one thing. They are different. If you set "password change on login", then that cannot be altered by changing the expiration date. The expiration date only affects regular passwords. It does not affect the "password must be changed" setting. The "password change at login" setting does not affect the password expiration setting. You seem to have this a bit confused.


    ¯\_(ツ)_/¯

    Tuesday, July 22, 2014 3:29 PM
  • What he is asking is how he can determine which users have already changed their password and set them to password never expires. I could not find the must-change-password setting in Get-ADUser. However, a simple dsquery/dsget command will work:

    dsquery user -limit 0 | dsget user -dn -mustchpwd > mustchpwd.txt

    This will give you a text file with the user DN and yes or no. The ones showing "no" have already changed their password.

    You could then use the list of names to set password never expires using Get-ADUser and Set-ADUser as recommended above.

    jrussell97

    Tuesday, July 22, 2014 3:59 PM
  • No need for tricky stuff. If you want to see who has reset their password, just look for the expired flag.

    Get-ADUser -Filter "PasswordExpired -eq 'False'"

    This returns all users who have reset their passwords. This is how, along with another value, dsquery does it.

    Setting "Must change password" just sets the expired flag.


    ¯\_(ツ)_/¯

    Tuesday, July 22, 2014 4:18 PM
  • This method is actually better but still returns too many items. If you point it at an OU with users it will be more restrictive.

    Get-ADUser -LDAPFilter '(pwdLastSet=0)'


    ¯\_(ツ)_/¯


    • Edited by jrv Tuesday, July 22, 2014 4:28 PM
    Tuesday, July 22, 2014 4:27 PM
  • When I check a user that I know is required to change password and one that I know is not required, both have PasswordExpired set to False.

    PasswordExpired is not the same as must-change. Checking pwdLastSet would tell him if it was changed since he set them all to must-change, but he will have to compare the date.

    Tuesday, July 22, 2014 6:28 PM
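The identification step argued over in the last few replies, done in plain PowerShell, as an added example (not code from any poster in this thread). It uses pwdLastSet = 0 as the "must change password at next logon" marker, which is what the dsget mustchpwd column reports, dry-runs the Set-ADUser call with -WhatIf, and adds the date comparison the previous reply mentions. The ActiveDirectory RSAT module is assumed; $SearchBase and $ResetDate are placeholders for your own OU and the day the reset was forced.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory (RSAT)
# module and rights to change userAccountControl on the target OU.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=contoso,DC=com'   # assumption: replace with your user OU
$ResetDate  = Get-Date '2014-06-22'          # assumption: the day the reset was forced

# "User must change password at next logon" is stored as pwdLastSet = 0; this is
# the attribute dsget reads for its mustchpwd column. Anyone who has changed
# their password since the forced reset has a non-zero pwdLastSet. Note that
# brand-new accounts that never had a password set also show pwdLastSet = 0.
$stillMustChange = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter '(pwdLastSet=0)' -Properties PasswordNeverExpires)
$alreadyChanged  = @(Get-ADUser -SearchBase $SearchBase -LDAPFilter '(!(pwdLastSet=0))' -Properties PasswordLastSet, PasswordNeverExpires)

'Still must change: {0}; already changed: {1}' -f $stillMustChange.Count, $alreadyChanged.Count

# Sanity check: after a reset forced on everyone, every non-zero PasswordLastSet
# should be later than the reset date. Older dates mean the account was not part
# of that reset and deserves a second look before it gets a never-expiring password.
$suspect = @($alreadyChanged | Where-Object { $_.PasswordLastSet -lt $ResetDate })
if ($suspect.Count -gt 0) {
    'Accounts with a PasswordLastSet before the reset date:'
    $suspect | Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
}

# Review the candidates before changing anything.
$alreadyChanged |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Format-Table -AutoSize

# Set the flag only where it is not already set and the password was changed
# after the reset. -WhatIf prints what would be changed without touching AD;
# remove it once the list above looks right.
$alreadyChanged |
    Where-Object { (-not $_.PasswordNeverExpires) -and ($_.PasswordLastSet -ge $ResetDate) } |
    Set-ADUser -PasswordNeverExpires $true -WhatIf
```

The PasswordExpired property suggested earlier is not usable here because, as the previous reply found, it reads False for both groups; pwdLastSet is the attribute that actually changes when the user picks a new password.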
  • Thanks guys

    dsquery user -limit 0 | dsget user -dn -mustchpwd > mustchpwd.txt really helped me, and I fixed the issue.

    Thanks


    Thursday, July 24, 2014 12:10 PM
  • Thanks. dsquery helped me to find the users and I fixed the issue using the following:

    # list every user's DN, UPN and must-change-password flag
    dsquery user -limit 0 | dsget user -dn -upn -mustchpwd >> c:\Users.txt

    # check the current state of the flag for all users
    Get-ADUser -Filter * -Properties UserPrincipalName, PasswordNeverExpires | Format-Table UserPrincipalName, PasswordNeverExpires

    # expects c:\users.txt to contain one DN per line (the rows whose mustchpwd column was "no")
    Get-Content "c:\users.txt" | Set-ADUser -PasswordNeverExpires $true

    Thursday, July 24, 2014 12:12 PM
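The last step above pipes the dsget text file straight into Set-ADUser, which only works once the file has been cut down to bare DNs. The following is an added example (not the poster's code) that parses the table dsget writes, a header row, one row per user with the DN, UPN and yes/no column, and a "dsget succeeded" footer, and passes only the DNs of users whose mustchpwd column is "no" to Set-ADUser, with a dry run first. The file path and the exact column layout are assumptions about dsget's output; rows without a UPN are skipped because the regex requires one.

```powershell
# Added example, not the poster's code. Parses the file produced by
#   dsquery user -limit 0 | dsget user -dn -upn -mustchpwd > C:\Users.txt
# and sets PasswordNeverExpires only on users whose mustchpwd column is "no".
Import-Module ActiveDirectory

$Path = 'C:\Users.txt'   # assumption: the file written by the dsget command above

# Each data row is assumed to look like:
#   <dn, which may contain spaces>   <upn>   <yes|no>
# The DN is matched lazily and the UPN must contain "@", so spaces inside a DN
# such as "CN=John Doe,OU=Users,..." stay with the DN. The header row and the
# "dsget succeeded" footer do not start with CN= and are ignored.
$rowPattern = '^\s*"?(?<dn>CN=.+?)"?\s+(?<upn>\S+@\S+)\s+(?<must>yes|no)\s*$'

$rows = @(Get-Content -Path $Path | ForEach-Object {
    if ($_ -match $rowPattern) {
        [pscustomobject]@{
            DN         = $Matches.dn
            UPN        = $Matches.upn
            MustChange = ($Matches.must -eq 'yes')
        }
    }
})

$alreadyChanged = @($rows | Where-Object { -not $_.MustChange })
$stillPending   = @($rows | Where-Object { $_.MustChange })

'Parsed {0} users: {1} already changed, {2} still must change' -f $rows.Count, $alreadyChanged.Count, $stillPending.Count

# Review who is about to get a never-expiring password.
$alreadyChanged | Select-Object UPN, DN | Format-Table -AutoSize

# Dry run first; remove -WhatIf to apply. Only the DN is passed, never the raw line.
$alreadyChanged | ForEach-Object {
    Set-ADUser -Identity $_.DN -PasswordNeverExpires $true -WhatIf
}
```

If a DN or UPN in the file does not parse, that user is silently left out of both groups, so compare $rows.Count against the number of lines dsget reported before applying the change.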