Mark Minasi's Tech Forum
meloao

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 93
Reply with quote  #1 
Hi All,

We have a number of users where the Password Never Expires is turned on.  These users have not logged into the domain in years  (for example pwdLastSet attribute is set to 10/30/217).  

We want to clean up these accounts.  From my understanding turning off the flag will immediately lock these accounts.   Obviously this should be avoided so what we need to do is give users say 30 days to change their password.   Our group policy prompts users to change their passwords every 6 months. 

I did see research around the net and came across this: 

https://community.spiceworks.com/scripts/show/3906-bulk-modify-ad-password-last-set-date

I'm not sure if this script would apply for me.  If so, what would I set for the $days variable, keeping in mind the 6 month password prompt in GP? 
cj_berlin


Senior Member
Registered:
Posts: 371
Reply with quote  #2 
Quote:
Originally Posted by meloao

We want to clean up these accounts.  From my understanding turning off the flag will immediately lock these accounts.   Obviously this should be avoided so what we need to do is give users say 30 days to change their password.   Our group policy prompts users to change their passwords every 6 months. 


Hi,

Clearing the flag will NOT lock the accounts, but the users will be prompted to change their password immediately upon the next logon, and authentication attempts that cannot offer a password change will fail (NLA in RDP, some web services etc.).

To give the users a month to change the password, you would need to set pwdLastSet to 5 months ago. In terms of raw data, it would be the value of

(Get-Date).AddMonths(-5).ToFileTime()

which you would have to inject into your user objects. The problem is, you can only assign 0 (never) and -1 (current datetime) to pwdLastSet using the official APIs. So you can do one of two things (not counting 'unofficial' API, i.e. hacking your own AD):
  • you live with those users having 6 months to change their password instead of 30 days
  • you define a fine-grained password policy expiring their passwords in 30 days and apply it to those users. You then monitor their password changes and evict them from the group the FGPP is tied to as soon as they have changed their respective password

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
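The second option above, written out as an added example with the ActiveDirectory module (this is not code from the thread or from either poster): reset the password age using the only two values pwdLastSet accepts through supported APIs, clear the never-expires flag, put the user under a 30-day fine-grained password policy via a group, and run a daily pass that removes users from that group once they have actually changed their password, returning them to the regular 6-month domain policy. The policy, group and ledger-file names, and the one-year staleness threshold, are assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the thread's own script. Names below are hypothetical.
$PolicyName  = 'FGPP-Stale-NeverExpire-30d'
$GroupName   = 'PSO-Stale-NeverExpire-30d'
$StaleBefore = (Get-Date).AddYears(-1)   # assumed threshold for "not logged on in years"
$LedgerPath  = Join-Path $env:ProgramData 'stale-pwd-enrollment.csv'

function Get-StaleNeverExpireUser {
    # Enabled accounts whose password never expires and was last set before $StaleBefore.
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
               -Properties PasswordLastSet, pwdLastSet |
        Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt $StaleBefore }
}

function New-ThirtyDayPolicy {
    # One-off setup: a PSO with a 30-day maximum age, applied through a security group
    # so that users can be added and removed individually.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PolicyName'")) {
        New-ADFineGrainedPasswordPolicy -Name $PolicyName -Precedence 10 `
            -MaxPasswordAge '30.00:00:00' -MinPasswordAge '0.00:00:00' `
            -MinPasswordLength 12 -ComplexityEnabled $true -PasswordHistoryCount 24 `
            -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00' `
            -ReversibleEncryptionEnabled $false `
            -Description 'Temporary 30-day expiry for formerly never-expiring accounts'
    }
    if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
        New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
            -Description "Subjects of $PolicyName"
    }
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $PolicyName).Name
    if ($subjects -notcontains $GroupName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $GroupName
    }
}

function Reset-PasswordAge {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # Supported APIs accept only 0 ("must change at next logon") and -1 ("now") for
    # pwdLastSet. Writing 0 and then -1 in two separate operations makes the password
    # look freshly set, so no max-age policy expires it immediately.
    Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = -1 }
}

function Add-StaleUserToPolicy {
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $sam = $User.SamAccountName
        # Order matters: reset the age first, then clear the flag, then apply the PSO.
        Reset-PasswordAge -SamAccountName $sam
        Set-ADUser -Identity $sam -PasswordNeverExpires $false
        Add-ADGroupMember -Identity $GroupName -Members $sam
        # Record when the 30-day clock started, so the monitor can tell a real change apart.
        [pscustomobject]@{ SamAccountName = $sam; EnrolledAt = (Get-Date).ToString('o') } |
            Export-Csv -Path $LedgerPath -Append -NoTypeInformation
    }
}

function Update-PolicyMembership {
    # Run daily: a PasswordLastSet later than enrollment (plus slack for the reset itself)
    # means the user changed their password, so they leave the group and the PSO.
    if (-not (Test-Path $LedgerPath)) { return }
    $remaining = foreach ($row in Import-Csv $LedgerPath) {
        $u = Get-ADUser -Identity $row.SamAccountName -Properties PasswordLastSet
        $cutoff = ([datetime]$row.EnrolledAt).AddMinutes(5)
        if ($u.PasswordLastSet -and $u.PasswordLastSet -gt $cutoff) {
            Remove-ADGroupMember -Identity $GroupName -Members $u.SamAccountName -Confirm:$false
            Write-Verbose "$($u.SamAccountName) changed password; back to domain policy"
        } else {
            $row   # still under the 30-day PSO
        }
    }
    $remaining | Export-Csv -Path $LedgerPath -NoTypeInformation
}

# Usage (as an account allowed to write pwdLastSet and manage the group):
#   New-ThirtyDayPolicy
#   Get-StaleNeverExpireUser | Add-StaleUserToPolicy
#   Update-PolicyMembership          # schedule daily until the ledger is empty
# Get-ADUserResultantPasswordPolicy -Identity <sam> shows which PSO currently wins.
```

The staleness filter keys on PasswordLastSet rather than logon timestamps, matching how the question was framed; anyone who wants "not logged on in years" instead can add LastLogonDate to the filter. Group membership changes take effect on the user's next logon, which is also when the 30-day expiry starts being enforced against them.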
meloao

New Friend (or an Old Friend who Built a New Account)
Registered:
Posts: 93
Reply with quote  #3 
Thanks so much Evgenij!  It seems like the best solution is to create a FGPP. 
Pieter


Senior Member
Registered:
Posts: 278
Reply with quote  #4 
Maybe this trick can be of help:
https://blogs.technet.microsoft.com/389thoughts/2016/11/04/how-admins-can-cheat-at-changing-their-password/

__________________
Pieter Demeulemeester