Ran into an interesting situation where pretty much all domain accounts did not follow the default password policy and had the option of ‘password never expires’ checked. I needed to fix this immediately without impacting the users or expiring any accounts that may affect the business.
I needed to adjust the password age for all domain accounts so that they follow the password aging policy. Typically a password age policy is up to 90 days. PowerShell to the rescue:
```powershell
Import-Module ActiveDirectory

# Every user object under the domain root
$list = Get-ADUser -SearchBase "DC=yourdomain,DC=local" -Properties samaccountname -Filter *

foreach ($entry in $list) {
    $sam = $entry.samaccountname
    $todouser = Get-ADUser $sam -Properties pwdLastSet -Server yourdomaincontroller.local

    # 0 marks the password as expired; -1 then sets pwdLastSet to the current time
    $todouser.pwdLastSet = 0
    Set-ADUser -Instance $todouser
    $todouser.pwdLastSet = -1
    Set-ADUser -Instance $todouser
}
```
So now all the accounts have a password age of 1 day. Time to uncheck that ‘password never expires’ box. Now, for some service and system accounts I wanted them to have ‘password never expires’, so I needed to work with a filtered set.
I grabbed the accounts I wanted and was able to save them in a .CSV file.
change.csv contents:
```text
SamAccountName
Aespinoza
ahernandez
aray
```
Now to perform the task on each account:
```powershell
Import-Csv C:\ServerCleanup\change.csv | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$FALSE
}
```
Hope this helps if you run into a similar situation.
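A read-only check to run before the steps above, added here as an example and not part of the original post: it lists enabled accounts that still have ‘password never expires’ set, flags the ones whose password would already be past the maximum age once the box is unchecked, and then dry-runs the change.csv update with `-WhatIf`. It assumes only the default domain password policy applies (no fine-grained policies); the `change-review.csv` output file is a hypothetical name, and the domain and controller names are the post's placeholders.

```powershell
# Added example: audit plus dry run. No account is modified by this script.
Import-Module ActiveDirectory

# Placeholders taken from the post; change-review.csv is a hypothetical output file.
$searchBase = 'DC=yourdomain,DC=local'
$server     = 'yourdomaincontroller.local'
$outFile    = 'C:\ServerCleanup\change-review.csv'

# MaxPasswordAge is a TimeSpan; zero means the default policy never expires passwords.
# Assumption: fine-grained password policies are not in use.
$maxAge = (Get-ADDefaultDomainPasswordPolicy -Server $server).MaxPasswordAge
$now    = Get-Date

$report = Get-ADUser -SearchBase $searchBase -Server $server `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordLastSet, PasswordNeverExpires, ServicePrincipalName |
    ForEach-Object {
        # PasswordLastSet is $null when pwdLastSet is 0 (change required at next logon).
        $age = if ($_.PasswordLastSet) { $now - $_.PasswordLastSet } else { $null }
        [pscustomobject]@{
            SamAccountName   = $_.SamAccountName
            PasswordLastSet  = $_.PasswordLastSet
            PasswordAgeDays  = if ($null -ne $age) { [int]$age.TotalDays } else { $null }
            # True when the account would be expired as soon as the flag is cleared,
            # unless pwdLastSet is reset first.
            ExpiresOnUncheck = ($null -eq $age) -or
                               ($maxAge -gt [TimeSpan]::Zero -and $age -gt $maxAge)
            # Accounts with an SPN are often service accounts; review before changing them.
            HasSPN           = ($_.ServicePrincipalName.Count -gt 0)
        }
    }

# Oldest passwords first, on screen and in a CSV for review.
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $outFile -NoTypeInformation

# Dry run of the change.csv update: -WhatIf prints each change without applying it.
Import-Csv C:\ServerCleanup\change.csv | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$false -Server $server -WhatIf
}
```

Rows with `HasSPN` set to True are candidates for the exclusion list of service and system accounts mentioned above.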