Tag: password

  • Set password never to expire for users in a particular domain (Bulk mode)

    Let me start by saying that I don’t recommend doing this at all.

    Password Never Expires is bad security practice, but there are situations that might require it.

    I had a similar request on how this could be done.

    Setting it for multiple users:

    # Connect to Office 365
    Import-Module MSOnline
    $O365Cred = Get-Credential
    $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection
    Import-PSSession $O365Session
    Connect-MsolService -Credential $O365Cred

    # Get the list of users that belong to the second domain
    $SDusers = Get-MsolUser -All -DomainName "yourseconddomain.com"

    # Set the password to never expire (pass the UPN string, not the whole user object)
    ForEach ($SDuser in $SDusers)
    {
        Set-MsolUser -UserPrincipalName $SDuser.UserPrincipalName -PasswordNeverExpires $true
    }

    Checking the setting for a single user:

    Get-MSOLUser -UserPrincipalName [email protected] | Select PasswordNeverExpires
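
    Before running a bulk change like the loop above, it helps to record which accounts will actually change and to keep specific accounts out of scope. The following is an added example, not part of the original post; `Get-NeverExpiresPlan`, the alice/bob/admin users and the CSV file name are assumptions, and the sample objects are constructed.

```powershell
# Added example; Get-NeverExpiresPlan is a hypothetical helper, not an MSOnline cmdlet.
function Get-NeverExpiresPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Users,   # objects shaped like Get-MsolUser output
        [string[]] $ExcludeUpn = @()                # accounts that must keep expiring
    )
    foreach ($u in $Users) {
        if ($ExcludeUpn -contains $u.UserPrincipalName) { continue }
        if ($u.PasswordNeverExpires) { continue }   # already set, no change needed
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            OldValue          = [bool]$u.PasswordNeverExpires   # $null is recorded as False
            NewValue          = $true
        }
    }
}

# Constructed sample input so the logic can be checked without a tenant.
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@yourseconddomain.com'; PasswordNeverExpires = $false }
    [pscustomobject]@{ UserPrincipalName = 'bob@yourseconddomain.com';   PasswordNeverExpires = $true  }
    [pscustomobject]@{ UserPrincipalName = 'admin@yourseconddomain.com'; PasswordNeverExpires = $null  }
)
$plan = Get-NeverExpiresPlan -Users $sample -ExcludeUpn 'admin@yourseconddomain.com'
$plan | Format-Table

# Against the tenant (after Connect-MsolService), keep the plan as a rollback record
# before applying it:
# $plan = Get-NeverExpiresPlan -Users (Get-MsolUser -All -DomainName "yourseconddomain.com")
# $plan | Export-Csv .\neverexpires-before.csv -NoTypeInformation
# $plan | ForEach-Object {
#     Set-MsolUser -UserPrincipalName $_.UserPrincipalName -PasswordNeverExpires $true
# }
```

    With the sample data only alice appears in the plan: bob already has the flag set and admin is excluded.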

     

  • Get PasswordAge for users in a particular domain

    In Office 365, if you have more than one domain in a subscription, there are times when you may want to get the password age for the users of one of those domains.

    In my case, it was to check which users are covered by and meeting policy, and to get the remaining users addressed.

    Get-MsolUser -All -DomainName "yourdomainname.com" | select DisplayName, LastPasswordChangeTimeStamp,@{Name="PasswordAge";Expression={(Get-Date)-$_.LastPasswordChangeTimeStamp}}

    The output will be similar to:

  • Change the password age in bulk for Active Directory accounts

    Ran into an interesting situation where pretty much all domain accounts did not follow the default password policy and had the option of ‘password never expires’ checked. I needed to fix this immediately without impacting the users and expiring any accounts that may affect the business.

    I needed to adjust the password age for all domain accounts so that they follow the password aging policy. Typically a password age policy is up to 90 days. PowerShell to the rescue:

    Import-Module ActiveDirectory

    # All user accounts under the domain root
    $list = Get-ADUser -SearchBase "DC=yourdomain,DC=local" -Properties samaccountname -Filter *
    foreach ($entry in $list) {
        $sam = $entry.samaccountname

        $todouser = Get-ADUser $sam -Properties pwdLastSet -Server yourdomaincontroller.local

        # 0 marks the password as expired ...
        $todouser.pwdLastSet = 0
        Set-ADUser -Instance $todouser

        # ... and -1 then stamps pwdLastSet with the current time, restarting the password age
        $todouser.pwdLastSet = -1
        Set-ADUser -Instance $todouser
    }

    Now that all the accounts have a password age of 1 day, it is time to uncheck that ‘password never expires’ box. For some service and system accounts I wanted password never expires to stay set, so I needed to work with a filtered set.

    I grabbed the accounts I wanted and was able to save them in a .CSV file.

    change.csv contents:

    SamAccountName
    Aespinoza
    ahernandez
    aray

    Now to perform the task on each account:

    import-csv C:\ServerCleanup\change.csv | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$FALSE}
    

    Hope this helps if you run into a similar situation.
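
    The post does not show how the filtered list in change.csv was built. One way to produce it is sketched below as an added example, not the author's method: it keeps enabled accounts that have the flag set, skips an explicit keep list and anything with a service principal name, and reports the password age. `Select-ExpiryCleanupCandidate`, `svc-backup`, `sqlsvc` and `olduser` are assumptions, and the sample objects are constructed.

```powershell
# Added example; Select-ExpiryCleanupCandidate is a hypothetical helper, not an AD cmdlet.
function Select-ExpiryCleanupCandidate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,   # shaped like Get-ADUser output
        [string[]] $Keep = @()                             # SamAccountNames that stay exempt
    )
    process {
        if (-not $User.Enabled)              { return }    # disabled: out of scope
        if (-not $User.PasswordNeverExpires) { return }    # already follows the policy
        if ($Keep -contains $User.SamAccountName) { return }
        if ($User.ServicePrincipalName)      { return }    # has an SPN: treat as service account
        $age = if ($User.PasswordLastSet) {
            [math]::Floor(((Get-Date) - $User.PasswordLastSet).TotalDays)
        } else { $null }                                   # password was never set
        [pscustomobject]@{ SamAccountName = $User.SamAccountName; PasswordAgeDays = $age }
    }
}

# Constructed sample accounts so the filter can be checked without a domain.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Aespinoza';  Enabled = $true;  PasswordNeverExpires = $true
                       PasswordLastSet = $now.AddDays(-400); ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'ahernandez'; Enabled = $true;  PasswordNeverExpires = $false
                       PasswordLastSet = $now.AddDays(-30);  ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true;  PasswordNeverExpires = $true
                       PasswordLastSet = $now.AddDays(-900); ServicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'sqlsvc';     Enabled = $true;  PasswordNeverExpires = $true
                       PasswordLastSet = $now.AddDays(-700)
                       ServicePrincipalName = @('MSSQLSvc/sql01.yourdomain.local:1433') }
    [pscustomobject]@{ SamAccountName = 'olduser';    Enabled = $false; PasswordNeverExpires = $true
                       PasswordLastSet = $now.AddDays(-1200); ServicePrincipalName = @() }
)
$sample | Select-ExpiryCleanupCandidate -Keep 'svc-backup' | Format-Table

# Against the domain, write the reviewed list to the CSV used above:
# Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase "DC=yourdomain,DC=local" `
#     -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
#     Select-ExpiryCleanupCandidate -Keep 'svc-backup' |
#     Export-Csv C:\ServerCleanup\change.csv -NoTypeInformation
```

    With the sample data only Aespinoza is selected. Adding -WhatIf to the Set-ADUser call in the Import-Csv line shows what would change before anything is written.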

  • Bulk removal of Password Never Expires checkbox in AD

    No one intends this, but it is a problem that sooner or later you will come across in your system administrator career.

    I’ve seen this resolved many different ways, but I like to narrow it down to a particular OU. Depending on your case you may want to clean this up across the board in AD.

    Here is command prompt to the rescue:

    dsquery user "OU=Microsoft,DC=Redmond,DC=CORP,DC=LOCAL" -limit 4000 | dsmod user -pwdneverexpires no

    I haven’t tried this, but some have said the following works in PowerShell:

    For OU:

    Get-ADUser -Filter {(ObjectClass -eq "user")} -SearchBase "OU=Offices,DC=Contoso,DC=com" | Set-ADUser -PasswordNeverExpires:$FALSE

    For AD:

    Get-ADUser -Filter {(ObjectClass -eq "user")} | Set-ADUser -PasswordNeverExpires:$FALSE
  • Remove Password Expiration

    Many customers ask me how they can remove password expiration in their Office 365 environment. This can be achieved with the PowerShell commands below:

    1. First make sure the execution policy is set to RemoteSigned. You can do this by opening PowerShell as administrator and running: Set-ExecutionPolicy RemoteSigned
    2. Next, run the following to authenticate yourself and import the PowerShell commands into your local session:
      $LiveCred = Get-Credential
      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
      Import-PSSession $Session
    3. Get-MsolUser | Format-Table UserPrincipalName,DisplayName,PasswordNeverExpires