
I ran into an interesting situation where pretty much all domain accounts did not follow the default password policy and had the 'password never expires' option checked. I needed to fix this immediately without impacting the users or expiring any accounts in a way that might affect the business.

I needed to adjust the password age for all domain accounts so that they follow the password aging policy. Typically a password age policy is up to 90 days. PowerShell to the rescue:

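Import-Module ActiveDirectory

# Enumerate every user object under the domain root
$list= Get-ADUser -SearchBase "DC=yourdomain,DC=local" -Properties samaccountname -Filter *
foreach ($entry in $list) {
	$sam = $entry.samaccountname 
 
	# Re-read the account with pwdLastSet from a specific domain controller
	$todouser = Get-ADUser $sam -Properties pwdLastSet -Server yourdomaincontroller.local
     
	# 0 marks the password as expired (must change at next logon)
	$todouser.pwdLastSet = 0 
	Set-ADUser -Instance $todouser 
     
	# -1 sets pwdLastSet to the current time, restarting the password age clock
	$todouser.pwdLastSet = -1 
	Set-ADUser -Instance $todouser 
}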

So now all the accounts have a password age of 1 day. Time to uncheck that 'password never expires' box. I wanted some service and system accounts to keep 'password never expires', so I needed to work with a filtered set.

I grabbed the accounts I wanted and was able to save them in a .CSV file.

change.csv contents:

SamAccountName
Aespinoza
ahernandez
aray

Now to perform the task on each account:

import-csv C:\ServerCleanup\change.csv | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$FALSE}
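
One way to build change.csv and rehearse the change before applying it, as an added example that is not part of the original post. The service-account exclusion rule (a hypothetical "Service Accounts" OU, or any account with a servicePrincipalName) and the -before.csv snapshot file are assumptions to adjust for your directory.

```powershell
Import-Module ActiveDirectory

# Assumptions (not from the original post): service accounts live under this OU
# or carry a servicePrincipalName; adjust both to match your directory.
$searchBase = 'DC=yourdomain,DC=local'
$serviceOu  = 'OU=Service Accounts,DC=yourdomain,DC=local'   # hypothetical OU
$csvPath    = 'C:\ServerCleanup\change.csv'
$beforePath = $csvPath -replace '\.csv$', '-before.csv'

# Enabled accounts that currently have 'password never expires' set.
$candidates = Get-ADUser -SearchBase $searchBase `
    -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, servicePrincipalName

# Keep service and system accounts out of the change list.
$toChange = $candidates | Where-Object {
    $_.DistinguishedName -notlike "*,$serviceOu" -and
    @($_.servicePrincipalName).Count -eq 0
}

# Snapshot the current state for review and rollback, then write the change list.
$toChange |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires |
    Export-Csv -Path $beforePath -NoTypeInformation
$toChange | Select-Object SamAccountName |
    Export-Csv -Path $csvPath -NoTypeInformation

# Dry run: -WhatIf reports what would change without writing to the directory.
Import-Csv $csvPath | ForEach-Object {
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf
}

# After the real run (same command without -WhatIf), list any account on the
# change list that still has the flag set. No output means the change took.
Import-Csv $csvPath | ForEach-Object {
    Get-ADUser -Identity $_.SamAccountName -Properties PasswordNeverExpires
} | Where-Object PasswordNeverExpires | Select-Object SamAccountName
```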

Hope this helps if you run into a similar situation.
