The password policy, which is enabled by default in Active Directory, sets a maximum age for a user’s password. If the password age exceeds this value, it is considered expired, and the user must change it at the next login.
The administrator can extend the password expiration date when a domain user cannot change their expired password (for example, when a user connects to a corporate network via VPN or RDS) without enabling the Password never expires option for the account.
Use PowerShell to check the expiration date of the user’s password in AD:
Get-ADUser -Identity e.herrmann -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, PasswordNeverExpires, PasswordExpired |Select-Object -Property Name,PasswordLastSet, PasswordNeverExpires, PasswordExpired,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
In this case, the user’s password has expired( PasswordExpired=True ). The password expiration date is stored in a computed attribute named msDS-UserPasswordExpiryTimeComputed. This attribute’s value is calculated based on the value of the pwdLastSet parameter and the resulting password policy that applies to the user.
Get-ADUser e.herrmann -Properties pwdLastSet | select SamAccountName,@{Name="pwdLastSet";Expression={[datetime]::FromFileTime($_.pwdLastSet)}}
The pwdLastSet attribute contains the date in millisecond format (Windows NT time). However, it can take one of the following special values:
- 0 – reset the
pwdlastsetvalue (means the password was never set) - -1 – reset the user password change date to the current time
To change the value of the user attribute, use the Set-ADUser PowerShell cmdlet. First, you have to set 0 and then -1.
Set-ADUser e.herrmann -Replace @{pwdLastSet='0'}
Set-ADUser e.herrmann -Replace @{pwdLastSet='-1'}
Now let’s check the user’s password change and expiration dates. The password change date has been changed to the current date, and the user’s password expiration date has been extended.
This method of extending user passwords can also be used if you plan to enable a domain password expiration policy after user passwords have been set to never expire or the PasswordNeverExpires option has been enabled. Enabling this policy will force all users to change their passwords simultaneously, potentially disrupting work processes Before applying this policy, extend the password expiration date for all users as instructed.
2 comments
#for one user
import-module activedirectory
#Change my.user with the target user account.
$username = “user.name”
#This command will get the current PwdLastSet value.
$User = Get-ADUser $username -properties pwdlastset
#Display the current password last set date (convert date to human readable):
[datetime]::fromFileTime($user.pwdlastset)
#Change the user’s pwdlastset attribute to 0
$User.pwdlastset = 0
#Apply the changes against the object
Set-ADUser -Instance $User
#Change the user’s pwdlastset attribute to -1
$user.pwdlastset = -1
#Apply the changes against the object
Set-ADUser -instance $User
#Read again the value from AD
$User = Get-ADUser $username -properties pwdlastset
#Current password last set date, it should be displaying today (convert date to human readable):
[datetime]::fromFileTime($user.pwdlastset)
##for all in OU
Import-Module ActiveDirectory
$ADUserParams=@{
‘Searchbase’ = ‘OU=Users,DC=domain,DC=local’
‘Filter’ = ‘*’
‘Properties’ = ‘cn’,’sn’,’givenname’,’displayName’,’mail’,’description’,’UserPrincipalName’, ’employeeNumber’, ‘profilepath’, ‘title’
}
$ADUsers = Get-ADUser @ADUserParams
ForEach ($ADUser in $ADUsers) {
$ADUser = Get-ADUser $ADUser -properties pwdlastset
$ADUser.pwdlastset = 0
Set-ADUser -Instance $ADUser
$ADUser.pwdlastset = -1
Set-ADUser -instance $ADUser
Get-ADUser -Identity $ADUser -Properties PwdLastSet | Select-Object -Property “Name”, @{n=”PwdLastSet”;e={[datetime]::FromFileTime($_.”PwdLastSet”)}}
}