Set Get-ADUser PasswordLastSet property

This topic contains 2 replies, has 3 voices, and was last updated by Profile photo of Robert McDonnell Robert McDonnell 2 years, 7 months ago.

  • Author
    Posts
  • #14911
    Profile photo of wenniss
    wenniss
    Participant

    Hello all,

    I'm trying to create a script that will force specific domain users to have to reset their password earlier than the domain password policy. Unfortunately, due to our environment our Domain functional level is only 2003 so we're unable to use Fine Grain Password policy. The main issue I'm running into is that in an effort to be more polite to the end user rather than just forcing them on a certain day to have to reset their passwords, to change the date on their Password Last Set value so they can have the windows notification pop up for them when they log in as well as an email as a reminder.

    My problem is that I can't seem to modify the date in the property. It looks to be a system.datetime object and when I try what I assume would work...


    Set-ADUser dduck -Replace @{PWDLastSet="((Get-Date).AddDays(-85))"}

    I get an error message : The parameter is incorrect,Microsoft.ActiveDirectory.Management.Commands.SetADUser. Due to that error message I guess that it's not an problem with the date format, but that I'm not using the correct method.

    Any help would be greatly appreciated.

  • #14914
    Profile photo of Don Jones
    Don Jones
    Keymaster

    Take a look at http://forums.techarena.in/active-directory/1298966.htm as a start. The attribute isn't actually a System.DateTime under the hood. In fact, http://msdn.microsoft.com/en-us/library/cc220785.aspx might be better – it explains the underlying data type. You can probably use http://chrisnowell.com/information_security_tools/date_converter/Windows_active_directory_date_converter.asp to figure out what you want to set it to.

  • #14917
    Profile photo of Robert McDonnell
    Robert McDonnell
    Participant

    The PWDLastSet attribute is controlled by the system. You cannot set this with two exceptions, you can set 0 and you can set -1. In order to achieve your requirements of different password expirations, you have essentially 2 options, FGPP and a separate domain. An option which isn't so elegant is to write a script which presents an annoying pop-up window every time they log on but it will do little to enforce this. A better option is to upgrade to Windows 2008 R2 or greater on the domain controllers. Start now and go quickly, you have about one year left of extended support before 2003 goes end of life.

You must be logged in to reply to this topic.