Set Get-ADUser PasswordLastSet property


This topic contains 2 replies, has 3 voices, and was last updated 5 years, 1 month ago.

  • Author
  • #14911

    Hello all,

    I'm trying to create a script that will force specific domain users to have to reset their password earlier than the domain password policy. Unfortunately, due to our environment, our Domain functional level is only 2003, so we're unable to use Fine Grain Password policy. The main issue I'm running into is that, in an effort to be more polite to the end user rather than just forcing them on a certain day to have to reset their passwords, I'd like to change the date on their Password Last Set value so they can have the Windows notification pop up for them when they log in, as well as an email as a reminder.

    My problem is that I can't seem to modify the date in the property. It looks to be a system.datetime object and when I try what I assume would work...

    Set-ADUser dduck -Replace @{PWDLastSet="((Get-Date).AddDays(-85))"}

    I get an error message: The parameter is incorrect,Microsoft.ActiveDirectory.Management.Commands.SetADUser. Due to that error message I guess that it's not a problem with the date format, but that I'm not using the correct method.

    Any help would be greatly appreciated.

  • #14914

    Take a look at as a start. The attribute isn't actually a System.DateTime under the hood. In fact, might be better – it explains the underlying data type. You can probably use to figure out what you want to set it to.

  • #14917

    The PWDLastSet attribute is controlled by the system. You cannot set this, with two exceptions: you can set 0 and you can set -1. In order to achieve your requirements of different password expirations, you have essentially 2 options: FGPP and a separate domain. An option which isn't so elegant is to write a script which presents an annoying pop-up window every time they log on, but it will do little to enforce this. A better option is to upgrade to Windows 2008 R2 or greater on the domain controllers. Start now and go quickly; you have about one year left of extended support before 2003 goes end of life.
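
Added example, not part of the thread and not any poster's code: one way to get a stricter password age for selected users without back-dating pwdLastSet, by reading the attribute as the Int64 FILETIME it is and only ever writing the permitted value 0 (through -ChangePasswordAtLogon). The function names, the 60-day limit, the 14-day reminder window and the sample accounts other than dduck are assumptions made for illustration.

```powershell
# pwdLastSet is an Int64 FILETIME (100-ns ticks since 1601-01-01 UTC), not a DateTime.
function Get-PasswordAction {
    param(
        [Parameter(Mandatory)][long]$PwdLastSet,     # raw attribute value
        [Parameter(Mandatory)][datetime]$NowUtc,
        [int]$MaxAgeDays = 60,                       # assumed stricter limit for targeted users
        [int]$WarnDays   = 14                        # assumed reminder window before the limit
    )
    if ($PwdLastSet -eq 0) { return 'AlreadyFlagged' }   # 0 = must change at next logon
    $ageDays = ($NowUtc - [datetime]::FromFileTimeUtc($PwdLastSet)).TotalDays
    if ($ageDays -ge $MaxAgeDays)               { return 'ForceChange' }
    if ($ageDays -ge ($MaxAgeDays - $WarnDays)) { return 'Remind' }
    return 'None'
}

# Hypothetical wrapper for a live domain; needs the ActiveDirectory module. Try it with -WhatIf.
function Invoke-PasswordAgePolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SearchBase)     # OU holding the targeted users
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties pwdLastSet, mail |
        ForEach-Object {
            $action = Get-PasswordAction -PwdLastSet $_.pwdLastSet -NowUtc ([datetime]::UtcNow)
            if ($action -eq 'ForceChange' -and
                $PSCmdlet.ShouldProcess($_.SamAccountName, 'Require password change')) {
                # The one supported write: this sets pwdLastSet to 0.
                Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
            }
            # Rows with Action 'Remind' are the ones to e-mail.
            [pscustomobject]@{ User = $_.SamAccountName; Mail = $_.mail; Action = $action }
        }
}

# Constructed sample records standing in for Get-ADUser output, so this part runs offline.
$now = [datetime]::UtcNow
$sample = @(
    [pscustomobject]@{ SamAccountName = 'dduck';  pwdLastSet = $now.AddDays(-50).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'mmouse'; pwdLastSet = $now.AddDays(-75).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'goofy';  pwdLastSet = $now.AddDays(-3).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'pluto';  pwdLastSet = 0L }
)
foreach ($u in $sample) {
    '{0,-8} {1}' -f $u.SamAccountName,
        (Get-PasswordAction -PwdLastSet $u.pwdLastSet -NowUtc $now)
}
```

With the sample data the loop reports Remind for dduck, ForceChange for mmouse, None for goofy and AlreadyFlagged for pluto. Set-ADUser rejects -ChangePasswordAtLogon $true for accounts that have PasswordNeverExpires set, so exclude those from the search base.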
