Remove Active Directory User Accounts Expired Status

Today I came across an issue where one of our clients was not able to get user passwords from expired status. Nearly thousand of their users never login to the on-site company network so don’t ever get the opportunity to change it on site. Since most of the Microsoft products lack the functionality to change it externally – for instance ForeFront products we had to come up with a solution.

When you run the powershell command-let Get-ADUser wo get the properties there is an attribute named -PasswordExpired. Once this attribute is set to “True” you are unable to set it to “False” due to restrictions in Active Directory for security reasons. However there is a way to trick Active Directory by resetting the pwdLastSet atrribute. This attribute is set to the date when the last password change has been executed. This starts a timer which last for the configured period based on your GPO. By resetting the pwdLastSet attribute with this PowerShell script Active Directory will update this attribute with the timestamp the cmd-let has been executed, so it timer starts over again.

This will give the opportunity to your end-users to extend their password expiration term while their off-site. The script is cut in to two steps.

Step 1: Generate a CSV-file with all the AD users and determine their -PasswordExpired status.

Get-ADUser -filter * -properties passwordexpired | sort-object name | select-object Name, passwordexpired | Export-csv -path c:\temp\expired_users.csv -Delimiter “;” -NoTypeInformation

Step 2: Run the PowerShell script to reset te timer of the -pwdLastSet attribute.

Import-CSV -Path c:\temp\expired_users.csv -Delimiter “;” | % {
if ($_.passwordexpired -eq ‘True’)
{
$user = Get-ADUser $_.SamAccountName -properties pwdlastset
$user.pwdlastset = 0

Set-ADUser -Instance $user
$user.pwdlastset = -1

Set-ADUser -instance $user
}
}

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s