Hi All, I was wondering if you can help with a script which will expire all users' passwords in Active Directory in 2 days?
Thanks
I hope all is well.
This will give you the basic information to do what you are looking for, and a bit more if you want, BUT... you will have to read the post AND go through the script to see how it works and adapt it to your specific needs.
https://thesysadminchannel.com/powershell-script-check-password-expirations-in-active-directory/
Good Luck !!!
Cheers,
Adam
@Adam-Gordon Thanks for the response. I've had a look at the script and it doesn't really show how I can force expire user passwords in a few days in AD?
Thanks
Is there a need to use PowerShell? My first thought was why not use Group Policy?
The default domain policy is where we configure the password settings for the domain. You would simply set the "Maximum password age" to 2 days.
Also, I don't believe you can modify a GPO setting (except registry preferences) using PowerShell. You can perform GPO administrative tasks, like create a policy, remove a policy, backup a policy, etc., but not configure a policy setting. You can retrieve the current value for Maxpassword age using PowerShell with
(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
Here are the available PowerShell cmdlets for working with Group Policy.
https://docs.microsoft.com/en-us/powershell/module/grouppolicy/?view=win10-ps
Notice the limited Set-* cmdlets.
Hope this helps.
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
@Mike-Rodrick Thanks for the reply.
Was looking to expire everyone's passwords so they get a reminder to change in the next two days. This is just a one-time thing, which is why I'm not changing the group policy settings.
There is already a script in place to send out reminders to users for when their passwords are due to expire in 4 days. Just need to force expire with a two-day reminder.
Maybe you could combine something like this with your existing reminder script.
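# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
# Every user under the Production OU
$users = Get-ADUser -Filter * -SearchBase "OU=Production,OU=Employees,DC=ITPROTVDEMO,DC=COM" -Properties accountExpirationDate
$now = Get-Date
$expire = $now.AddDays(3)
foreach ($user in $users) {
    # Sets the expiration date of the account itself
    Set-ADUser -Identity $user -AccountExpirationDate $expire
}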
This would set the expiration date on the selected accounts to two days from the current date. You could change $now to be a specific date instead of the current date if you wanted to expire the accounts two days from a specific date. The adddays(3) looks odd, but in my experimentation it seems to need an extra day to get the intended results.
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
Another script you might find useful
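# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
$now = Get-Date
$users = Get-ADUser -Filter * -SearchBase "OU=Production,OU=Employees,DC=ITPROTVDEMO,DC=COM" -Properties passwordlastset
foreach ($user in $users) {
    $last = $user.PasswordLastSet
    # PasswordLastSet is empty when the account must already change its password
    # at next logon (or never had one set); New-TimeSpan would fail on $null
    if ($null -eq $last) { continue }
    $diff = New-TimeSpan -Start $last -End $now
    if ($diff.Days -gt 2) {
        # Password is older than two days: require a change at next logon
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
}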
This will check to see if a user has changed their password in the last two days. If not, it will force them to change their password at next logon.
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
Sorry, my first script is expiring the account, not what you wanted.
Mike Rodrick
Edutainer, ITProTV
**if the post above has answered the question, please mark the topic as solved.
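A pre-flight version of the ChangePasswordAtLogon script from the thread, added here as an example and not written by any of the posters. It reports what would happen to each enabled account and runs Set-ADUser with -WhatIf unless -Apply is passed. The parameter names ($SearchBase, $Days, $Apply) and the decision to skip accounts whose password never expires (typically service accounts) are assumptions of this example; the OU is the one used in the thread's scripts.

```powershell
# Added example, not from the thread. Dry run by default: pass -Apply to make changes.
param(
    [string]$SearchBase = "OU=Production,OU=Employees,DC=ITPROTVDEMO,DC=COM",  # OU from the thread
    [int]$Days = 2,       # assumption: same threshold as the thread's script
    [switch]$Apply        # assumption: hypothetical switch for this example
)
Import-Module ActiveDirectory

$now   = Get-Date
$props = 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
$never = [Int64]::MaxValue   # value AD returns when the password never expires

$report = foreach ($user in Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $props) {
    # Computed expiry honours fine-grained password policies, unlike the domain default alone
    $raw = [Int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -gt 0 -and $raw -ne $never) { [datetime]::FromFileTime($raw) } else { $null }

    $action = if ($user.PasswordNeverExpires) {
        'Skip: password never expires'
    } elseif ($null -eq $user.PasswordLastSet) {
        'Skip: already must change at logon'
    } elseif (($now - $user.PasswordLastSet).Days -gt $Days) {
        'Force change at next logon'
    } else {
        'Skip: changed recently'
    }

    [pscustomobject]@{
        SamAccountName    = $user.SamAccountName
        PasswordLastSet   = $user.PasswordLastSet
        CurrentExpiry     = $expires
        Action            = $action
        DistinguishedName = $user.DistinguishedName
    }
}

# Review this table before running again with -Apply
$report | Sort-Object Action, SamAccountName |
    Format-Table SamAccountName, PasswordLastSet, CurrentExpiry, Action -AutoSize

# -WhatIf stays on unless -Apply was given, so a plain run changes nothing
$report | Where-Object Action -eq 'Force change at next logon' | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -ChangePasswordAtLogon $true -WhatIf:(-not $Apply)
}
```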