How Can I Cause a User’s Password to Expire?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I cause a user’s password to expire?

-- GB

Hey, Scripting Guy! Answer

Hey, GB. You know, one thing people dislike about politicians is that any time you ask them a question many politicians will give you an answer to a different question. Even worse, if you press them on that point they’ll tell you that there’s a good reason why they did that: after all, it’s for your own good.

What does that have to do with the Hey, Scripting Guy! column? Well, instead of answering the question you asked, we’re going to answer a different question. But don’t worry: it’s for your own good.

So why is this for your own good? Well, we’re assuming there’s only one reason why you’d want to expire a user’s password: you want the user to have to change that password the next time they log on. You wouldn’t expire a password in order to prevent a user from logging on; if you don’t want a user logging on then you should disable or delete the user account. We want to force a user to change their password the next time they log on, and there’s an easier way to do that than by changing the password expiration date. All you have to do is run this little script instead:

Set objUser = GetObject("LDAP://CN=myerken,OU=Finance,DC=Fabrikam,DC=com")

objUser.pwdLastSet = 0
objUser.SetInfo

That’s right: there really isn’t much to it, is there? We begin by binding to the user account in Active Directory; that’s what this line of code is for:

Set objUser = GetObject("LDAP://CN=myerken,OU=Finance,DC=Fabrikam,DC=com")

Having done that, we then set the value of the pwdLastSet attribute to 0. pwdLastSet is an attribute that stores the date and time that the password for a given account was last set. If pwdLastSet is equal to 0 the user will have no choice but to change their password the next time they log on. In other words, without having to mess around with dates and times we’ve essentially “expired” their password: their current password will have to be changed the next time they log on. We set pwdLastSet to 0, then call the SetInfo method to write the change back to Active Directory.
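To make the pwdLastSet semantics concrete from the defender's side, here is an added Python model (not code from the column) of how a domain controller reads pwdLastSet together with the domain's maxPwdAge and the userAccountControl "password never expires" bit, and of the write rule that only 0 or -1 are accepted from an ordinary caller (the -1 convention, meaning "stamp with the current time", is Active Directory behaviour the column does not mention). The account records at the bottom are constructed sample data.

```python
from datetime import datetime, timedelta, timezone
# AD stores pwdLastSet and maxPwdAge as 64-bit counts of 100-nanosecond intervals:
# pwdLastSet counts up from the FILETIME epoch (1601-01-01 UTC); maxPwdAge is negative.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit: password never expires
NEVER = -(2 ** 63)             # maxPwdAge value meaning "no maximum age"

def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def write_pwd_last_set(requested: int, now: datetime) -> int:
    """Model the directory's rule for writes to pwdLastSet: 0 forces a change at
    next logon (what the column's script does), -1 means "stamp with the current
    time"; any other value is rejected for an ordinary caller."""
    if requested == 0:
        return 0
    if requested == -1:
        return datetime_to_filetime(now)
    raise ValueError("pwdLastSet accepts only 0 or -1 from a normal writer")

def password_status(pwd_last_set: int, max_pwd_age: int, uac: int, now: datetime) -> str:
    """Classify one account the way the DC does at logon."""
    if pwd_last_set == 0:
        return "must-change-at-next-logon"
    if uac & DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER):
        return "never-expires"
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative age
    return "expired" if now >= expires_at else "valid"

def audit(accounts, max_pwd_age: int, now: datetime) -> dict:
    """Map sAMAccountName -> status for attribute dicts such as an LDAP export."""
    return {a["sAMAccountName"]: password_status(a["pwdLastSet"], max_pwd_age,
                                                a["userAccountControl"], now)
            for a in accounts}

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)
    max_age_42d = -42 * 86_400 * 10_000_000              # constructed domain maxPwdAge
    jan1 = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    sample = [                                           # constructed accounts, not real data
        {"sAMAccountName": "kenmyer", "pwdLastSet": jan1, "userAccountControl": 0x200},
        {"sAMAccountName": "svc-backup", "pwdLastSet": jan1, "userAccountControl": 0x200 | DONT_EXPIRE_PASSWD},
        {"sAMAccountName": "newhire", "pwdLastSet": 0, "userAccountControl": 0x200},
    ]
    print(audit(sample, max_age_42d, now))
```

Feeding it the real pwdLastSet, userAccountControl and maxPwdAge values from a directory export gives a quick list of accounts already in the forced-change state and of those whose passwords have silently expired.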

Incidentally, you can do the same sort of thing with local user accounts using a script like this:

strComputer = "atl-win2k-01"
Set objUser = GetObject("WinNT://" & strComputer & "/kenmyer")

objUser.PasswordExpired = 1
objUser.SetInfo

In this script, we bind to the Ken Myer account on the computer atl-win2k-01 and then set the value of the PasswordExpired attribute to 1. We call the SetInfo method and, voilà: the next time Ken Myer logs on to this computer he’ll have to change his password.

So there you have it: we answered a question, even though it might not have been the exact question we were asked. Hopefully this will help: the last time we tried giving answers that didn’t match the questions was on our SAT test. That one didn’t work out too well.

  • How do I actually set it to a date or number of days before expiration?

  • Nope... not what I need to do.

    I want to test our VPN's ability to allow password management... and I can't wait until the password expires on the account I'm using and I don't want to build an OU and GPO, etc. or can't because I'm not in the AD group.  

  • Great script.  Can you answer Andrea's question?  Also, how do I implement a loop to get all the users in a certain OU and set the value for pwdLastSet?  Please let me know.  Thank you.

  • An answer to the original question would have been more helpful here....

  • We need to test our GP behavior when passwords are expiring so for testing purposes it would help to have the answer to the original question.

  • Usually, there is great information here.

    This answer missed the point. We can read the standard documentation about 0 or 1 in this field.

    We need some way to manipulate the expiration date, generally, for *testing* purposes.

    ...jlg

  • It fails for me:

    PS C:\Windows\system32> Set objUser = GetObject("LDAP://CN=Max Allan,OU=Users,DC=domain,DC=local")
    Set-Variable : A positional parameter cannot be found that accepts argument 'GetObject'.
    At line:1 char:1
    + Set objUser = GetObject("LDAP://CN=Max Allan,OU=Users,DC=domain,DC=local")
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Set-Variable], ParameterBindingException
        + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetVariableCommand

    What am I missing?

    (Sorry I am a newb at powershell)

  • Max Allan: This is Visual Basic Script, not PowerShell. Paste it into a VBS file, and it should do the trick. Provided you updated the distinguished name for the user in question.

  • So there's plenty of reasons to want to set a password to expire for security testing. It'd be nice to know how to modify the password expiration date.

  • thank you

  • I see a number of people that have posted asking the question. You CANNOT change the account password expiration value to anything but 0 or -1. I wanted to change the date to a specific date. AD will not allow anyone but the system to change the value to something other than 0 or -1.

  • Replace the OU in the first line with CN; the script then runs fine.

    Set objUser = GetObject("LDAP://CN=myerken,CN=Finance,DC=Fabrikam,DC=com")

    objUser.pwdLastSet = 0
    objUser.SetInfo