Disable Account That Has Had The Password Reset but User Has Not Logged in and Changed Password

Pretty much as it says, if we reset an account, tick the box for the user to change password on Logon and they have not done that in 24 hrs, can we then disable the account again.

Sure, but there is no ChangePasswordOnLogon property in AD Get-ADUser command, but in the Set-ADUser there is?

A little googling found this

http://richardspowershellblog.wordpress.com/2012/02/07/discovering-users-that-must-change-their-password/

Couple of issues:

  1. We have to assume that the last time the account was changed, was when the users account was set to force them to change their password on logon.
  2. Whatever domain controller we are requesting this info from, its information will always be up to a replication cycle out , so any changes to a usr account in the last (say an hour) may not be replicated to the DC you are querying

So with a  bit of tweaking:

 


#
$Today = Get-Date
$Yesterday = $Today.AddDays(-1)
$UsersToDisable = Get-ADUser -Filter {pwdLastSet -eq 0} -properties *
foreach ($item in $UsersToDisable)
{
 if (($item.whenChanged  -le $Today )  -and ($item.whenChanged  -gt $Yesterday ))
 {
  Write-host $item.name "Password reset in last 24 hours" $item.whenChanged  $item.PasswordExpired $item.pwdLastSet
 }
 else
 {
 
 }
   
}

#

So this gives us accounts that have been changed today and have the “Change Account on Logon” checked

If you wanted to modify it to list accounts older than 24 hrs then we have to change the line

if (($item.whenChanged  -le $Today )  -and ($item.whenChanged  -gt $Yesterday ))

to

if ($item.whenChanged  -le $Yesterday)
 

Leave a comment

Your email address will not be published. Required fields are marked *