Set account to expire on midnight
A customer asked that Active Directory accounts be forced to expire at midnight or during the night, not during the day. So I created the following script to do so:
```powershell
Import-Module ActiveDirectory

# All users in the OU, with the attributes needed to compute password expiry
$UserList = Get-ADUser -Filter * -SearchBase "OU=USERS,DC=domain,DC=local" `
    -Properties "DisplayName", "PasswordLastSet", "PasswordNeverExpires"
$Today = Get-Date
$MaxPasswdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

ForEach ($User in $UserList) {
    # Skip accounts with no password age to compute (password never set, or set to never
    # expire); Set-ADUser -ChangePasswordAtLogon fails on PasswordNeverExpires accounts anyway.
    If ($User.PasswordNeverExpires -or -not $User.PasswordLastSet) { Continue }

    $ExpireDate   = $User.PasswordLastSet + $MaxPasswdAge
    $DaysToExpire = (New-TimeSpan -Start $Today -End $ExpireDate).Days

    # Run at 23:55, "1 day" means the password would otherwise expire between tomorrow
    # night and the night after; forcing the change now makes it take effect at midnight.
    If ($DaysToExpire -eq 1) {
        Set-ADUser -Identity $User -ChangePasswordAtLogon $true
    }
}
#EOF
```
This script runs every day at 23:55 as a scheduled task. Note that it uses the default domain password policy; if fine-grained password policies apply to some users, their actual maximum password age may differ.
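Before scheduling a job like this, it is worth previewing which accounts it would touch. The script below is an added example, not the original post's script: it reads the DC-computed expiry time (msDS-UserPasswordExpiryTimeComputed) instead of adding MaxPasswordAge to PasswordLastSet, so fine-grained password policies are honoured, and it supports -WhatIf so the selection can be checked without changing anything. The OU path, the script name and the 24-hour window after the next midnight are assumptions for illustration.

```powershell
# Added example (not from the original post): preview, and optionally apply, the
# "force change at midnight" rule using the expiry time the DC computes per user.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = "OU=USERS,DC=domain,DC=local",   # assumed OU, as in the post
    [int]$Hours = 24                                        # assumed window after the next midnight
)
Import-Module ActiveDirectory

# Window: from the next midnight until $Hours later, i.e. "would expire tomorrow during the day"
$Now       = Get-Date
$Midnight  = $Now.Date.AddDays(1)
$WindowEnd = $Midnight.AddHours($Hours)

$Users = Get-ADUser -Filter * -SearchBase $SearchBase `
    -Properties DisplayName, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

ForEach ($User in $Users) {
    $Raw = $User.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = already flagged "must change at next logon"; Int64.MaxValue = never expires
    If ($User.PasswordNeverExpires -or -not $Raw -or $Raw -eq [int64]::MaxValue) { Continue }

    $Expiry = [datetime]::FromFileTime($Raw)
    If ($Expiry -ge $Midnight -and $Expiry -lt $WindowEnd) {
        $Target = "{0} ({1}) expires {2:yyyy-MM-dd HH:mm}" -f $User.SamAccountName, $User.DisplayName, $Expiry
        # With -WhatIf this only prints the target; without it the change is applied
        If ($PSCmdlet.ShouldProcess($Target, "Force password change at next logon")) {
            Set-ADUser -Identity $User -ChangePasswordAtLogon $true
        }
    }
}
```

Run it as `.\Preview-Expiry.ps1 -WhatIf` (hypothetical file name) from the 23:55 task context to list the accounts that would be flagged tonight; drop -WhatIf once the list looks right.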
I found a couple of examples of how to change the pwdLastSet attribute on an AD user object, but I don't like that. I think this is a cleaner way to do it.
Have a nice day,