Expand lifetime of a user's password

Hello,

I wanted to know if it’s possible to expand the lifetime of a user’s password with PowerShell?

Let me explain: I had a PSO that used to set the max password age for all users to 180 days, but everyone had the “password never expire” option set.

Now, I have removed the PSO and removed the option from every user.

I need to set half of my users with a PSO of 90 days, but now that their passwords had expired while the last PSO was here, they will be asked to change their password and I don’t want this.

I don’t know if you understand what I mean by this, but to keep it short: can PowerShell (and maybe you) help me with modifying such a parameter as password lifetime?

Thanks to those who will read it!

Hello Noka40,

I’m not sure what you mean by PSO and I’m not sure I understand your question, but if you want to have two groups of users with different password settings you might consider creating two password policies in your Active Directory and have them applied to the correct set of users. That’s not a PowerShell solution but it’s flexible and can be applied easily to new accounts as well.

Regards,

Kris.

Hello Kris,

By PSO I mean Active Directory password policies.

I just want to know if, with PowerShell, I can expand the lifetime of a password that has expired.

If you cannot do what you are after in the ADUC/ADAC GUI, then you cannot do this with PowerShell.

An expired password must be reset, period, no workaround. This is an ADDS requirement/limitation, not a PowerShell one. You can set the expiration date before you do this.

If you use the ADAC to click through the steps, the ADAC will write the PowerShell code for you, which you can then save and tweak as needed.

Active Directory Administrative Center: Getting Started
https://technet.microsoft.com/en-us/library/dd560651(v=ws.10).aspx

Active Directory Administrative Center
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/active-directory-administrative-center

Step-By-Step: Utilizing PowerShell History Viewer in Windows Server 2012 R2
https://blogs.technet.microsoft.com/canitpro/2015/03/04/step-by-step-utilizing-powershell-history-viewer-in-windows-server-2012-r2

Also, MS and other risk-focused orgs (NIST, DoD, DISA, FTC…) have now publicly stated that setting password expiration is not recommended. Though we all know, old habits and beliefs are hard to break.

See:

NIST’s new password rules – what you need to know

Time to rethink mandatory password changes

How to Extend Password Expiry Date in AD
Active directory account passwords expire set (for example, every 90 days) in most of the organizations. Configuring an AD account with Password Never Expires is not recommended due to security. I came across the scenario to extend an active directory account’s current password
Download : How to Extend Password Expiry Date in AD.pdf

Microsoft Recommending Non-Expiring Passwords to Office 365 Customers

@postanote

Hello,

Thank you! That’s what I was searching for. You, man, are a savior!
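
A way to preview which accounts would count as expired the moment a 90-day policy applies to them, as an added example that is not part of the original thread. The function name, status labels, sample accounts and the group name in the closing comment are assumptions; expiry is computed as PasswordLastSet plus the maximum password age.

```powershell
# Added example: classify accounts by what a new max password age would do to them.
function Get-PasswordAgeImpact {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$User,
        [int]$MaxAgeDays = 90,
        [int]$WarnDays = 14,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $expires = $null
        if ($User.PasswordNeverExpires) {
            $status = 'NeverExpires'            # the flag overrides any max age
        }
        elseif (-not $User.PasswordLastSet) {
            $status = 'MustChangeAtNextLogon'   # pwdLastSet is 0
        }
        else {
            $expires = ([datetime]$User.PasswordLastSet).AddDays($MaxAgeDays)
            if ($expires -le $AsOf) { $status = 'ExpiredOnApply' }
            elseif ($expires -le $AsOf.AddDays($WarnDays)) { $status = 'ExpiresSoon' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName     = $User.SamAccountName
            PasswordLastSet    = $User.PasswordLastSet
            ExpiresUnderPolicy = $expires
            Status             = $status
        }
    }
}

# Constructed sample accounts (not real data), shaped like Get-ADUser output.
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; PasswordLastSet = [datetime]'2023-11-15'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';   PasswordLastSet = [datetime]'2024-03-10'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'carol'; PasswordLastSet = [datetime]'2024-05-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'svc01'; PasswordLastSet = [datetime]'2020-01-01'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'dave';  PasswordLastSet = $null;                  PasswordNeverExpires = $false }
)
$sample | Get-PasswordAgeImpact -MaxAgeDays 90 -AsOf $asOf | Format-Table -AutoSize

# Against a live domain (RSAT ActiveDirectory module; 'PSO-90d-Users' is a hypothetical group):
# Get-ADGroupMember 'PSO-90d-Users' |
#     Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordAgeImpact -MaxAgeDays 90
```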