I wanted to know if it’s possible de expand the lifetime of a user’s password with powershell?
Let me explain: I had a PSO that used to set the max password age for all user to 180 days but everyone had the “password never expire” option set.
Now, i remove the PSO et remove the option from every users.
I need to set half of my users with a PSO of 90 days but now that their password had expired while the last PSO was here, they will be ask to change their password and i dont want this.
I dont know if you understand what i mean with this but to keep it short: can Powershell (and maybe you) help me with modifying such parameter as password life time?
I’m not sure what you mean by PSO and I’m not sure I understand your question, but if you want to have two groups of users with different password settings you might consider creating two password policies in your Active Directory and have them applied to the correct set of users. That’s not a Powershell solution but it’s flexible and can be applied easily to new accounts as well.
If you cannot do, what you are after in the ADUC/ADAC GUI, then you cannot do this with PowerShell.
An expire password must be reset, period, no workaround. THis is an ADDS requirement/limitation not a PowerShell one. You can set the expiration date before you do this.
Using the ADAC, to click thru the steps, the ADAC will write the PowerShell code for you, that you can then save and tweak as needed.
Also, MS and other risk focused orgs (NIST, DoD, DISA, FTC…) have now publicly stated, setting password expiration is not recommended. Though we all know, old habits and beliefs are hard to break.
How to Extend Password Expiry Date in AD
Active directory account passwords expire set (for example, every 90 days) in most of the organizations. Configuring an AD account with Password Never Expires is not recommended due to security. I came across the scenario to extend an active directory account’s current password
Download : How to Extend Password Expiry Date in AD.pdf