Problem is that PS throws an error on the ADSI line.
Unexpected token ‘:“LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local”’ in expression or statement.
+ CategoryInfo : ParserError: ( , ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken
The original code line says:
$User = [ADSI]:“LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com”
It’s possible I could be doing something else wrong but I thought/hope someone could take a quick look at this??
I know I can test with group policy…but that is cumbersome etc.
Or maybe there is another way for me to get the specific user instead of this LDAP??
The specific user I want to test on is me BTW.
You mention in the first post you are testing a script to tell the user is about to expire. The script you posted is attempting to SET ad attributes, which pwdLastSet is read-only, see:
When a password is set for an AD User, this value would be updated. Second, if you are trying to do this with a logon script, you should tread lightly. You typically do not want to have any message boxes or anything pop up during logon as this can stop the script executing until the user closes the dialog. Typically, if you want give the user a reminder that their password is expiring, you setup a re-occurring (scheduled) task that gathers the AD information for all users and if their password expires in 14, 7, 2 or 1 day then send an email with the information to the user. Additionally, depending on the client OS, there is also a balloon message that indicates the password is going to expire. You can probably find examples of password reminder scripts if you do some internet searches.
If you are setting the password, then you should look at cmdlets built for this: Set-ADAccountPassword
While you can use ADSI, the only reason to use that method would be if Windows RSAT tools would not be installed on the system, otherwise you should use the ActiveDirectory module since most of the guess work has been taken out of the equation.
I get the sense people are not reading this well.
I’m not setting a password, I’m wanting to set a password expiration.
And I can not do it because I don’t know how to translate int64 to decimal and vice versa.
Plus SetInfo() errors out.
Is there a cmdlet that does SetPasswordExpiration equal to 1 day??
According to what I’m seeing, you cannot set a date. Per this article, you can set the value to be -1, which is supposed to use the domain policy age. So, if it’s set to 45 days, the password expiration would be set to 45 days from script execution. If you use 0, the password is set will be set to expired and the user will be required to change the password at next logon. However, this is another article that contests this indicating it cannot be done and you have to expire it immediately. Test it and let us know.
OIC!! Thank you!!
Appears one can not change password expiry time via script.
Though I can try making a custom group policy and apply it to a test account/OU.
I’m trying to figure out how to see if the password change reminder script actually works without waiting 90 days, sigh.
Thank you, Tom
Since you cannot change the value of the pwdlastset attribute I’d suggest changing your method of verifying that your logic in the script is correct. You have two known variables (pwdlastset of a user and the time difference that you wish to check). Therefore I’d just use the logic you are verifying and simply write a script, have it check the pwdlastset value and output the difference. Once you know the value of pwdlastset, you should know what to expect from your logic in checking the difference in time.
, ParentContainsErrorRecordException