how do I fix the ADSI line in this script??

I want to test a password reminder script that runs at login.
I found this code for doing so:

Bind to user object in AD.

$User = [ADSI]:“LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local”

Expire password immediately.

$User.pwdLastSet = 0

Save change in AD.


Problem is that PS throws an error on the ADSI line.

Unexpected token ‘:“LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local”’ in expression or statement.
+ CategoryInfo : ParserError: (:slight_smile: [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : UnexpectedToken

The original code line says:
$User = [ADSI]:“LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com”

It’s possible I could be doing something else wrong but I thought/hope someone could take a quick look at this??
I know I can test with group policy…but that is cumbersome etc.

Or maybe there is another way for me to get the specific user instead of this LDAP??
The specific user I want to test on is me BTW.

Thank you, Tom

You’ve an unnecessary colon, as the error indicates:

$User = [ADSI]:"LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local"

Should be:

$User = [ADSI]"LDAP://cn=Tom Lyczko,ou=NCMSO Users,dc=ncmso,dc=local"

There’s no colon between the type accelerator [ADSI] and the string.


$User = [ADSI]“LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com”

that’s without the : after [ADSI]

As a note, here’s a good article on using the [ADSI] type accelerator:

OIC…now I understand to look where the red curly line STARTS for debugging. Thank you.

Now I get

Exception calling “SetInfo” with “0” argument(s): "A device attached to the system is not functioning.

From what little I’ve read so far SetInfo is not supposed to have arguments. What device could it be talking about??

I got the script from

Thank you…

Never mind, I just need to know why SetInfo() does not work??

Denied came from having the /admin parameter, my mistake.

Also I did not know I need to use base64 for pwdlastset, not 1.

Why I can not do SetInfo(), I do not understand.

Thank you, Tom

You mention in the first post you are testing a script to tell the user is about to expire. The script you posted is attempting to SET ad attributes, which pwdLastSet is read-only, see:

When a password is set for an AD User, this value would be updated. Second, if you are trying to do this with a logon script, you should tread lightly. You typically do not want to have any message boxes or anything pop up during logon as this can stop the script executing until the user closes the dialog. Typically, if you want give the user a reminder that their password is expiring, you setup a re-occurring (scheduled) task that gathers the AD information for all users and if their password expires in 14, 7, 2 or 1 day then send an email with the information to the user. Additionally, depending on the client OS, there is also a balloon message that indicates the password is going to expire. You can probably find examples of password reminder scripts if you do some internet searches.

I must do this for ONE user to TEST a password change script.
The script in this thread is not a logon script.
Thank you, Tom

If you are setting the password, then you should look at cmdlets built for this: Set-ADAccountPassword

While you can use ADSI, the only reason to use that method would be if Windows RSAT tools would not be installed on the system, otherwise you should use the ActiveDirectory module since most of the guess work has been taken out of the equation.

I get the sense people are not reading this well.
I’m not setting a password, I’m wanting to set a password expiration.
And I can not do it because I don’t know how to translate int64 to decimal and vice versa. :slight_smile: :slight_smile:
Plus SetInfo() errors out.

Is there a cmdlet that does SetPasswordExpiration equal to 1 day??

Thank you, Tom

According to what I’m seeing, you cannot set a date. Per this article, you can set the value to be -1, which is supposed to use the domain policy age. So, if it’s set to 45 days, the password expiration would be set to 45 days from script execution. If you use 0, the password is set will be set to expired and the user will be required to change the password at next logon. However, this is another article that contests this indicating it cannot be done and you have to expire it immediately. Test it and let us know.

OIC!! Thank you!!
Appears one can not change password expiry time via script.
Though I can try making a custom group policy and apply it to a test account/OU.
I’m trying to figure out how to see if the password change reminder script actually works without waiting 90 days, sigh.
Thank you, Tom

Since you cannot change the value of the pwdlastset attribute I’d suggest changing your method of verifying that your logic in the script is correct. You have two known variables (pwdlastset of a user and the time difference that you wish to check). Therefore I’d just use the logic you are verifying and simply write a script, have it check the pwdlastset value and output the difference. Once you know the value of pwdlastset, you should know what to expect from your logic in checking the difference in time.