How to expire select users' passwords

Hello, this is my first post on this forum. I searched through the forums and didn’t see a match to this topic, but apologize if there is one.

Due to the recent well known security bug we would like to expire the passwords of users that have used their credentials on sites that had the vulnerability. Forcing users to change their password on next logon is a possibility but not optimal. Group policy has the capability to set password policies, but can a fine grained password policy be used on users that don’t share a group? Is it possible to grab a subset of AD users and change their password change date (expiration date) via PowerShell? pwdLastSet seems like it can be modified, but not in a way to pick a date a user would need to change their password.

So this would be a subset of AD users that don’t share a unique AD group but need to change their password in the near future.

Thanks for any assistance.

When you assign a value of 0 to the pwdLastSet attribute, you force the user to change their password on next logon. If you’re using the PowerShell ActiveDirectory module, you can simply call Set-ADUser with the -ChangePasswordAtLogon $true argument. (Under the hood, this will do the same thing: assign a value to pwdLastSet in AD.)

Thanks Dave. We’ll consider the effects of requiring a change on next logon.

If the goal isn’t to have users change their password at next logon, what is the goal? I’m not understanding how setting the password to expired is different, I guess…?

Looking at different options.

Was looking for a way to set a password to expire on x date. This would give time to make the users aware that they needed to change their password. If all of a sudden everyone had to change their password the help desk would be flooded with calls from people who are being required to change their password outside their normal password age expiration window (at least I hope users would question the password change). So was searching for a way that let us set the password age a week out from the notification date. This way the users have a week to change their passwords and if they don’t then they are required to do so on that specified expiration date we set.

Setting the pwdLastSet attribute to 0 would get the job done if it’s decided that all users need to change their password on next logon and we skip the grace period to change it on their own.

Sounds more like a communication thing. Start telling users to change now - they can do that without you making any changes in AD. Announce a deadline. On that day, expire all passwords that haven’t been changed in the last however many days. Easy enough to do.
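Putting the two suggestions in this thread together (Dave's point that -ChangePasswordAtLogon $true writes pwdLastSet = 0, and the last reply's "announce a deadline, then expire whatever hasn't changed since") as an added example script. This is not code from any poster; it assumes the RSAT ActiveDirectory module is installed, and the account names and the notification date below are constructed placeholders, not real accounts. It takes the subset of affected users as a plain list (so no shared AD group is needed), skips anyone who already changed their password after the notification date, reports accounts with PasswordNeverExpires set (the change-at-logon flag has no effect on those), and supports -WhatIf so the deadline run can be rehearsed first.

```powershell
# Added example for this thread (not from any poster): on the deadline day, force a
# password change at next logon for the listed users whose password is still older
# than the date they were notified. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Set-PasswordChangeRequired {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # sAMAccountNames of the affected users (e.g. read from your own CSV)
        [Parameter(Mandatory)] [string[]] $SamAccountName,
        # Day the users were told to change their password on their own
        [Parameter(Mandatory)] [datetime] $NotifiedOn
    )

    foreach ($sam in $SamAccountName) {
        $user = Get-ADUser -Identity $sam `
            -Properties PasswordLastSet, PasswordNeverExpires, pwdLastSet -ErrorAction Stop

        # pwdLastSet of 0 is exactly what -ChangePasswordAtLogon $true writes, so this
        # account is already flagged and needs nothing further
        if ($user.pwdLastSet -eq 0) {
            Write-Verbose "$sam already must change password at next logon"
            continue
        }

        # Change-at-next-logon is ignored while PasswordNeverExpires is set; surface
        # these accounts for review instead of silently skipping them
        if ($user.PasswordNeverExpires) {
            Write-Warning "$sam has PasswordNeverExpires set; clear it before expiring"
            continue
        }

        # User changed their password during the grace period: leave them alone
        if ($user.PasswordLastSet -and $user.PasswordLastSet -ge $NotifiedOn) {
            Write-Verbose "$sam changed password on $($user.PasswordLastSet); nothing to do"
            continue
        }

        $changed = $false
        if ($PSCmdlet.ShouldProcess($sam, 'Require password change at next logon')) {
            Set-ADUser -Identity $sam -ChangePasswordAtLogon $true
            $changed = $true
        }

        # One record per account so the run can be logged or exported with Export-Csv
        [pscustomobject]@{
            SamAccountName  = $sam
            PasswordLastSet = $user.PasswordLastSet
            Expired         = $changed
        }
    }
}

# Constructed sample input (not real accounts or a real date). Rehearse with -WhatIf,
# then run the same line without it on the deadline day.
$affected   = @('jdoe', 'asmith', 'bjones')
$notifiedOn = Get-Date '2014-04-14'
Set-PasswordChangeRequired -SamAccountName $affected -NotifiedOn $notifiedOn -WhatIf -Verbose
```

Because pwdLastSet only accepts 0 (expire now) rather than an arbitrary future date, the "grace period" lives in the script's date check rather than in the attribute: run it once on the deadline and only the users who ignored the announcement are affected. Keep the emitted objects (for example with Export-Csv) so the help desk has a list of exactly whose password was expired and why.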