Password expiration

  • Thread starter Thread starter Lance Simmons
  • Start date Start date
L

Lance Simmons

We have about 1300 Active Directory accounts that are
currently flagged to have their passwords "never expire".
We want to start expiring passwords, but we don't want
them to all expire at once. I was thinking about setting
the pwdLastSet value in each of the 1000 accounts to a
random date between today and 90 days from now (so that
passwords expire over the next 90 days on at an "even"
rate). My understanding is that the pwdLastSet is
an "Integer8" value containing a special date/time offset.
The only documented settings for this field are 0 (expire
now) and -1 (never expire). If I try to set the pwdLastSet
to an arbitrary value, I get a scripting error. Does
anyone have any ideas about how we can best accomplish
what we want to do? We would like to avoid any sort of
daily, manual processes to change account settings (15 a
day, etc.)
 
I was thinking about setting
the pwdLastSet value in each of the 1000 accounts to a
random date between today and 90 days from now (so that
passwords expire over the next 90 days on at an "even"
rate)
Click to expand...

But watch out. Passwords will expire on Sat and Sun making Monday morning
hell for the support staff. Maybe if you do the randomizer you could
follow up w/ a second set that says if pwdLastSet = Sat change to Tue, if
pwdLastSet = Sun change to Thur.

Keep in mind I know absolutely nothing about AD, but I have had to change
a thousand profiles before. They almost pelted me with rocks and garbage
he he

~r
 
You're absolutely right about the potential impact on our
Help Desk staff when/if we expire a lot of passwords at
once. And that's precisely what we want to avoid. It
appears as if the pwdLastSet value in AD is impervious to
updates (it's "owned" by the SAM), so we'll have to come
up with another approach. What did you do in (apparently)
similar circumstances?
 
How do you know the password expiration won't be staggered on its own

Meaning, you have 1000 users. You can run a script to dump out the password ages - and given that they are not all the same, you can start ratcheting down the "password expires after" value, starting at a number that will only effect a few users, and slowly working your way down to the desired value

I'm pretty sure that http://www.microsoft.com/technet/scriptcenter will have the password age script.
 
Brilliant. We'll give it a try!
Thanks.
-----Original Message-----
How do you know the password expiration won't be staggered on its own?

Meaning, you have 1000 users. You can run a script to
Click to expand...
dump out the password ages - and given that they are not
all the same, you can start ratcheting down the "password
expires after" value, starting at a number that will only
effect a few users, and slowly working your way down to
the desired value.
I'm pretty sure that
Click to expand...
http://www.microsoft.com/technet/scriptcenter will have
the password age script.
 
Back
Top