How Can I Cause a User’s Password to Expire?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I cause a user’s password to expire?

-- GB

Hey, Scripting Guy! Answer

Hey, GB. You know, one thing people dislike about politicians is that any time you ask them a question many politicians will give you an answer to a different question. Even worse, if you press them on that point they’ll tell you that there’s a good reason why they did that: after all, it’s for your own good.

What does that have to do with the Hey, Scripting Guy! column? Well, instead of answering the question you asked, we’re going to answer a different question. But don’t worry: it’s for your own good.

So why is this for your own good? Well, we’re assuming there’s only one reason why you’d want to expire a user’s password: you want the user to have to change that password the next time they log on. You wouldn’t expire a password in order to prevent a user from logging on; if you don’t want a user logging on then you should disable or delete the user account. We want to force a user to change their password the next time they log on, and there’s an easier way to do that than by fiddling with a password expiration date (which, as it turns out, isn’t something a script can write directly anyway). All you have to do is run this little script instead:

' Bind to the user account in Active Directory (adjust the distinguished name).
Set objUser = GetObject("LDAP://CN=myerken,OU=Finance,DC=Fabrikam,DC=com")

' 0 = "user must change password at next logon"; -1 would clear that flag.
objUser.pwdLastSet = 0

' Nothing is written to the directory until SetInfo is called.
objUser.SetInfo

That’s right: there really isn’t much to it, is there? We begin by binding to the user account in Active Directory; that’s what this line of code is for:

Set objUser = GetObject("LDAP://CN=myerken,OU=Finance,DC=Fabrikam,DC=com")

Having done that, we then set the value of the pwdLastSet attribute to 0. pwdLastSet is a 64-bit integer that stores the date and time that the password for a given account was last set (counted in 100-nanosecond intervals since January 1, 1601, the same format as a Windows FILETIME). Active Directory won’t let a script write an arbitrary date here: the only values it accepts are 0, which means “the user must change their password at next logon,” and -1, which tells the domain controller to stamp the current time (and so clears that requirement). There is no separate “expiration date” attribute to edit, either; the date a password expires is simply pwdLastSet plus the maximum password age in effect for that account. That’s why, if pwdLastSet is equal to 0, the user will have no choice but to change their password the next time they log on. In other words, without having to mess around with dates and times we’ve essentially “expired” their password: their current password will have to be changed the next time they log on. We set pwdLastSet to 0, then call the SetInfo method to write the change back to Active Directory; until SetInfo runs, the change exists only in the script’s local property cache. Two things to check before relying on this: the account must not have “Password never expires” set (the UF_DONT_EXPIRE_PASSWD bit in userAccountControl), because that flag takes precedence and the user won’t be prompted; and the user still needs to know their current password, since this forces a change rather than locking anyone out.

Incidentally, you can do the same sort of thing with local user accounts using a script like this:

strComputer = "atl-win2k-01"

' Bind to the local account through the WinNT provider.
Set objUser = GetObject("WinNT://" & strComputer & "/kenmyer")

' PasswordExpired = 1 flags the account as "must change password at next logon".
objUser.PasswordExpired = 1

' As with the LDAP version, nothing is saved until SetInfo is called.
objUser.SetInfo

In this script, we bind to the Ken Myer account on the computer atl-win2k-01 and then set the value of the PasswordExpired attribute to 1. We call the SetInfo method and, voilà: the next time Ken Myer logs on to this computer he’ll have to change his password.
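For readers who would rather do this from PowerShell, here is an added example (written for this page, not part of the original column) that performs the same two writes the VBScript snippets above perform, domain account via the LDAP provider and local account via the WinNT provider, refuses to proceed when “Password never expires” would make the write pointless, and reads the result back. It also carries out the expiry arithmetic described in the text, so you can see that an expiration date is derived from pwdLastSet and maxPwdAge rather than stored. The distinguished name, computer name, user name and the sample dates are placeholders and constructed values, not anything taken from a real directory.

```powershell
# Added example for this page (not from the original Scripting Guys column).
# Distinguished names, computer and user names below are placeholders.

# userAccountControl / UserFlags bit for "Password never expires".
$UF_DONT_EXPIRE_PASSWD = 0x10000

function Get-PasswordExpiry {
    # pwdLastSet and maxPwdAge are FILETIME-style 64-bit integers: 100-ns ticks
    # since 1601-01-01 UTC. maxPwdAge lives on the domain root and is NEGATIVE.
    param(
        [Parameter(Mandatory)][long]$PwdLastSet,
        [Parameter(Mandatory)][long]$MaxPwdAge,
        [Parameter(Mandatory)][int]$UserAccountControl
    )
    # "Password never expires" on the account takes precedence over everything.
    if ($UserAccountControl -band $UF_DONT_EXPIRE_PASSWD) { return 'never' }
    # pwdLastSet = 0 is the "must change at next logon" state: already expired.
    if ($PwdLastSet -eq 0) { return 'must-change' }
    # A domain policy of "Maximum password age = 0" is stored as Int64.MinValue.
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) { return 'never' }
    # Expiry = last set + maximum age; subtracting the negative interval adds it.
    return [DateTime]::FromFileTimeUtc($PwdLastSet - $MaxPwdAge)
}

function Set-MustChangePasswordAtNextLogon {
    # Domain account through the LDAP provider. -Clear writes -1, which the DC
    # turns into "now", removing the must-change requirement again.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [switch]$Clear
    )
    $user = [ADSI]"LDAP://$DistinguishedName"
    $uac  = [int]$user.userAccountControl.Value
    if (-not $Clear -and ($uac -band $UF_DONT_EXPIRE_PASSWD)) {
        throw "'Password never expires' is set on $DistinguishedName; clear that flag first or the user will not be prompted."
    }
    # Only 0 and -1 are accepted here; any other value is a constraint violation.
    $user.pwdLastSet = $(if ($Clear) { -1 } else { 0 })
    $user.SetInfo()                       # nothing reaches the directory before this
    # Read back: the ADSI adapter returns an IADsLargeInteger, convert it to Int64.
    $user.RefreshCache(@('pwdLastSet'))
    return $user.ConvertLargeIntegerToInt64($user.pwdLastSet.Value)
}

function Set-LocalMustChangePassword {
    # Local account through the WinNT provider, same as the second VBScript snippet.
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$UserName
    )
    $user = [ADSI]"WinNT://$ComputerName/$UserName,user"
    if ([int]$user.UserFlags.Value -band $UF_DONT_EXPIRE_PASSWD) {
        throw "'Password never expires' is set on $ComputerName\$UserName."
    }
    $user.PasswordExpired = 1
    $user.SetInfo()
}

# Worked values (constructed, not read from a directory): a password set on
# 2006-01-01 under a 42-day maximum age expires on 2006-02-12.
$lastSet  = [DateTime]::new(2006, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$maxAge42 = -1 * [TimeSpan]::FromDays(42).Ticks   # stored negative, as AD stores it
Get-PasswordExpiry -PwdLastSet $lastSet -MaxPwdAge $maxAge42 -UserAccountControl 0x200    # 2006-02-12
Get-PasswordExpiry -PwdLastSet 0        -MaxPwdAge $maxAge42 -UserAccountControl 0x200    # must-change
Get-PasswordExpiry -PwdLastSet $lastSet -MaxPwdAge $maxAge42 -UserAccountControl 0x10200  # never

# Live calls (placeholders; run as an account with write access to the objects):
# Set-MustChangePasswordAtNextLogon -DistinguishedName 'CN=myerken,OU=Finance,DC=Fabrikam,DC=com'   # returns 0
# Set-MustChangePasswordAtNextLogon -DistinguishedName 'CN=myerken,OU=Finance,DC=Fabrikam,DC=com' -Clear
# Set-LocalMustChangePassword -ComputerName 'atl-win2k-01' -UserName 'kenmyer'
```

The order of checks in Get-PasswordExpiry is deliberate: the “never expires” flag is tested before pwdLastSet, which matches the precedence the directory itself applies, and it is the reason the write functions refuse to flag an account that carries that bit. To find maxPwdAge for a real domain, read it from the domain root object (for example `([ADSI]"LDAP://DC=Fabrikam,DC=com").maxPwdAge` converted with ConvertLargeIntegerToInt64) and pass it in unchanged; it is already negative.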

So there you have it: we answered a question, even though it might not have been the exact question we were asked. Hopefully this will help: the last time we tried giving answers that didn’t match the questions was on our SAT test. That one didn’t work out too well.

Comments (15)

  1. Anonymous says:

    Max Allan: This is Visual Basic Script, not PowerShell. Paste it into a VBS file, and it should do the trick, provided you update the distinguished name for the user in question.

  2. Andrea Schuman says:

    How do I actually set it to a date or number of days before expiration?

  3. Ken says:

    Nope… not what I need to do.

    I want to test our VPN's ability to allow password management… and I can't wait until the password expires on the account I'm using and I don't want to build an OU and GPO, etc. or can't because I'm not in the AD group.  

  4. Mark says:

    Great script.  Can you answer Andrea's question?  Also, how do I implement a loop to get all the users in a certain OU and set the value for pwdLastSet?  Please let me know.  Thank you.

  5. Jimy Cao says:

    An answer to the original question would have been more helpful here….

  6. Rhonda says:

    We need to test our GP behavior when passwords are expiring so for testing purposes it would help to have the answer to the original question.

  7. Jim Goldsmith says:

    Usually, there is great information here.

    This answer missed the point. We can read the standard documentation about 0 or 1 in this field.

    We need some way to manipulate the expiration date, generally, for *testing* purposes.


  8. Max Allan says:

    It fails for me :

    PS C:\Windows\system32> Set objUser = GetObject("LDAP://CN=Max Allan,OU=Users,DC=domain,DC=local")

    Set-Variable : A positional parameter cannot be found that accepts argument 'GetObject'.

    At line:1 char:1

    + Set objUser = GetObject("LDAP://CN=Max Allan,OU=Users,DC=domain,DC=local")

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

       + CategoryInfo          : InvalidArgument: (:) [Set-Variable], ParameterBindingException

       + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SetVariableCommand

    What am I missing?

    (Sorry I am a newb at powershell)

  9. Jason Carpenter says:

    So there’s plenty of reasons to want to set a password to expire for security testing. It’d be nice to know how to modify the password expiration date.

  10. Allen George says:

    I see a number of people that have posted asking the question. You CANNOT change the account password expiration value to anything but 0 or -1. I wanted to change the date to a specific date. AD will not allow anyone but the system to change the value to something other than 0 or -1.

  11. Naveed says:

    replace the OU in first line with CN, the script is running fine

    Set objUser = GetObject("LDAP://CN=myerken,CN=Finance,DC=Fabrikam,DC=com")

    objUser.pwdLastSet = 0

  12. Annoyed says:

    This exemplifies why that’s a very poor approach to answering questions.

    As already demonstrated by several other comments, the statement "we’re assuming there’s only one reason why you’d want to expire a user’s password: you want the user to have to change that password the next time they log on" is anything but a foregone conclusion.
    I was also searching on this topic because I want to test the handling of expired passwords by a script. I don’t have an account that’s currently expired whose password I know, and I was hoping to avoid the hassles of setting up a sandbox environment just for this. Unfortunately, you’re not answering the question, you’re answering your hasty assumptions about the reason the question was asked.

    In this case, it appears that the correct answer is that you can’t do it. But if that’s the answer, then *say* it. It’s one thing to include in the answer "*if* the reason you’re asking this is that you want to do such-and-such, here’s how you can do it…", as long as you don’t substitute that for a response to the question that was asked. But saying "I’m going to answer a different question, and it’s for your own good, because I assume I know what you really want to accomplish and you just didn’t know how to ask the right question" is patronizing, and often unhelpful.

  13. pmt says:

    Maybe he wanted to test if the "password will expire in N days" notification is showing in the system tray for a particular user who is having an issue with it. And he is looking for a way to do this without affecting an entire group, and without moving the single user to a different OU…

  14. Leo Jacob says:

    I know this is old, but the answer to the actual question would be useful.
