
I have a customer whose users all access the solution via RDP and who are all set to 'password never expires' in AD.

We're enforcing a password expiration policy and introducing a self-serve credential manager to allow the users to change their password in the event that it expires.

I've noticed, however, that as soon as I uncheck 'password never expires' for a user, that user is immediately unable to log in. If I try the account locally, I'm advised that the password has expired. If I go into AD and change the password, the account can log in once more.

If I had to guess, I'd say that Windows is probably recognising that my current password is greater than X days old or something.

It's worth mentioning as well that the 'account expires' option is still set to 'Never', but that I've tried adjusting this to the future and it made no difference.

What I really want to do is wind back the clock so that when I uncheck the 'password never expires' option, the users have a short period, perhaps 7 days or so, in which to update their password before it expires and they are unable to log in, but during which they can keep and use their existing password.

Any help is appreciated :)

John

1 Answer

The pwdLastSet attribute is used to calculate the password age.

The value is protected, and the only values you can set there are 0 or -1.

The value you are looking for is -1: the system will set pwdLastSet to the current date/time. Thus the 90 days, or any defined time period, will start again from the beginning.

0 would do the opposite: it would expire the password right now.

You set it to 0, manually or with a script, then set it to -1, and afterwards uncheck the Never Expire option for the account.

Example, before:

[screenshot]

After the set to 0, and -1:

[screenshot]

yagmoth555
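The procedure from the answer and comments (set pwdLastSet to 0, apply, then to -1, then clear 'Password never expires'), as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory module and rights to write pwdLastSet; the function name Reset-PasswordAge is an assumption, and the minimum-age warning reflects Ryan Bolger's caveat in the comments.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
function Reset-PasswordAge {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    # Helper: pwdLastSet and msDS-UserPasswordExpiryTimeComputed are FILETIME values;
    # Int64.MaxValue means "never expires" and cannot be converted to a DateTime.
    function ConvertFrom-FileTime([Int64]$Value) {
        if ($Value -le 0 -or $Value -eq [Int64]::MaxValue) { return 'never/unset' }
        return [DateTime]::FromFileTimeUtc($Value)
    }

    $before = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordNeverExpires
    Write-Verbose ("Before: pwdLastSet = {0}, PasswordNeverExpires = {1}" -f
        (ConvertFrom-FileTime $before.pwdLastSet), $before.PasswordNeverExpires)

    # Caveat from the comments: with a minimum password age set, the user cannot change
    # the password again until that age has elapsed after this reset.
    $minAge = (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge
    if ($minAge -gt [TimeSpan]::Zero) {
        Write-Warning "Domain minimum password age is $minAge; the user cannot change the password before then."
    }

    if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password age (0 then -1)')) {
        # Step 1: 0 expires the password immediately. Apply it as its own write;
        # writing -1 alone, without the 0 first, does not update the timestamp.
        Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = 0 }
        # Step 2: -1 stamps the current date/time, restarting the max-age clock.
        Set-ADUser -Identity $SamAccountName -Replace @{ pwdLastSet = -1 }
        # Step 3: only now clear 'Password never expires' so the policy applies.
        Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
    }

    # Report the new age and the expiry the DC has computed from the domain policy.
    $after = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    [PSCustomObject]@{
        User       = $SamAccountName
        PwdLastSet = ConvertFrom-FileTime $after.pwdLastSet
        ExpiresOn  = ConvertFrom-FileTime $after.'msDS-UserPasswordExpiryTimeComputed'
    }
}

# Usage (constructed account name): preview with -WhatIf, then run for real.
Reset-PasswordAge -SamAccountName 'jsmith' -WhatIf
Reset-PasswordAge -SamAccountName 'jsmith' -Verbose
```

ExpiresOn lets you confirm the result against the domain's maximum password age without waiting for a user to log on.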
  • Nice. I knew about the 0 value, but had no idea -1 worked differently. It should also probably be noted that if their password policy has a *minimum* age defined, doing this will also prevent people from changing their password until that minimum age has been reached (barring administrative reset). – Ryan Bolger Feb 14 '18 at 18:29
  • I think it needs to be set to 0, then to -1 to work as expected. Also may set the current datetime when this is done, without a logon. – Greg Askew Feb 14 '18 at 19:04
  • Ok... this sounds exactly like what I'm after, but how do I change the value to -1? I read the following article and tried that method, but pwdLastSet remained a date in the past and didn't update to a current date and time: https://social.technet.microsoft.com/Forums/windowsserver/en-US/6622c897-c460-41ce-a237-a6eabff3ca12/why-cant-i-set-pwdlastset-with-setaduser?forum=winserverpowershell – John Feb 15 '18 at 09:45
  • @John Greg was right, you need to set 0, apply, and after -1 to have it work as expected. Will update my answer. – yagmoth555 Feb 15 '18 at 13:56
  • @GregAskew Thanks for the reminder, tested it this morning and you are absolutely right, need to set 0, and after -1 to have it work as expected. – yagmoth555 Feb 15 '18 at 13:57
  • Great, thanks guys, that worked a treat! One last question if I may... does anyone know how long before expiry Windows will prompt that it's going to expire? – John Feb 16 '18 at 13:21