Use PowerShell to require users with the oldest passwords to change their passwords

This PowerShell script will help you find the Active Directory users who have gone the longest without changing their password, and then require them to change their password the next time they log on to a domain resource.

Consider this a password policy on a bell curve that targets those users who have the oldest Password Last Set (the PasswordLastSet attribute) date.

I wrote it to help my environment gradually adjust to a new password policy. Instead of making changes to many accounts all at the same time, I use a Scheduled Task to run this script once a night, affecting a small number of users each day. Once caught up, I'll stop using this script.

# Require users to change their passwords, starting with those who have the oldest Password Last Set date
# By Jason Pearce (jasonpearce.com)

# Requires the ActiveDirectory module (RSAT / AD DS tools)
Import-Module ActiveDirectory

# Variable: Define an array of OUs that contain user accounts you want to target, using Distinguished Name (DN)
$OUs = 'OU=United States,OU=North America,DC=domain,DC=local' , 'OU=Canada,OU=North America,DC=domain,DC=local'

# Variable: Define the quantity of users you wish to modify
$Qty = 10

# Get: Load those users into an array. Only enabled accounts are considered; accounts whose
# PasswordLastSet is empty (password never set) sort first and will be selected before any dated account.
$OldestPasswords = $OUs | ForEach-Object { Get-ADUser -SearchBase $_ -Filter {Enabled -eq $True} -Properties SamAccountName, PasswordLastSet } | Sort-Object PasswordLastSet | Select-Object -First $Qty

# Change: Force selected users to change their password the next time they log on (remove -WhatIf to apply).
# PasswordNeverExpires and PasswordNotRequired are cleared in the same call, since either would defeat the forced change.
$OldestPasswords | Set-ADUser -CannotChangePassword $False -ChangePasswordAtLogon $True -PasswordNeverExpires $False -PasswordNotRequired $False -WhatIf

There you have it. In this example, your 10 worst offenders will be required to change their password the next time they log on. Those who regularly change their password won't be affected (unless you run this script indefinitely).
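As an added example (not part of the original post), here is a variant of the nightly job that skips accounts with no PasswordLastSet or an already-expired password, so the same accounts are not re-flagged every run, and writes each batch to a CSV before touching it so the rollout is auditable. The OU distinguished names and the log path are placeholders.

```powershell
# Added example: preview and log the nightly batch before forcing the change.
# Assumes the ActiveDirectory module and the same OU layout as the script above (placeholder DNs).
Import-Module ActiveDirectory

$OUs = 'OU=United States,OU=North America,DC=domain,DC=local',
       'OU=Canada,OU=North America,DC=domain,DC=local'
$Qty = 10
$LogPath = 'C:\Logs\ForcedPasswordChange.csv'   # assumed log location

# Collect enabled users from every target OU. PasswordLastSet is $null for accounts whose
# password was never set or that are already flagged "must change at next logon"; Sort-Object
# places $null first, so those are excluded explicitly instead of being selected every night.
$Candidates = foreach ($OU in $OUs) {
    Get-ADUser -SearchBase $OU -Filter { Enabled -eq $true } `
        -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired
}

$Selected = $Candidates |
    Where-Object { $null -ne $_.PasswordLastSet -and -not $_.PasswordExpired } |
    Sort-Object PasswordLastSet |
    Select-Object -First $Qty

# Record who is in tonight's batch, with password age in days, before changing anything.
$Selected |
    Select-Object SamAccountName, DistinguishedName, PasswordLastSet, PasswordNeverExpires,
        @{ Name = 'AgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
        @{ Name = 'RunDate'; Expression = { Get-Date -Format s } } |
    Export-Csv -Path $LogPath -Append -NoTypeInformation

# Same change as the original script; keep -WhatIf until the CSV shows the accounts you expect.
$Selected | Set-ADUser -CannotChangePassword $false -ChangePasswordAtLogon $true `
    -PasswordNeverExpires $false -PasswordNotRequired $false -WhatIf
```

Reviewing the CSV over a few nights also makes it easy to spot service or shared accounts that should be excluded from the OU list before the change is applied for real.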