Hello,
A quick tech tip here for admins with Windows PowerShell. For an IT professional who has worked in both centralized and decentralized environments, passwords remain one of the most challenging aspects of user support. The fact that a user will forget his/her password for login or e-mail is a technical constant in the support universe, and those are the passwords that are used frequently. Passwords that are used less frequently represent the best of lost causes.
A new feature added to Active Directory Domain Services (AD DS) in Windows Server 2008 is ‘fine-grained password policies’, the ability to define more than one set of password requirements per single Active Directory domain. Fine-grained policies can be applied to groups within Active Directory and not directly to OUs. The tricky thing to remember about password policies, when used with group policy in Active Directory, is that they are only applied when a user changes his or her password. If the password policy is enabled or changed while the user is logged in, the new settings will not come into effect for that user until their password is changed.
A nice way to streamline all of this is with a simple little PowerShell script that forces all users in a domain to change their password the next time they log into Windows.
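' VBScript syntax: save with a .vbs extension and run with cscript.exe
' Bind to the OU whose users must change their password
Set objOU = GetObject("LDAP://ou=OUName, dc=domain, dc=com")
' Enumerate only user objects in the OU
objOU.Filter = Array("user")
For Each objUser In objOU
    ' pwdLastSet = 0 marks the password as expired, forcing a change at next logon
    objUser.pwdLastSet = 0
    objUser.SetInfo
Next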
Save and run the above script as an administrative user and each user in the specified OU will have to change their password the next time they log in.
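The same operation written for PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is installed, reuses the placeholder OU name from the listing above, and skips accounts that could not complete a forced change; run it with -WhatIf first to preview the affected accounts.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder DN from the listing above; replace with the real OU
    [string]$SearchBase = 'ou=OUName,dc=domain,dc=com'
)

# Extra attributes needed to decide whether an account can be forced to change
$props = 'PasswordNeverExpires', 'CannotChangePassword', 'pwdLastSet'

# OneLevel matches the listing above, which walks only the OU's direct children.
# Disabled accounts are left alone (an assumption of this example).
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -SearchScope OneLevel -Properties $props

foreach ($user in $users) {
    # Set-ADUser rejects -ChangePasswordAtLogon $true when PasswordNeverExpires
    # is set, and a user who cannot change the password could not finish the
    # forced change. Report these (often service accounts) instead of touching them.
    if ($user.PasswordNeverExpires -or $user.CannotChangePassword) {
        Write-Warning "Skipping $($user.SamAccountName): password never expires or cannot be changed by the user"
        continue
    }

    # pwdLastSet = 0 means the account is already flagged for a change
    if ($user.pwdLastSet -eq 0) {
        Write-Verbose "Already flagged: $($user.SamAccountName)"
        continue
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Require password change at next logon')) {
        # Equivalent to writing pwdLastSet = 0 in the listing above
        Set-ADUser -Identity $user -ChangePasswordAtLogon $true
    }
}
```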