A PowerShell script to extend the password expiration date for users in bulk. Each user modified by this script will have their password expire MaxPasswordAge days after they next logon.
The PowerShell MaxPasswordAge property specifies the timespan after the password is changed before it will expire. If the user is subject to the domain password policy, it corresponds to the maxPwdAge attribute of the domain object. If the user is subject to a Fine-Grained Password Policy (FGPP), it corresponds to the msDS-MaximumPasswordAge attribute of the Password Setting Object (PSO) that applies.
The pwdLastSet Active Directory attribute of users is syntax LargeInteger. It is a 64-bit integer that represents DateTime values as the number of 100-nanosecond intervals (also called ticks) since 12:00 am January 1, 1601. That is the zero date for LargeInteger DateTime values. The value is also in Coordinated Universal Time (UTC, for the French term), which used to be called GMT. The system updates the value whenever the password is changed.
The only values that administrators are allowed to assign to pwdLastSet are 0 and -1. The value 0 corresponds to the long ago zero date, so the user password is expired at once. When you select "User must change password at next logon" on the "Account" tab of ADUC, the GUI assigns 0 to the pwdLastSet attribute.
The only other value administrators can assign is -1. Because of the way 64-bit integers are saved in AD, this becomes the largest value that can be saved in a 64-bit register. This huge number corresponds to September 14 in the year 30828. But if pwdLastSet has this value, the system will change it to the value corresponding to the current DateTime the next time the user logs on. Then the password will expire after the maximum password age setting that applies to that user has passed from that point in time. A quirk is that you cannot assign -1 until you first assign 0.
You can take advantage of these features to extend password expiration for one or more users in bulk. There is no way to make passwords expire on a specified date. But all users modified by this script will have their password expire MaxPasswordAge days after they next logon, where MaxPasswordAge is the policy that applies to the user.
To avoid having many user passwords expire at almost the same time, this script allows you to stagger password expiration, by only modifying users in groups, perhaps one group per week. Each group would be in a separate CSV file.
To run the script, review and possibly modify these two values for your situation.
StaggerPWExp.txt <<-- Click here to view or download the program