PSO and user property settings
I have a Password Policy in place, but some Admins are changing users' account options so the policy is getting ignored, see below.
Is there a script I could schedule to run every day that removes these checked boxes on just the users affected by the password policy?
Edited by jamicon, Tuesday, January 27, 2015 2:34 PM
January 27th, 2015 5:28pm
You'll have to scope this properly using -SearchBase:
# Needs the ActiveDirectory module (RSAT); find users under the OU with "Password never expires" set,
# keep those that also have "User cannot change password" set, then clear both.
# -WhatIf makes this a dry run that only reports which accounts would be changed.
Import-Module ActiveDirectory
Get-ADUser -Filter "PasswordNeverExpires -eq '$true'" -Properties CannotChangePassword -SearchBase 'OU=Test,DC=domain,DC=com' |
Where { $_.CannotChangePassword } |
Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -WhatIf
January 27th, 2015 5:45pm
You can set that in Group Policy as part of the password policy. GP will then block it from being changed.
January 27th, 2015 5:52pm
I love it!
So after I edit -SearchBase, what format should I save it as, and where do I plug it in?
January 27th, 2015 11:33pm
what??? Where??? Really!!!!
That's my answer!!!!
For example I have the PSO applied to me but I am set to not expire, I can test on myself.
Please share, my friend.
Edited by jamicon, Tuesday, January 27, 2015 8:39 PM
January 27th, 2015 11:33pm
So after I edit -SearchBase, what format should I save it as, and where do I plug it in?
Just put the DN of the OU you're interested in for the -SearchBase and run the script (save as a ps1 file and run it via the PowerShell console, just as usual). Currently the script won't actually make any changes, because of the -WhatIf switch on Set-ADUser.
If you're happy with the initial output of users who would be affected, you can remove the -WhatIf switch and run the script again to make the changes.
January 27th, 2015 11:48pm
jrv
Please tell me how; this would be exactly what I'm looking for. Does it have to do with editing the extensions to the password group?
January 29th, 2015 9:21pm
Post in GP forum to get full guidance on managing password requirements. There are a number of ways to do it.
January 29th, 2015 10:09pm
OK, it's there now.
January 29th, 2015 11:30pm
jrv
So far nobody has the answer...
January 30th, 2015 1:50am
January 30th, 2015 2:07am
this does not address my problem
January 30th, 2015 3:23am
this does not address my problem
you do see the picture right?
January 30th, 2015 3:24am
this does not address my problem
you do see the picture right?
Are you trying to disable password security? You can't if policies are enabled. The settings in the GUI will be ignored.
January 30th, 2015 3:33am
It's not being ignored.
My test account does not have it set that way and it was forced to change password.
My other test account has it set to never expire and it hasn't been forced to change password.
January 30th, 2015 11:26pm
Can this work on a global group?
January 30th, 2015 11:28pm
It's not being ignored.
My test account does not have it set that way and it was forced to change password.
My other test account has it set to never expire and it hasn't been forced to change password.
Clearly your GPO is not targeting your OU correctly. Also Administrators are, to some degree, exempt and can reset that setting unless the security is changed.
January 30th, 2015 11:34pm
jrv - you can stop replying now, thanks.
Mike L - I think your solution is the only way to go: schedule this to run daily. Will it work against a global group?
February 2nd, 2015 8:36am
Mike L - I think your solution is the only way to go: schedule this to run daily. Will it work against a global group?
Yes, but the script as written gets users in/under an OU, not a group. If you want to use groups instead, use the Get-ADGroupMember cmdlet to get the user list and then pipe into Get-ADUser to get the properties you need to test against.
February 2nd, 2015 8:42am
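As an added example (my own, not Mike L's script), here is the group-based variant he describes: members of a group are piped into Get-ADUser, and the list is further narrowed to users whose resultant PSO is the one being enforced, so the daily run only touches accounts the policy actually covers. The group name, PSO name and log path are placeholders; -WhatIf keeps it a dry run until removed.

```powershell
# Added example, not code from the thread. Placeholders: group, PSO and log path.
Import-Module ActiveDirectory

$GroupName = 'PSO-Users'                 # placeholder: global group the PSO targets
$PsoName   = 'Standard-Users-PSO'        # placeholder: the fine-grained policy's name
$LogPath   = 'C:\Logs\pso-cleanup.csv'   # placeholder: audit trail for the scheduled run

# Group members can include nested groups and computers; keep only user objects.
$affected = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties PasswordNeverExpires, CannotChangePassword |
    Where-Object {
        # Only users that (a) actually resolve to this PSO and (b) have one of the two options set.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_
        ($pso -and $pso.Name -eq $PsoName) -and
        ($_.PasswordNeverExpires -or $_.CannotChangePassword)
    }

foreach ($user in $affected) {
    # Record who was touched and what was set before the change is applied.
    [pscustomobject]@{
        Time                 = Get-Date -Format o
        SamAccountName       = $user.SamAccountName
        PasswordNeverExpires = $user.PasswordNeverExpires
        CannotChangePassword = $user.CannotChangePassword
    } | Export-Csv -Path $LogPath -Append -NoTypeInformation

    # Clear both options. Remove -WhatIf once the dry-run output looks right.
    Set-ADUser -Identity $user -PasswordNeverExpires:$false -CannotChangePassword:$false -WhatIf
}
```

Run it under an account that can write both the user attributes and the log file; the CSV is what tells you which admin-set overrides keep coming back.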
jrv - you can stop replying now, thanks.
Mike L - I think your solution is the only way to go, schedule this to run daily, will it work against a global group?
Just so you know: if GP is set to manage password policy, this will likely just get reset every 30 minutes or more often. GP will always override this, and GP on a Domain Controller runs every 5 minutes.
February 2nd, 2015 9:10am