PSO and user property settings

I have a Password Policy in place, but some Admins are changing users' account options so the policy is getting ignored, see below.

Is there a script I could schedule to run every day that removes these checked boxes on just the users affected by the password policy?



January 27th, 2015 5:28pm

You'll have to scope this properly using -SearchBase:

# Find users under the OU who have "Password never expires" set, and also fetch the "cannot change password" flag
Get-ADUser -Filter "PasswordNeverExpires -eq '$true'" -Properties CannotChangePassword -SearchBase 'OU=Test,DC=domain,DC=com' |
    Where { $_.CannotChangePassword } |
        # Clear both flags; -WhatIf only previews the change until you remove it
        Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -WhatIf

January 27th, 2015 5:45pm

You can set that in Group Policy as part of the password policy.  GP will then block it from being changed.
January 27th, 2015 5:52pm

I love it!

So after I edit -SearchBase what format should I save it as and where do I plug it in as?

January 27th, 2015 11:33pm

What??? Where??? Really!!!!
That's my answer!!!!

For example I have the PSO applied to me but I am set to not expire, I can test on myself.

Please share, my friend.

January 27th, 2015 11:33pm

So after I edit -SearchBase what format should I save it as and where do I plug it in as?

Just put the DN of the OU you're interested in for the -SearchBase and run the script (save as a ps1 file and run it via the PowerShell console, just as usual). Currently the script won't actually make any changes, because of the -WhatIf switch on Set-ADUser.

If you're happy with the initial output of users who would be affected, you can remove the -WhatIf switch and run the script again to make the changes.

January 27th, 2015 11:48pm

jrv

Please tell me how; this would be exactly what I'm looking for. Does it have to do with editing the extensions to the password group?

January 29th, 2015 9:21pm

Post in GP forum to get full guidance on managing password requirements.  There are a number of ways to do it.

January 29th, 2015 10:09pm

OK, it's there now.
January 29th, 2015 11:30pm

jrv

So far nobody has the answer...

January 30th, 2015 1:50am

https://technet.microsoft.com/library/hh994562(v=ws.10).aspx

The users must be in an OU and not just in Users.

You may want to not allow help desk people to have admin accounts.  Make them Account Operators.  You can then protect that setting in AD with security.

January 30th, 2015 2:05am

Here are the rest: https://technet.microsoft.com/en-us/library/hh994572(v=ws.10).aspx
January 30th, 2015 2:07am

This does not address my problem.
January 30th, 2015 3:23am

This does not address my problem.

You do see the picture, right?

January 30th, 2015 3:24am

This does not address my problem.

You do see the picture, right?

Are you trying to disable password security?  You can't if policies are enabled.  The settings in the GUI will be ignored.

January 30th, 2015 3:33am

It's not being ignored.

My test account does not have it set that way and it was forced to change password.

My other test account has it set to never expire and it hasn't been forced to change password.

January 30th, 2015 11:26pm

Can this work on a global group?
January 30th, 2015 11:28pm

It's not being ignored.

My test account does not have it set that way and it was forced to change password.

My other test account has it set to never expire and it hasn't been forced to change password.


Clearly your GPO is not targeting your OU correctly.  Also Administrators are, to some degree, exempt and can reset that setting unless the security is changed.
January 30th, 2015 11:34pm

jrv - you can stop replying now, thanks.

Mike L - I think your solution is the only way to go, schedule this to run daily, will it work against a global group?

February 2nd, 2015 8:36am

Mike L - I think your solution is the only way to go, schedule this to run daily, will it work against a global group?

Yes, but the script as written gets users in/under an OU, not a group. If you want to use groups instead, use the Get-ADGroupMember cmdlet to get the user list and then pipe into Get-ADUser to get the properties you need to test against.

February 2nd, 2015 8:42am
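As an added example (not Mike L's script and not from the thread), here is the group-scoped variant he describes: Get-ADGroupMember feeds Get-ADUser, and the same -WhatIf preview step applies before committing. The group name 'PSO-Users' is a placeholder and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: revert the two GUI flags on members of a group instead of an OU.
# 'PSO-Users' is a placeholder; replace it with the group your PSO is applied to.
param(
    [string]$GroupName = 'PSO-Users',
    [switch]$Commit     # omit for a -WhatIf preview; pass -Commit to actually change accounts
)

Import-Module ActiveDirectory

# -Recursive expands nested groups; keep only user objects (groups/computers can be members too).
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

# Get-ADGroupMember does not return these attributes, so re-query each member with Get-ADUser.
$affected = $members |
    Get-ADUser -Properties PasswordNeverExpires, CannotChangePassword |
    Where-Object { $_.PasswordNeverExpires -or $_.CannotChangePassword }

foreach ($u in $affected) {
    # Log what is being reverted so a scheduled daily run leaves a trail of which admin-set flags were cleared.
    Write-Output ("{0}: PasswordNeverExpires={1} CannotChangePassword={2}" -f $u.SamAccountName, $u.PasswordNeverExpires, $u.CannotChangePassword)
    Set-ADUser -Identity $u -PasswordNeverExpires:$false -CannotChangePassword:$false -WhatIf:(-not $Commit)
}
```

Save it as a .ps1, run it once without -Commit to review the list, then schedule it with -Commit.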

jrv - you can stop replying now, thanks.

Mike L - I think your solution is the only way to go, schedule this to run daily, will it work against a global group?

Just so you know; if GP is set to manage password policy this will likely just get reset every 30 minutes or more often.  GP will always override this and GP on a Domain Controller runs every 5 minutes.

February 2nd, 2015 9:10am
