nested groups

I have the following .ps1 that does what I want for user members but does not read users in a nested group. Can you help me, please?

import-module activedirectory
Get-ADGroupMember -identity "CGI VPN Password Policy" | Set-ADUser -PasswordNeverExpires:$FALSE
Get-ADGroupMember -identity "CGI VPN Password Policy" | Set-ADUser -CannotChangePassword:$FALSE

February 18th, 2015 7:33am

Try using -Recursive.

You can also set multiple attributes at one time by using -Replace.

Set-ADUser -Replace @{PasswordNeverExpires=$false;CannotChangePassword=$false}

  • Marked as answer by jamicon 20 hours 14 minutes ago
February 18th, 2015 8:26am

or where do I insert -Recursive?

and thanks for the tip

like this?

import-module activedirectory
Get-ADGroupMember -identity "CGI VPN Password Policy" -Recursive | Set-ADUser -Replace @{PasswordNeverExpires=$false;CannotChangePassword=$false}

  • Edited by jamicon 21 hours 11 minutes ago
February 18th, 2015 9:06am

Correct.  Hopefully that will give you what you want.
  • Marked as answer by jamicon 19 hours 21 minutes ago
February 18th, 2015 9:45am

Hi,

Try it like this:

Get-ADGroupMember -Identity 'CGI VPN Password Policy' -Recursive | 
    Set-ADUser -CannotChangePassword:$false -PasswordNeverExpires:$false -WhatIf

Remove the -WhatIf to actually make the change.

February 18th, 2015 9:48am

I've used this example in one of my scripts to return all the nested groups. This may help.

Get-ADGroupMember -Identity <GroupName> | Where-Object {($_.objectClass) -eq "group"} | Get-ADGroupMember -Recursive | Select-Object -Unique


  • Edited by tommymaynard 20 hours 26 minutes ago
  • Marked as answer by jamicon 20 hours 18 minutes ago
  • Unmarked as answer by jamicon 20 hours 16 minutes ago
  • Marked as answer by jamicon 19 hours 21 minutes ago
February 18th, 2015 9:48am

Correct.  Hopefully that will give you what you want.

Just a heads up:

Set-ADUser : The specified directory service attribute or value does not exist
Parameter name: CannotChangePassword

February 18th, 2015 9:48am

thanks everyone!!
February 18th, 2015 10:16am

just some feedback.

When I ran my original with -Recursive, CannotChangePassword worked, but when I tried it with the suggested @ script it errored and did not work on CannotChangePassword.

how weird is that.

February 18th, 2015 10:23am

just some feedback.

When I ran my original with -Recursive, CannotChangePassword worked, but when I tried it with the suggested @ script it errored and did not work on CannotChangePassword.

how weird is that.

When you use -Replace you have to give it the proper name of the AD attribute. In the case of "cannot change password", the attribute (actually named userAccountControl) cannot be modified directly (for this flag at least), as it is a permission on the user object. I usually like using -Replace, but it's not a great choice in this instance.

  • Marked as answer by jamicon 19 hours 21 minutes ago
February 18th, 2015 11:02am
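
An added example, not posted by anyone in this thread: it combines the -Recursive lookup with the named Set-ADUser parameters (which worked for the poster where the -Replace hashtable errored) and reports each account's flags before changing them. The group name is the one from the thread; the output column names are made up for illustration.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$group = 'CGI VPN Password Policy'   # group name taken from the thread

# -Recursive flattens nested groups and returns only leaf members.
# Leaf members can include computer objects, so keep users only, and
# de-duplicate in case an account is reachable through several nested groups.
$users = Get-ADGroupMember -Identity $group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Sort-Object -Property distinguishedName -Unique

foreach ($member in $users) {
    # Read the current state first so the run leaves an audit trail.
    $before = Get-ADUser -Identity $member.distinguishedName `
        -Properties PasswordNeverExpires, CannotChangePassword

    # Skip accounts that already comply; touch only the ones that need it.
    if ($before.PasswordNeverExpires -or $before.CannotChangePassword) {

        # PasswordNeverExpires and CannotChangePassword are cmdlet parameters,
        # not LDAP attribute names, so they are passed by name here rather
        # than through a -Replace hashtable.
        # -WhatIf only previews the change; remove it to apply.
        Set-ADUser -Identity $before `
            -PasswordNeverExpires $false `
            -CannotChangePassword $false `
            -WhatIf

        # Emit one record per account that would be modified.
        [pscustomobject]@{
            SamAccountName             = $before.SamAccountName
            PasswordNeverExpiresBefore = $before.PasswordNeverExpires
            CannotChangePasswordBefore = $before.CannotChangePassword
        }
    }
}
```

Piping the output to Export-Csv keeps a record of which accounts had non-expiring or locked passwords before the policy was enforced.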

This topic is archived. No further replies will be accepted.
