
PowerShell: Custom Active Directory Password Policy #PowerShell #ActiveDirectory


<?xml version="1.0" encoding="UTF-16"?>
<!-- Task Scheduler definition for the daily job that clears "password never
     expires" on stale accounts (see Disable-UsersWithPasswordNeverExpires.ps1). -->
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2013-03-20T14:18:21.6393172</Date>
    <Author>Janik von Rotz (http://janikvonrotz.ch)</Author>
	<Description>Disabe Users With Password Never Expires</Description>
  </RegistrationInfo>
  <Triggers>
    <!-- Once a day at 03:30 local time. The script only acts on the day an
         account crosses its age threshold, so a missed run (e.g. the
         on-battery settings below) means that account is not processed. -->
    <CalendarTrigger>
      <StartBoundary>2013-01-01T03:30:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>false</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <!-- Hard kill after three days (ISO 8601 duration). -->
    <ExecutionTimeLimit>P3D</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <!-- Context="Author": the action runs under the account that registered the
       task. The script calls Set-ADUser, so that account needs write access
       to the affected users; NOTE(review): presumably a privileged account,
       so the task's own ACL and the script tree below should be admin-only. -->
  <Actions Context="Author">
    <Exec>
      <!-- $PSapps / $PSscripts / $PSProfile are not Task Scheduler syntax;
           they look like placeholders substituted by a registration helper
           before import - TODO confirm. The script path is resolved by a
           recursive filename search under $PSscripts.Path, so the first
           matching file wins: keep that tree writable by administrators
           only, otherwise a same-named file placed there would run in this
           task's context. -->
      <Command>$PSapps.PowerShell</Command>
      <Arguments>$(Get-ChildItem -Path $PSscripts.Path -Filter "Disable-UsersWithPasswordNeverExpires.ps1" -Recurse).Fullname</Arguments>
      <WorkingDirectory>$PSProfile.Path</WorkingDirectory>
    </Exec>
  </Actions>
</Task>
<#
$Metadata = @{
	Title = "Disabe Users With Password Never Expires"
	Filename = "Disable-UsersWithPasswordNeverExpires.ps1"
	Description = ""
	Tags = "powershell, script, jobs"
	Project = ""
	Author = "Janik von Rotz"
	AuthorContact = "http://janikvonrotz.ch"
	CreateDate = "2013-12-13"
	LastEditDate = "2013-12-13"
	Version = "1.0.0"
	License = @'
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>

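try{

    #--------------------------------------------------#
    # modules
    #--------------------------------------------------#
    Import-Module ActiveDirectory

    #--------------------------------------------------#
    # settings
    #--------------------------------------------------#
    # Password age in days (today minus PasswordLastSet) at which the
    # "password never expires" flag is cleared for a member of the group below.
    $DaysBeforeDisablingUsersWithPasswordNeverExpires = 180
    # The group is referenced by SID rather than name so that renaming the
    # group cannot silently change which accounts this job modifies.
    # Group name should be "SPO_PasswordNotification".
    $ADGroupWithUsersPasswordNeverExpires = "S-1-5-21-1744926098-708661255-2033415169-36648"
    $EventSource = "Disabe Users With Password Never Expires"

    #--------------------------------------------------#
    # main
    #--------------------------------------------------#

    # Despite the job title no account is disabled: the only write is clearing
    # PasswordNeverExpires, after which the normal domain password policy
    # applies to the account.
    #
    # The age test is ">=" rather than "==" so that an account whose threshold
    # day was missed (task did not run, DC unreachable) is still processed on
    # the next run. Once the flag is cleared the account no longer matches, so
    # each account is touched at most once.
    Get-ADGroupMember $ADGroupWithUsersPasswordNeverExpires -Recursive |
    # -Recursive also returns computer objects; only users are meaningful here
    # and Get-ADUser would report an error for anything else.
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties Enabled, PasswordNeverExpires, PasswordLastSet |
    # PasswordLastSet is empty for accounts that must change their password at
    # next logon; skip those instead of computing an age from a null date.
    Where-Object { ($_.Enabled -eq $true) -and ($_.PasswordNeverExpires -eq $true) -and $_.PasswordLastSet } |
    Select-Object *, @{L = "PasswordExpires"; E = { ((Get-Date) - ($_.PasswordLastSet)).Days }} |
    Where-Object { $_.PasswordExpires -ge $DaysBeforeDisablingUsersWithPasswordNeverExpires } |
    ForEach-Object {

        # Log before the write so a failing Set-ADUser can be correlated with the
        # account it was attempted on.
        Write-PPEventLog "Enabled Passwort Expiration for: $($_.UserPrincipalName)." -WriteMessage -Source $EventSource
        Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false
    }
}catch{

    # Catches terminating errors only; per-object non-terminating errors from
    # the AD cmdlets are written to the error stream and do not land here.
    Write-PPErrorEventLog -Source "Disabe Users With Password Never Expires" -ClearErrorVariable
}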