janikvonrotz
12/13/2013 - 11:48 AM
PowerShell: Custom Active Directory Password Policy #PowerShell #ActiveDirectory
PowerShell: Custom Active Directory Password Policy #PowerShell #ActiveDirectory
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2013-03-20T14:18:21.6393172</Date>
<Author>Janik von Rotz (http://janikvonrotz.ch)</Author>
<Description>Disabe Users With Password Never Expires</Description>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2013-01-01T03:30:00</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>$PSapps.PowerShell</Command>
<Arguments>$(Get-ChildItem -Path $PSscripts.Path -Filter "Disable-UsersWithPasswordNeverExpires.ps1" -Recurse).Fullname</Arguments>
<WorkingDirectory>$PSProfile.Path</WorkingDirectory>
</Exec>
</Actions>
</Task><#
$Metadata = @{
Title = "Disabe Users With Password Never Expires"
Filename = "Disable-UsersWithPasswordNeverExpires.ps1"
Description = ""
Tags = "powershell, script, jobs"
Project = ""
Author = "Janik von Rotz"
AuthorContact = "http://.janikvonrotz.ch"
CreateDate = "2013-12-13"
LastEditDate = "2013-12-13"
Version = "1.0.0"
License = @'
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.
To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>
try{
#--------------------------------------------------#
# modules
#--------------------------------------------------#
Import-Module ActiveDirectory
#--------------------------------------------------#
# settings
#--------------------------------------------------#
$DaysBeforeDisablingUsersWithPasswordNeverExpires = 180
$ADGroupWithUsersPasswordNeverExpires = "S-1-5-21-1744926098-708661255-2033415169-36648" # Memberof GroupName should be "SPO_PasswordNotification"
#--------------------------------------------------#
# main
#--------------------------------------------------#
Get-ADGroupMember $ADGroupWithUsersPasswordNeverExpires -Recursive |
Get-ADUser -Properties Enabled, PasswordNeverExpires, PasswordLastSet |
Select *, @{L = "PasswordExpires";E = {((Get-Date) - ($_.PasswordLastSet)).Days}} |
where{($_.Enabled -eq $true) -and ($_.PasswordNeverExpires -eq $true) -and ($_.PasswordExpires -eq $DaysBeforeDisablingUsersWithPasswordNeverExpires)} | %{
Write-PPEventLog "Enabled Passwort Expiration for: $($_.UserPrincipalName)." -WriteMessage -Source "Disabe Users With Password Never Expires"
Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false
}
}catch{
Write-PPErrorEventLog -Source "Disabe Users With Password Never Expires" -ClearErrorVariable
}