This script forces users to change their password at next logon if it has not been changed in the last 5 days. The accounts are selected by site (OU) in AD.
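#create all necessary variables
# Maximum age (in days) a password may have before the account is flagged.
# The original hard-coded 5 days is kept as the default.
$maxPasswordAgeDays = 5
$currenttime = Get-Date
$lasttime = $currenttime.AddDays(-$maxPasswordAgeDays)
# Where the list of affected account names is written (same path as before;
# writing to the root of C: normally requires an elevated session).
$outputPath = 'C:\changedusers.txt'
# A generic List avoids rebuilding the array on every += inside the loop.
$changedusers = [System.Collections.Generic.List[string]]::new()

#choose users from specific sites and add them to the array
# One SearchBase per site; the placeholder OU is repeated here exactly as it
# was in the original - replace each entry with the real site OU.
$siteSearchBases = @(
    'OU=myou,DC=mydomain,DC=local',
    'OU=myou,DC=mydomain,DC=local',
    'OU=myou,DC=mydomain,DC=local',
    'OU=myou,DC=mydomain,DC=local'
)
$allsites = @()
foreach ($searchBase in $siteSearchBases) {
    # NOTE: -Filter * returns every account under the OU, including disabled
    # and service accounts; narrow the filter if those must not be touched.
    # += flattens the result, so $allsites ends up as one list of user objects.
    $allsites += Get-ADUser -Filter * -SearchBase $searchBase -Properties passwordlastset
}

#go through every user collected from the sites
foreach ($user in $allsites) {
    # A site that returned nothing contributes a $null entry; skip it.
    if ($null -eq $user) { continue }
    #if user pass last reset is older than the threshold or it's empty, reset it, add it to the list for later
    # $null is tested first (and on the left-hand side) so a missing
    # pwdLastSet never reaches the date comparison.
    if ($null -eq $user.PasswordLastSet -or $user.PasswordLastSet -le $lasttime) {
        try {
            # -ErrorAction Stop turns the cmdlet's non-terminating error into an
            # exception, so an account is only recorded as changed when the
            # write actually succeeded (the original recorded it either way).
            # Setting this flag may be rejected for some accounts (e.g. ones
            # whose password is configured never to expire) - those land in catch.
            $user | Set-ADUser -ChangePasswordAtLogon:$True -ErrorAction Stop
            $changedusers.Add($user.Name)
        }
        catch {
            Write-Warning "Could not flag $($user.SamAccountName) for password change: $($_.Exception.Message)"
        }
    }
}

#export results
# One name per line, as before; an empty run still produces an (empty) file.
$changedusers | Out-File -FilePath $outputPath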