When a user changes his password, it's typically sometime during the day. This means that a password expiration date set to last change + n days will result in the password expiring during the day. How can I force the passwords to expire at midnight of that day instead?
How can I configure Active Directory to make passwords expire at midnight?
active-directory password-management
Best Answer
I don't believe that is possible without manually changing the PwdLastSet attribute within ADSI Edit, which I wouldn't recommend doing.
The value is stored in 100-nanosecond intervals since 12:00 am January 1, 1601. However, your only options to edit the attribute are to set it to 0 (password is now expired and user must reset), or -1 (value for PwdLastSet is changed to the current date/time).
As mentioned in comments, you would need to set the value to 0 first, then set it to -1.
You could potentially write a script to update the attribute to -1 at midnight on a given day for all users. However, this would set all your users' passwords to expire @ midnight in N days (N being your domain password policy max age setting). This could potentially extend the max age of a password.
What is your goal in setting the password to expire at midnight?
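The following is an added example, not part of the answer above: it decodes a PwdLastSet value from the 100-nanosecond-since-1601 format and models how a scripted reset at midnight moves the expiry and lengthens the real lifetime of the password. The sample timestamp, the 90-day maximum age, the helper names and the use of UTC midnight are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# PwdLastSet counts 100-nanosecond intervals from 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Decode PwdLastSet; 0 means 'expired, must change', so there is no date."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Encode a timezone-aware datetime as a 100-ns interval count."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def expiry(pwd_last_set, max_age_days):
    """Expiry = last change + maximum password age (None if already expired)."""
    changed = filetime_to_datetime(pwd_last_set)
    if changed is None:
        return None
    return changed + timedelta(days=max_age_days)

def midnight_reset_effect(pwd_last_set, reset_at, max_age_days):
    """Model a scripted write that stamps PwdLastSet with reset_at.

    Returns (new expiry, real lifetime of the unchanged password).
    """
    changed = filetime_to_datetime(pwd_last_set)
    new_expiry = expiry(datetime_to_filetime(reset_at), max_age_days)
    return new_expiry, new_expiry - changed

# Constructed sample: password really changed 2024-03-04 14:37:12 UTC.
SAMPLE_CHANGE = datetime(2024, 3, 4, 14, 37, 12, tzinfo=timezone.utc)
SAMPLE_PWD_LAST_SET = datetime_to_filetime(SAMPLE_CHANGE)
MAX_AGE_DAYS = 90  # assumed domain policy value

if __name__ == "__main__":
    print("policy expiry:", expiry(SAMPLE_PWD_LAST_SET, MAX_AGE_DAYS))
    # Hypothetical script run at midnight, 30 days after the real change.
    reset = datetime(2024, 4, 4, tzinfo=timezone.utc)
    new_expiry, lifetime = midnight_reset_effect(SAMPLE_PWD_LAST_SET, reset, MAX_AGE_DAYS)
    print("expiry after reset:", new_expiry)
    print("real password lifetime:", lifetime, "vs policy", MAX_AGE_DAYS, "days")
```

The expiry lands on midnight only because the password's real age is no longer what the policy measures; any report of password age read from PwdLastSet after such a reset understates it.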