PowerShell – RDS – XenApp – Force password change for accounts near the password’s expiration date

Hi everyone !

Today I will share a small tip for making sure no password expiration happens during the working day.

Why the tip:

  • It prevents a user from having to change their password in the middle of a live Terminal Services session, which would also force a re-logon.
    • Instead, the user is forced to change it at the connection attempt in the morning.
  • If you use the Citrix Receiver on a Windows client OS with the SSO option and your PN Agent site is set to Pass-through Authentication, then this is what happens:
    • The Receiver asks for a password change while attempting to launch the published application.
    • Once the password is changed, the Receiver pops up a window asking for the new user credentials.
    • Indirectly, the Citrix Receiver is now set to manual authentication, no longer using pass-through authentication (until the next time the user changes their password…)

The tip: make the password expire X time before the real password expiration.

# This PowerShell script queries Active Directory and returns the user accounts with passwords
# set to expire before the end of the next day, lists the affected accounts, and requires
# a password change at the next logon.  The script is configured to ignore accounts which have been
# configured with passwords that never expire, and to ignore accounts which do not have permission to
# change their own password.  Any other account would be affected, so be warned before running this
# script, as you could experience unintended consequences.  Either modify the script to reduce the
# scope of user accounts, or ensure that accounts that shouldn't be affected are either flagged with
# a non-expiring password or are flagged with "cannot change password".  Add -WhatIf to the last line
# to test; remove it when ready to run/schedule in production.
# – MWT, 10/11/13

# The value passed to AddDays (-88 here) is based upon your environment. If passwords expire every
# X (90) days and you run the script in the early morning, set it to -1*(X-1) (-89); if you run the
# script late at night, set it to -1*(X-2) (-88).

Import-Module ActiveDirectory # Required for PowerShell 2.0 only

$a = (Get-Date).Date.AddDays(-88)

# Build the list of candidate accounts: password last set before the cutoff, account enabled, password
# does expire, and the user is allowed to change it. Replace the SearchBase with your own OU.
$b = Get-ADUser -SearchBase "OU=Contonso,DC=com" -Properties Name,SamAccountName,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -Filter {(PasswordLastSet -lt $a) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} | Where-Object {$_.CannotChangePassword -eq $false}

# Display the accounts to be changed; pipe the output to Out-File (with a path to suit your needs)
# if you want a log of the affected accounts kept.
$b | Format-Table Name,PasswordLastSet,CannotChangePassword,PasswordNeverExpires -AutoSize

# Flag the accounts to require a password change at next logon (append -WhatIf to test first)
$b | ForEach-Object {Set-ADUser -Identity $_ -ChangePasswordAtLogon $true}

With that script in place, it can be scheduled to run each day after the work shift. A -WhatIf can be added to the last line to test the command before running it live.

On top of that tip, we can set the password expiration warning to less than the margin we configure in the script. For example, in the script I use -2, so I would set the password expiration warning to 1. That way I’m sure users are not reminded to change their password during the session/login.
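As an added example (not the post’s own script), here is a variant of the same procedure that reads MaxPasswordAge from the domain policy (and from any fine-grained policy applied to the user) instead of hard-coding -88, writes a CSV log of the accounts before touching them, and honours -WhatIf through SupportsShouldProcess so a dry run is the default way to test. The OU is the post’s own placeholder, the log path and the 2-day margin are assumptions.

```powershell
# Added example: derive the cutoff from the password policy and flag accounts with a dry-run option.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Contonso,DC=com',   # placeholder from the post; replace with your OU
    [int]$DaysBeforeExpiry = 2,                   # the "-2" margin from the post (assumed default)
    [string]$LogPath = "$env:TEMP\ForcedPasswordChange-$(Get-Date -Format yyyyMMdd).csv"  # assumed
)

Import-Module ActiveDirectory

# Read the domain's maximum password age instead of hard-coding 88/89 days
$domainMaxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
if ($domainMaxAge -eq [TimeSpan]::Zero) { throw 'Domain policy: passwords never expire; nothing to do.' }

$cutoff = (Get-Date).Date.AddDays(-($domainMaxAge.Days - $DaysBeforeExpiry))
Write-Verbose "MaxPasswordAge=$($domainMaxAge.Days) days; candidates have PasswordLastSet before $cutoff"

$candidates = Get-ADUser -SearchBase $SearchBase `
    -Properties PasswordLastSet,CannotChangePassword,PasswordNeverExpires `
    -Filter { (PasswordLastSet -lt $cutoff) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true) } |
    Where-Object { -not $_.CannotChangePassword }

# A fine-grained password policy (PSO) overrides the domain max age, so re-check each candidate
# against its resultant policy; a PSO with MaxPasswordAge 0 means the password never expires.
$toFlag = foreach ($u in $candidates) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u -ErrorAction SilentlyContinue
    $age = if ($pso) { $pso.MaxPasswordAge } else { $domainMaxAge }
    if ($age -eq [TimeSpan]::Zero) { continue }
    $userCutoff = (Get-Date).Date.AddDays(-($age.Days - $DaysBeforeExpiry))
    if ($u.PasswordLastSet -lt $userCutoff) { $u }
}

# Record who is about to be forced, and why, before changing anything
$toFlag | Select-Object SamAccountName,PasswordLastSet,DistinguishedName |
    Export-Csv -Path $LogPath -NoTypeInformation
$toFlag | Format-Table SamAccountName,PasswordLastSet -AutoSize

# With -WhatIf, ShouldProcess only reports what would happen and Set-ADUser is never called
foreach ($u in $toFlag) {
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Require password change at next logon')) {
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true
    }
}
```

Save it as a .ps1 and run it with -WhatIf (and -Verbose) first; the scheduled task then runs it without -WhatIf.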

The group policy to alter this default can be found at: Computer Configuration\Windows Settings\Local Policies\Security Options under Interactive Logon: Prompt user to change password before expiration


Thanks !




NB: The original script was taken from there, but it was modified by me to work on newer OS versions.
