
We are about to implement a new password policy that will require users to change their password every six months. We also need every user to change their password this week. I'd rather not create a biannual password-change-frenzy, and would prefer to either randomize or stagger the password expiration date.

I receive an error when attempting to modify the pwdLastSet property in ADSI edit. It seems the property may be read-only. If I can write to it, I'm not sure if modifying the pwdLastSet property directly will have any ill effects.

I considered implementing multiple password policies, but from what I read, multiple password policies are not supported at DFL 2003, which would require an upgrade (though it may make for a half-decent excuse to finally upgrade.)

How can I avoid a week-long, company-wide password change that recurs every six months when all users require a password change immediately?

rtf

2 Answers


Off the top of my head: pick a random set of users, wait whatever timeframe you want their existing password to last, then expire their passwords again:

$users = get-aduser -filter * | get-random -count <my number of users>
foreach ($user in $users) {Set-ADUser $user -ChangePasswordAtLogon $true}

Obviously you'd need PowerShell for this example, but the same can be done in any scripting language.

Jim B

There are a couple of methods available to do this. I haven't had good experiences trying to randomize this programmatically - trying to write anything but a 0 or -1 to the pwdLastSet attribute didn't work for me.

My leaning would be to apply your new password policy and then expire the passwords of a group of users on a weekly basis to spread out the load.

You can use admodify to reset the last modified date. I'd grab a group (I actually imported a list of usernames from a TXT file) and require them to change their password at next login.

I kept a spreadsheet to know which users still needed to be expired.

Two downsides to this approach - you need to run this script several times and the users won't get the full six months use of their first complex password.

Tim Brigham
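Both answers above amount to the same plan: split the user base into groups and force a password change for one group per week, keeping a record of who has been done. The script below is an added example that puts that plan in code; it is not from either answerer. It assumes the RSAT ActiveDirectory module, an account allowed to modify users, and that `$PlanPath` and `$CohortCount` are placeholder values you will adjust.

```powershell
# Added example, not from the answers above: spread a one-time forced password
# change over several weekly cohorts instead of expiring everyone at once.
# Assumes the RSAT ActiveDirectory module and an account allowed to modify users.
# $PlanPath and $CohortCount are assumed values; adjust them to your environment.
Import-Module ActiveDirectory

$CohortCount = 6                                   # weeks to spread the change over
$PlanPath    = 'C:\PasswordRollout\cohorts.csv'    # assumed location of the saved plan

function New-CohortPlan {
    # Run once. Shuffles eligible users, deals them round-robin into cohorts and
    # saves the assignment so every weekly run works from the same list
    # (this replaces the spreadsheet the second answer mentions).
    param([int]$Count = $CohortCount, [string]$Path = $PlanPath)
    $all = @(Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false })
    # Get-Random with -Count equal to the set size returns every user in random order.
    $shuffled = @($all | Get-Random -Count $all.Count)
    $plan = for ($i = 0; $i -lt $shuffled.Count; $i++) {
        [pscustomobject]@{ SamAccountName = $shuffled[$i].SamAccountName; Cohort = ($i % $Count) + 1 }
    }
    $plan | Export-Csv -Path $Path -NoTypeInformation
    Write-Host ("Planned {0} users across {1} cohorts -> {2}" -f $all.Count, $Count, $Path)
}

function Invoke-Cohort {
    # Run once per week with -Week 1, 2, ... Flags only that week's users so they
    # must change their password at next logon; -WhatIf previews without changing anything.
    param([Parameter(Mandatory)][int]$Week, [string]$Path = $PlanPath, [switch]$WhatIf)
    $members = @(Import-Csv -Path $Path | Where-Object { [int]$_.Cohort -eq $Week })
    foreach ($m in $members) {
        # pwdLastSet of 0 already means "must change at next logon", so skip those
        # users; re-running the same week is then harmless.
        $u = Get-ADUser -Identity $m.SamAccountName -Properties pwdLastSet
        if ($u.pwdLastSet -eq 0) { continue }
        Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$WhatIf
    }
    Write-Host ("Cohort {0}: {1} users processed" -f $Week, $members.Count)
}

# Usage: New-CohortPlan once, then each week Invoke-Cohort -Week N -WhatIf to review,
# followed by Invoke-Cohort -Week N to apply.
```

Because the cohorts are assigned once and persisted, the expiry dates stay staggered on the following six-month cycle as well, which is the effect the question is after.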