Active Directory – Change User’s Password – Resolution

 

Preface

In a previous post, I spoke of an SMH (Shaking My Head) moment I was having.

I couldn’t change a password assigned to a newly created Service Account.

The post is here.

 

 

Problem Identification

Thankfully, I have friends in high places or at least friends who are not so dim.

As Ron was leaving for the day, I said to him, “You’re gonna hate me for bothering you.”

“But what is with my inability to change my password?”

He said it is a Group Policy thing.

I said I checked the Group Policy (GP) and I did not see that.

 

Group Policy Report

Code

Using gpresult we can generate Group Policy Reports.

Generate HTML Output

Script


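rem Account whose resultant Group Policy we want to report on
set "_user=LAB\sbc"
if not exist "d:\temp" md "d:\temp"
rem /F overwrites an existing report file; /H writes the report as HTML
gpresult /USER %_user% /F /H d:\temp\grResultUser.html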

 

Output

[Screenshot: account and password policies]

Generate Textual Output

Script


set "_user=LAB\svcSQL"

rem /V prints the verbose resultant policy; page through it with more
gpresult /V /USER %_user% | more

Output

[Screenshot: RSoP, minimum password age]

Explanation

Underneath Policies \ Windows Settings \ Account Policies \ Password Policy,

there is a winning GPO stating that “Minimum password age” is 5 days.

 

Conclusion

I still did not get it, and so Ron had to explain it.

A password has to be at least 5 days old, prior to anyone having the ability to change it.

The password was only created yesterday, and so I have to wait a few more days.

 

MSFT’s Recommendation

Cristian Dobre

Link

[Screenshot: Cristian Dobre]

 

Confirm Our Last Password Date

Let us confirm our last password date

Code – Credit

As always, I can not write this code.

Stealing this time from Homework

The specific post is titled “How to get the last password change for a user in Active Directory” and it is credited to Alessandro Tani.

It is available here.

Code


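# Requires the ActiveDirectory module (part of RSAT)
Import-Module ActiveDirectory

# Account to look up
$ADUser="svcDBHRDB"

$formatDate="yyyy-MM-dd HH:mm"
$now=Get-Date -format $formatDate

"Current Date & Time is {0}" -f $now

# PasswordLastSet is not returned by default, so request it explicitly
Get-ADuser $ADUser -properties PasswordLastSet | Format-List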

 

Output

[Screenshot: Get-ADUser output, 2016-12-01 08:38 AM]
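
Putting the two findings together (the “Minimum password age” policy and the PasswordLastSet value), the following added example computes the earliest date on which the password can be changed. It is not code from this post or from the credited Alessandro Tani post; the function name Get-EarliestPasswordChange and the sample dates are constructed for illustration.

```powershell
# Added example: Get-EarliestPasswordChange is a hypothetical helper name.
function Get-EarliestPasswordChange {
    param(
        [Parameter(Mandatory)] [datetime] $PasswordLastSet,
        [Parameter(Mandatory)] [timespan] $MinPasswordAge,
        [datetime] $Now = (Get-Date)
    )
    # The password can be changed once it is at least MinPasswordAge old.
    $earliest = $PasswordLastSet + $MinPasswordAge
    [pscustomobject]@{
        PasswordLastSet = $PasswordLastSet
        MinPasswordAge  = $MinPasswordAge
        EarliestChange  = $earliest
        CanChangeNow    = ($Now -ge $earliest)
        TimeRemaining   = if ($Now -lt $earliest) { $earliest - $Now } else { [timespan]::Zero }
    }
}

# Offline check with constructed dates: password set the day before, 5-day minimum age.
Get-EarliestPasswordChange -PasswordLastSet '2016-11-30 09:00' `
    -MinPasswordAge (New-TimeSpan -Days 5) -Now '2016-12-01 08:38' | Format-List

# Live lookup: needs the ActiveDirectory module and a reachable domain controller.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $ADUser = "svcDBHRDB"   # account name used in the post
    $user = Get-ADUser $ADUser -Properties PasswordLastSet

    # A fine-grained password policy (PSO) that applies to the user takes
    # precedence over the domain-wide password policy, so check it first.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $ADUser
    $minAge = if ($pso) { $pso.MinPasswordAge } else { (Get-ADDefaultDomainPasswordPolicy).MinPasswordAge }

    if ($null -eq $user.PasswordLastSet) {
        # PasswordLastSet is empty when the password must be changed at next logon.
        "{0}: PasswordLastSet is empty, no minimum-age wait applies" -f $ADUser
    } else {
        Get-EarliestPasswordChange -PasswordLastSet $user.PasswordLastSet `
            -MinPasswordAge $minAge | Format-List
    }
}
```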

Errors

Error – Import-Module : The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.

Please read this QA:

Import-Module : The specified module ‘activedirectory’ was not loaded because no valid module file was found in any module directory
Link

 

References

  1. Security Policy Settings Reference > Account Policies > Password Policy > Minimum password age
    Link
  2. Alessandro Tani
    • How to get the last password change for a user in Active Directory
      Link
  3. Nirmal Sharma
    • When was the Last Password Changed for a User Account in Active Directory
      Link

 
