Friday, April 29, 2011

PowerShell: Set AD User No Expiration

In the specified OUs, this script sets every user account so that neither the account nor its password expires.

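# Sets every user account in the listed OUs so that neither the account nor
# its password expires, printing a running count of the accounts processed.
#
# NOTE(review): DONT_EXPIRE_PASSWD exempts an account from the domain's
# maximum-password-age policy, and accountExpires = 0 removes any end date.
# Keep the OU list as narrow as possible; the script only prints a counter,
# so it leaves no record of which accounts it modified.

#Array for OUs (adjust the distinguished names to your own domain)
$arrOUs = "LDAP://OU=campusUsers,DC=MYDOMAIN,DC=EDU",
          "LDAP://OU=campusStudents,DC=MYDOMAIN,DC=EDU"

#userAccountControl bit flags used below
$UF_ACCOUNTDISABLE     = 0x0002
$UF_PASSWD_NOTREQD     = 0x0020
$UF_NORMAL_ACCOUNT     = 0x0200
$UF_DONT_EXPIRE_PASSWD = 0x10000

#Only these exact userAccountControl values are rewritten:
#  512 = enabled normal account
#  544 = enabled normal account with PASSWD_NOTREQD set
#  514 = disabled normal account
#Accounts carrying any other flag combination keep their current value.
$handledUAC = $UF_NORMAL_ACCOUNT,
              ($UF_NORMAL_ACCOUNT -bor $UF_PASSWD_NOTREQD),
              ($UF_NORMAL_ACCOUNT -bor $UF_ACCOUNTDISABLE)

$i = 0

#Run Against All Users in Specified OU
foreach ($ou in $arrOUs)
{
    $ADsPath = [ADSI]$ou
    $Search = New-Object DirectoryServices.DirectorySearcher($ADsPath)

    #objectClass=user on its own also matches computer accounts, because the
    #computer class derives from user. Adding objectCategory=person limits
    #the search to real user accounts.
    $Search.filter = "(&(objectCategory=person)(objectClass=user))"
    $Search.PageSize = 900
    $Search.SearchScope = "SubTree"

    #Reset first so a failed search cannot re-process the previous OU's results
    $results = $null
    $results = $Search.Findall()

    if ($null -ne $results)
    {
        foreach ($result in $results)
        {
            #Retrieve User Account
            $objUser = $result.GetDirectoryEntry()

            #Set Account to Not Expire
            $objUser.accountExpires = 0

            #Pull Password Settings and Convert to Int
            $crtUAC = [int]($objUser.userAccountControl.ToString())

            #Add DONT_EXPIRE_PASSWD and clear PASSWD_NOTREQD, keeping the
            #enabled/disabled state: 512 and 544 become 66048, 514 becomes 66050.
            if ($handledUAC -contains $crtUAC)
            {
                $objUser.userAccountControl = ($crtUAC -band (-bnot $UF_PASSWD_NOTREQD)) -bor $UF_DONT_EXPIRE_PASSWD
            }

            #Commit both attribute changes in a single directory write
            $objUser.setInfo()

            $i = $i + 1

            write-host $i
        }

        #SearchResultCollection holds unmanaged resources that garbage
        #collection does not release; dispose it explicitly to avoid a leak.
        $results.Dispose()
    }

    $Search.Dispose()
}

Write-Host 'All Done'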
