Is it possible to block a user account if the user does not change his password after 24 hours from the moment the administrator restarts the user's password?
CodePudding user response:
The following solution is not bulletproof as it relies on the whenChanged attribute that might be changed by any other reason (something else changed on the object).
It is a PowerShell script that could be executed multiple times a day to be close to the 24 hours password change timeframe. It will get all enabled users wich have to change their password and where the user object has not been modified within 1 day.
$MaxLastChanged = $(Get-Date).AddDays(-1)
$Filter = { (pwdLastSet -eq 0) -and (enabled -eq "true") -and (whencreated -lt $MaxLastChanged) }
$AllUsersToGetDisabled = Get-ADUser -Filter $Filter -Properties WhenCreated
foreach ($User in $AllUsersToGetDisabled) {
Disable-ADAccount $User
}
Create a scheduled task for it and you will be fine.