当前位置：首页 > news >正文

AD域控批量配置域用户下次登录需要修改密码

news 2026/3/27 1:25:25

##### 读取csv文件批量设置域用户下次登录需要修改密码

Import-Module ActiveDirectory# 配置参数(SamAccountName参数为用户账号所在的列）
$CSVFile = "C:\temp\All_AD_Users.csv"
$UsernameColumn = "SamAccountName"# 读取CSV文件
$users = Import-Csv -Path $CSVFile -Encoding UTF8Write-Host "开始处理 $($users.Count) 个用户..." -ForegroundColor Yellow$successCount = 0
$failCount = 0foreach ($user in $users) {$username = $user.$UsernameColumnif (-not [string]::IsNullOrWhiteSpace($username)) {try {Set-ADUser -Identity $username -ChangePasswordAtLogon $trueWrite-Host "  成功: $username" -ForegroundColor Green$successCount++}catch {Write-Host "  失败: $username - $_" -ForegroundColor Red$failCount++}}
}Write-Host "`n处理完成！" -ForegroundColor Cyan
Write-Host "成功: $successCount" -ForegroundColor Green
Write-Host "失败: $failCount" -ForegroundColor Red

##### 批量设置所有域用户下次登录需要修改密码【带白名单模式，白名单中的用户例外，支持*通配符】

#####批量设置所有域用户下次登录需要修改密码【带白名单模式，白名单中的用户例外】
Import-Module ActiveDirectory# 排除特定账户（如管理员、服务账户）使用通配符
$ExcludedPatterns = @("Administrator", "Guest", "krbtgt", "svc_*", "*admin*", "test*", "boss*")# 获取所有启用用户
$AllUsers = Get-ADUser -Filter {Enabled -eq $true} -Properties SamAccountName, PasswordNeverExpires# 初始化数组
$UsersToSet = @()
$UsersNotToSet = @()# 分类用户
foreach ($User in $AllUsers) {$exclude = $false# 检查是否匹配排除模式foreach ($pattern in $ExcludedPatterns) {if ($User.SamAccountName -like $pattern) {$exclude = $truebreak}}# 分类用户if ($exclude -or $User.PasswordNeverExpires -eq $true) {$reason = if ($exclude) { "排除模式" } else { "密码永不过期" }$UsersNotToSet += [PSCustomObject]@{SamAccountName = $User.SamAccountNameReason = $reason}} else {$UsersToSet += $User}
}# 批量设置需要修改密码的用户
$successCount = 0
$failCount = 0Write-Host "`n开始设置需要修改密码的用户..." -ForegroundColor Yellow
foreach ($User in $UsersToSet) {try {Set-ADUser -Identity $User.SamAccountName -ChangePasswordAtLogon $trueWrite-Host "✓ 成功设置: $($User.SamAccountName)" -ForegroundColor Green$successCount++}catch {Write-Host "✗ 失败: $($User.SamAccountName) - $_" -ForegroundColor Red$failCount++# 将失败的用户添加到不设置列表中$UsersNotToSet += [PSCustomObject]@{SamAccountName = $User.SamAccountNameReason = "设置失败: $_"}}
}# 统计并显示不需要修改密码的用户
Write-Host "`n" + ("-" * 50) -ForegroundColor Gray
Write-Host "不需要修改密码的用户列表（共 $($UsersNotToSet.Count) 个）:" -ForegroundColor Magentaif ($UsersNotToSet.Count -gt 0) {# 按用户名排序显示$UsersNotToSet | Sort-Object SamAccountName | ForEach-Object {Write-Host "  $($_.SamAccountName.PadRight(25)) - $($_.Reason)" -ForegroundColor Magenta}# 按原因分组统计Write-Host "`n按原因分组统计:" -ForegroundColor Magenta$UsersNotToSet | Group-Object Reason | ForEach-Object {Write-Host "  $($_.Name): $($_.Count) 个用户" -ForegroundColor Magenta}
} else {Write-Host "  没有不需要修改密码的用户" -ForegroundColor Magenta
}# 显示最终统计信息
Write-Host "`n" + ("=" * 50) -ForegroundColor Cyan
Write-Host "执行结果统计:" -ForegroundColor Cyan
Write-Host "  需要设置的用户总数: $($UsersToSet.Count)" -ForegroundColor White
Write-Host "  成功设置的用户数: $successCount" -ForegroundColor Green
Write-Host "  设置失败的用户数: $failCount" -ForegroundColor Red
Write-Host "  不需要设置的用户数: $($UsersNotToSet.Count)" -ForegroundColor Magenta
Write-Host "  总用户数（启用）: $($AllUsers.Count)" -ForegroundColor White
Write-Host "=" * 50 -ForegroundColor Cyan# 可选：将结果导出到CSV文件
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$outputFile = "AD用户密码设置报告_$timestamp.csv"$report = @()
foreach ($user in $UsersToSet) {$status = if ($user.SamAccountName -in ($UsersNotToSet | Where-Object { $_.Reason -like "设置失败*" }).SamAccountName) {"失败"} else {"成功"}$report += [PSCustomObject]@{用户名 = $user.SamAccountName状态 = $status类别 = "需要设置"备注 = if ($status -eq "失败") { ($UsersNotToSet | Where-Object { $_.SamAccountName -eq $user.SamAccountName }).Reason } else { "已设置下次登录修改密码" }}
}foreach ($user in $UsersNotToSet | Where-Object { $_.Reason -notlike "设置失败*" }) {$report += [PSCustomObject]@{用户名 = $user.SamAccountName状态 = "未设置"类别 = "不需要设置"备注 = $user.Reason}
}$report | Sort-Object 用户名 | Export-Csv -Path $outputFile -NoTypeInformation -Encoding UTF8
Write-Host "`n详细报告已保存到: $outputFile" -ForegroundColor Cyan

##### 批量取消所有用户下次登录需要修改密码

# 导入AD模块
Import-Module ActiveDirectory# 颜色定义
$SuccessColor = "Green"
$ErrorColor = "Red"
$InfoColor = "Cyan"
$WarningColor = "Yellow"
$ProgressColor = "Gray"# 获取所有启用用户
$users = Get-ADUser -Filter {Enabled -eq $true}Write-Host "`n开始批量取消设置'下次登录需修改密码'标志..." -ForegroundColor $WarningColor
Write-Host "预计处理 $($users.Count) 个用户" -ForegroundColor $InfoColor
Write-Host ("-" * 50) -ForegroundColor $ProgressColor$successCount = 0
$failCount = 0for ($i = 0; $i -lt $users.Count; $i++) {$user = $users[$i]$progress = [math]::Round((($i + 1) / $users.Count) * 100, 1) try {# 同时取消两种设置方式Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $falseSet-ADUser -Identity $user.SamAccountName -Replace @{pwdLastSet = -1}# 成功 - 绿色显示Write-Host "  ✓ $($user.SamAccountName)" -ForegroundColor $SuccessColor$successCount++}catch {# 失败 - 红色显示Write-Host "  ✗ $($user.SamAccountName) - $_" -ForegroundColor $ErrorColor$failCount++}
}# 使用不同颜色显示最终统计
Write-Host "`n" + ("=" * 50) -ForegroundColor White
Write-Host "处理完成！" -ForegroundColor White
Write-Host ("=" * 50) -ForegroundColor White
Write-Host "成功: $successCount" -ForegroundColor $SuccessColor
Write-Host "失败: $failCount" -ForegroundColor $ErrorColor
Write-Host "总计: $($users.Count)" -ForegroundColor $InfoColor