
Tom’s AD Password Extender (often referred to in administrative circles as Tom’s Password Extender) is a specialized IT utility used by network administrators to manage, track, and selectively defer password expiration dates for Active Directory (AD) user accounts.

To use this utility effectively, you must understand how to leverage its tracking features while handling synchronization anomalies with cloud environments like Azure AD / Entra ID.

1. View and Audit Account Expiration Statuses

The core strength of the utility is its visibility into exact password expiration timelines.

Launch the console using an account with delegated administrative rights over the target Organizational Units (OUs).

Filter by attributes to locate accounts approaching their expiration window.

Verify the actual remaining days against the Fine-Grained Password Policies (FGPP) that apply to the account, to ensure the tool is pulling the correct maximum password age.

2. Extend the Password Life Cycle

When an employee requires a temporary extension (e.g., long-term leave or critical project lockouts), use the tool to safely reset the expiration countdown without changing the actual password phrase. Select the user account and trigger the extension feature.

Understand the backend mechanism: the tool works by rewriting the user’s pwdLastSet attribute, the timestamp from which Active Directory computes the expiration date by adding the effective maximum password age.

Avoid “Password Never Expires”: Instead of checking the unsafe “Password never expires” box in Active Directory Users and Computers (ADUC), use the extender to reset the pwdLastSet timestamp to the current date. This keeps the account governed by organizational rotation policies while safely pushing the expiration date back.

3. Handle Azure AD / Microsoft 365 Sync Issues

A common issue when using Tom’s Password Extender in hybrid setups is a synchronization mismatch. You may see that an account has months remaining in the tool, yet the user is forced to change their password when logging into Microsoft 365 or portal.office.com.

Force a Delta Sync: Run a manual delta sync on your Microsoft Entra Connect (formerly Azure AD Connect) server using PowerShell to push the updated pwdLastSet attribute to the cloud immediately:

```powershell
Start-ADSyncSyncCycle -PolicyType Delta
```

Verify Cloud Password Writeback: Ensure that Password Writeback is properly enabled in your synchronization settings so local AD updates map cleanly to cloud-based authentications.
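As an added example (not the utility’s own code), the following script performs the audit, extension and delta-sync steps from sections 1 to 3 with built-in cmdlets, so you can verify what the tool is doing underneath. The parameter names $SamAccountName, $Extend and $DeltaSync are assumptions, as is the presence of the ActiveDirectory and ADSync modules on the machine where it runs.

```powershell
# Added example, not part of Tom's AD Password Extender. Audits a user's remaining
# password life against the resultant policy, optionally extends it by stamping
# pwdLastSet with the current time, and optionally triggers a delta sync.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # assumed parameter name
    [switch] $Extend,                                  # assumed parameter name
    [switch] $DeltaSync                                # assumed parameter name
)
Import-Module ActiveDirectory

$user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordNeverExpires

# Resultant policy is the FGPP that applies to the user, or the default domain policy.
$policy = Get-ADUserResultantPasswordPolicy -Identity $user
if (-not $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
$maxAge = $policy.MaxPasswordAge

if ($user.PasswordNeverExpires) {
    Write-Warning "$SamAccountName has 'Password never expires' set; clear it so rotation policy applies."
}
if ($maxAge -eq [TimeSpan]::Zero) {
    Write-Warning "Effective policy has no maximum password age (0 means no maximum); nothing to extend."
    return
}

# pwdLastSet is a FILETIME; 0 means the user must change the password at next logon.
$lastSet   = if ($user.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($user.pwdLastSet) } else { $null }
$expires   = if ($lastSet) { $lastSet + $maxAge } else { $null }
$remaining = if ($expires) { [math]::Floor(($expires - (Get-Date).ToUniversalTime()).TotalDays) } else { 0 }
Write-Host ("{0}: pwdLastSet {1}, max age {2} day(s), expires {3}, {4} day(s) remaining" -f
    $SamAccountName, $lastSet, $maxAge.Days, $expires, $remaining)

if ($Extend) {
    # Same mechanism the tool relies on: writing 0 and then -1 makes AD stamp pwdLastSet
    # with the current time, so the account stays governed by the rotation policy.
    # Both writes appear as event 4738 on the DC when account-management auditing is on.
    Set-ADUser -Identity $user -Replace @{ pwdLastSet = 0 }
    Set-ADUser -Identity $user -Replace @{ pwdLastSet = -1 }
    Write-Host "pwdLastSet reset for $SamAccountName; new expiry is now + $($maxAge.Days) day(s)."
}

if ($DeltaSync) {
    # Push the updated attribute to Entra ID without waiting for the scheduled cycle
    # (run on the Entra Connect server).
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it without switches first to confirm the computed expiry matches what the extender displays before using -Extend.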
