# Help with avoiding Active Directory in homemade command

worn nexus
#

I’m in a youth cyber security competition known as Cyber Patriot, and within the program I’m my team’s captain this year. One of the biggest roles as team captain is making scripts and checklists for my team. I have made the biggest PowerShell script in my team’s history, but I’ve been struggling with debugging it. I am down to one command that has stumped my entire team. This is a command that I wrote myself (we don’t talk about how long it took), however when I went to test it within the script on one of our training VMs I learned that in our Windows VMs we will compete with for points, Active Directory isn’t installed. So what I would like help with is how do I either convert this to not use Active Directory or find a new command that does the same thing without Active Directory. Remember, you’re helping today’s youth, but tomorrow’s leaders.
Here’s the command:

```powershell
# Replace 'OU=Sales,DC=domain,DC=com' with your OU path
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=domain,DC=com" |
    Set-ADUser -ChangePasswordAtLogon $true
```
(Ik the pipe isn’t correct the way it pasted in)

Please ping me if you have any fixes/questions/suggestions.

wanton basin
#

you mean the ActiveDirectory module is not installed right?

Why not just install it? Exactly how depends a bit on the operating system you're running on, but it's just a feature / component.

Otherwise you'd have to use ADSI.

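```powershell
# [ADSISearcher] is the type accelerator for System.DirectoryServices.DirectorySearcher
$searcher = [ADSISearcher]::new(
    [ADSI]'LDAP://OU=Sales,DC=domain,DC=com',
    '(&(objectClass=user)(objectCategory=person))'
)
foreach ($result in $searcher.FindAll()) {
    $directoryEntry = $result.GetDirectoryEntry()
    # pwdLastSet = 0 forces a password change at next logon
    $directoryEntry.Put('pwdLastSet', 0)
    $directoryEntry.SetInfo()
}
```
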
inner vale
#

Another option is to call the .NET Framework for the commands. Instead of Get-ADUser you can use
[System.DirectoryServices.ActiveDirectory]::GetADUser
You would need to read this and use trial and error to convert to PowerShell. This does not require the module to be installed. I am assuming that you are running Windows 10/11 Pro, Edu or Enterprise and not Home.
https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory?view=netframework-4.8

worn nexus
wanton basin
#

There's a lot of ::GetADUser in the suggestion above doesn't exist. So you know, you can use the namespace, but you've gotta use the right methods and types.

inner vale
#

Yeah, that was a typo. The real deal is using a DirectorySearcher and writing a small function to use it and return a value. If you cannot install the AD module or use ADSI, that is your best bet, but it is a small pain until you get your working custom functions and modules around it. May not be the best solution.

worn nexus
wanton basin
#

then ADSI is the way to go. It's native and has been supported since PowerShell 1. It's the smallest change to achieve that small goal of requesting a password change

worn nexus
wanton basin
#

It replaces your Get-ADUser and Set-ADUser commands

#

there are no other steps. ADSI is native for the Windows platform, you can just use it without any extra consideration

worn nexus
wanton basin
#

I don't know, I haven't seen your original script

worn nexus
#

Ok. But to clarify, do I need to change the command that I sent in my original message?

wanton basin
#

You have to remove them, you can't use those if you don't have the AD module.