AD Password Expiration tracking

by GregSmith at 2013-02-26 12:15:58

I found and am trying to use this bit of code to list AD users who are approaching their password expiration date. I liked this code because I did not have to hardcode the domain name. Now it occurs to me that I probably am not using it correctly as the math is not giving the expected numbers…

I changed my password yesterday but still show up in the list generated because, for me only, this is what's returned:
9/18/2012 7:09:03 AM
Greg Smith

The days calculation is correct, based on that date, but where did that date come from ???

$MaxPasswordAge = 30
$userCount = 0
# The string given to this constructor is treated as the LDAP filter (it is
# overwritten on the next line); the search root defaults to the current
# domain, which is why no domain name has to be hardcoded.
$adsiSearcher = New-Object DirectoryServices.DirectorySearcher("LDAP://rootdse")
$adsiSearcher.Filter = "objectCategory=user"
$adsiSearcher.FindAll() |
    ForEach-Object -ErrorAction SilentlyContinue `
        -Begin { "The following users need to set their password" } `
        -Process {
            # PasswordLastChanged is an ADSI computed property derived from pwdLastSet
            $pwdChanged = ([adsi]$_.Path).psbase.InvokeGet("PasswordLastChanged")
            Write-Host $pwdChanged
            Write-Host ((Get-Date) - $pwdChanged).Days
            if (((Get-Date) - $pwdChanged).Days -ge $MaxPasswordAge) {
                ([adsi]$_.Path).Name
                $userCount++
            } # end if date
        } `
        -End { "A total of $userCount users" }

by DonJ at 2013-02-26 12:35:42
That attribute is a low-priority replication item. It’s possible that you changed your password on one DC, but queried the attribute from another one that hadn’t been informed of the change in that attribute yet.

Also keep in mind that PasswordLastChanged itself isn’t replicated at all; it’s derived from pwdLastSet, which itself is low-pri.
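The following is an added example, not code from either post above. It reworks the original script around DonJ's point: it reads the underlying pwdLastSet attribute directly instead of the derived PasswordLastChanged property, and it binds the search to a named domain controller so the report states which DC's copy of the attribute it is reporting. Assumed: the running account can read user objects in the domain, $MaxPasswordAge of 30 as in the original script, and that $dc may be replaced with any other DC's DNS name to compare what different DCs hold for the same user.

```powershell
# Added example (not from the original thread). Reports users whose pwdLastSet
# is older than $MaxPasswordAge days, reading the raw attribute from one
# explicitly named DC so replication lag is visible rather than hidden.
$MaxPasswordAge = 30   # assumption: same policy value as the original script

# Find the DC this session is bound to and the domain's naming context.
# Set $dc to another DC's DNS name to see what that DC holds instead.
$rootDse = [adsi]"LDAP://RootDSE"
$dc      = "$($rootDse.dnsHostName)"
$domain  = "$($rootDse.defaultNamingContext)"

$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$dc/$domain"   # query this DC only
# Real user accounts that are enabled and whose password can expire:
#   bit 2     (0x2)     = ACCOUNTDISABLE
#   bit 65536 (0x10000) = DONT_EXPIRE_PASSWD
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)" +
                   "(!userAccountControl:1.2.840.113556.1.4.803:=2)" +
                   "(!userAccountControl:1.2.840.113556.1.4.803:=65536))"
$searcher.PageSize = 1000   # page results so large domains are not truncated
[void]$searcher.PropertiesToLoad.AddRange(@("samaccountname", "pwdlastset"))

$now = Get-Date
$results = foreach ($r in $searcher.FindAll()) {
    # pwdLastSet is a 64-bit FILETIME; 0 means "must change at next logon"
    if ($r.Properties["pwdlastset"].Count -eq 0) { continue }
    $raw = [int64]$r.Properties["pwdlastset"][0]
    if ($raw -eq 0) { continue }
    $changed = [DateTime]::FromFileTime($raw)   # converted to local time
    $age     = ($now - $changed).Days
    [pscustomobject]@{
        User       = $r.Properties["samaccountname"][0]
        QueriedDC  = $dc
        PwdLastSet = $changed
        AgeDays    = $age
        NeedsReset = ($age -ge $MaxPasswordAge)
    }
}

$expired = @($results | Where-Object NeedsReset)
"The following users need to set their password (as seen by $dc):"
$expired | Sort-Object AgeDays -Descending | Format-Table User, PwdLastSet, AgeDays -AutoSize
"A total of $($expired.Count) users"
```

Running this twice with $dc set to two different domain controllers and comparing the PwdLastSet column for one account shows directly whether the stale date in the original post came from a DC that had not yet received the pwdLastSet change.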