All users Account Password and when password were changed.

I get a lil twisted… I created this script below:

Import-Module ActiveDirectory
Get-ADUser ‘a87114’ -properties PasswordLastSet, whenCreated | Format-List

$Result = @()
$Users = Get-ADUser a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires
ForEach ($User in $Users)
{ $Result += New-Object PSObject -Property @{
‘Last Name’ = $User.sn
‘First Name’ = $User.GivenName
UserName = $User.SamAccountName

}

}
$Result = $Result | Select ‘Last Name’,‘First Name’,UserName

#Produce a CSV
$Result | Export-Csv “c:\temp\passwordexpirationdate11.csv”

The above display this:

DistinguishedName : CN=A87114,OU=Users,OU=Atlanta-AOC,OU=US,OU=NA,DC=na,DC=ko,DC=com
Enabled : True
GivenName : George
Name : A87114
ObjectClass : user
ObjectGUID : 5275b59f-509f-4418-b615-4a338a99b2d2
PasswordLastSet : 11/26/2013 11:48:01 AM
SamAccountName : A87114
SID : S-1-5-21-1174801143-910442134-930774774-464530
Surname : Jones
UserPrincipalName : a87114@na.ko.com
whenCreated : 8/22/2013 12:03:19 PM

Do you think there’s away to ouput when the password was set and check to see when it was last changed?

I am trying to get a variable like

$date = date
$dataPwdYear = last 4 of $datepwd
$datepwdMonth = left ($datepwd, “/”)
$datePwdDay = mid ($datepwd, “/”, next 2 character)

then
$dateCreate

  • is a minus

    If (year - year) = 0 then
    If (month-month) = 0 then
    If (day-day) = 0 then
    If (AM - PM) 2 then
    If (hour - hour) <2 then
    Else “Error” + output

The goal here is to see if powershell can output when an account password was created and when the account password was changed.

Help

So, you can use the HTML PRE tag to format your code. It’s a little harder to follow when you don’t do that.

I’m a little confused on why your’e doing what you’re doing.

Import-Module ActiveDirectory
Get-ADUser ‘a87114′ -properties PasswordLastSet, whenCreated | Format-List

The above doesn’t do anything useful, right? Just creates a list. This is what you’re seeing in your output, but it’s just going to the screen. This has nothing to do with creating a CSV. Also, Format-List won’t always display every available property. You have to do “Format-List -Property *” if you want to see everything.

$Result = @()
$Users = Get-ADUser a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires

After the above, you’ve got a single user in $Users, and it should have all the properties you want, including password last set. Keep in mind that a lot of attributes, like passwordlastset, do not replicate instantly. So you are not ALWAYS getting a 100% accurate value by only querying one domain controller. Just be aware that there is some room for error with some of these attributes.

ForEach ($User in $Users)
{	$Result += New-Object PSObject -Property @{
‘Last Name’ = $User.sn
‘First Name’ = $User.GivenName
UserName = $User.SamAccountName

}
}

I don’t understand what the above is doing. You’re keeping the user’s Last name, first name, and username. You already have that information in $Users. You are not ADDING information, here. You’re taking what’s in $Users, and only keeping three things, and putting those three things into $Result.

$Result = $Result | Select ‘Last Name’,'First Name’,UserName

I don’t understand the above, either. $Result contains objects that only have a last name, first name, and user name. There’s no need to select those properties.

#Produce a CSV
$Result | Export-Csv “c:\temp\passwordexpirationdate11.csv”

Sure, the above is only providing last name, first name, and user name, because that’s all you put into $Result.

If you just want everything in a CSV file:

Get-ADUser a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires | Export-CSV whatever.csv

Right? So I guess I’m confused about what you’re after. If we could maybe start with that last line above, and you tell me what it isn’t doing for you, I can help you get it to do what you need.

Hello Don

My manager ask me if Powershell could output when a user account password was created and if the password to the account was changed when the user or users logged in for the first time. We have a lot of users account that we have to reset passwords right after the accounts have been created within minutes. I have to do this pre each DCs or domain. We have over 50,000 plus users across the world… he key is date and time. I hope this helps.

Thank you sir

Hello Don

I work for Coca-Cola and my manager ask me if Powershell could output when a user account password was created and if the password to the account was changed when the user or users logged in for the first time. We have a lot of users account that we have to reset passwords right after the accounts have been created within minutes. I have to do this pre each DCs or domain. We have over 50,000 plus users across the world… The key is date and time. I hope this helps.

Thank you sir

Yes. It can.

Get-ADUser -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires | Export-CSV whatever.csv

For the user account a87114, does the above command do what you want?

Don

It displayed the same thing I had already did. What I am trying to get is the difference in the time the account and account password was created and when password was first changed.

Ah, okay.

So, at the end of the Select-Object property list, you would add something like:

…whenCreated,PasswordLastSet,PasswordNeverExpires,@{n='Difference';e={ $_.PasswordLastSet - $_.WhenCreated  }}

That’ll give you an additional column with the difference. You can obviously play with the expression in {} to get a specific value (days, hours, whatever). Although that won’t give you when the password FIRST changed, it’ll give you when the password LAST changed.

Is this correct? Get-ADUser -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires,@{n=‘Difference’;e={ $.PasswordLastSet - $.WhenCreated }} | Export-CSV c:\temp\test.csv

I just got an error message.

The term ‘Get-ADUser’ is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:11

  • Get-ADUser <<<< -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires,@{n=‘Difference’;e={ $.PasswordLastSet - $.WhenCreated }} | Export-CSV c:\temp\whateve
    r.csv
    • CategoryInfo : ObjectNotFound: (Get-ADUser:String) , CommandNotFoundException
    • FullyQualifiedErrorId : CommandNotFoundException

That’d be because you either (a) don’t have the ActiveDirectory module loaded or (b) it doesn’t exist on the machine you’re using. The problem is not with your syntax, it’s that the Get-ADUser command wasn’t found.

Since you were using Get-ADUser in your original example, I had assumed you had access to the ActiveDirectory module.

For that error message, you’re either running PowerShell 2.0 and need to add an “Import-Module ActiveDirectory” command earlier in the script, or you’re running PowerShell 3.0 or later on a computer that doesn’t have the RSAT feature installed.

Also, I don’t think you can do constructed properties in the Get-ADUser command like that, though I haven’t tried it myself. This would work, though:

Get-ADUser -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires |
Select-Object -Property *, @{ n = 'Difference'; e = { $_.PasswordLastSet – $_.WhenCreated } } |
Export-CSV c:\temp\test.csv

Keep in mind that your “Difference” property is going to be a timespan object, which looks like this when converted to a string in a CSV: 1674.18:43:52.2694062 . That’s <days>.<hours>:<Minutes>:<Seconds>.<Fraction of Second>

Correct, you can’t do those right in the property list, sorry - I was reading too fast and didn’t realize we’d not just done a Select. Thanks, Dave.

Don

That works. I was able to get an output of 95.23:44:42.1869997 that’s <days>.<hours>:<Minutes>:<Seconds>.<Fraction of Second>.
Is there away to converted the 95.23:44:42.1869997 into a actual date and time?

Thank you

Well, no… the difference between Date A and Date B isn’t a date, it’s some number of hours-days-minutes-etc.

Today minus yesterday is one day… it isn’t a date and time.

If { $.x - $.y } is a timespan, then { ($.x - $.y).Days } would be the number of days between those two datetimes.