Complete Newbie - Looking for Help Creating a Script to Provide List of AD User

Hi All,

I am a complete newbie with regards to PowerShell. This will be my 1st attempt; not even sure where to actually start… Sorry.

I am trying to create a simple script that lists all the users on a domain, status, expiry date, account locked?..etc.

Any help would be appreciated

Regards

John

You should research the Active Directory cmdlets, in particular Get-ADUser.

https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps

You can use the Export-CSV cmdlet to send the data to a CSV file.

Get-Help Export-Csv -Full for usage and examples.

 

Hi,

So I managed to find some stuff on the internet; it gives me an output, which looks correct. Script below:

    Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
        Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Some of the accounts, primarily my team's, all have proper expiry dates, but for the other team that is in this domain, all their password expiry dates are 01/01/1601. This obviously isn’t correct.

These accounts are also controlled by the AD Password policy and I have had to change their password because they have expired.

The only reason I can think their expiry dates are invalid is that they don’t directly log into the domain via a desktop or server. Their domain accounts are purely to give them authentication when they log into a SQL instance via SSMS, which has domain authentication.

Anyone seen this before? Also, could someone give me some direction on how to tweak the attached script to give me account locked true/false?

 

Thanks

 

John

Most likely their PasswordLastSet (pwdLastSet) attribute is NULL. They were probably given passwords and never forced to change them at next logon.

If that’s the case, msDS-UserPasswordExpiryTimeComputed will return 0. 0 converts to the epoch date 01/01/1601.

You can get the locked out status by adding LockedOut to the list of properties you’re specifying when running the Get-ADUser command. You will also need to add it to the Select-Object command to see it in the output.
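
Putting the replies above together, as an added example that is not part of the original thread: the report below adds LockedOut and converts msDS-UserPasswordExpiryTimeComputed explicitly, so that 0 no longer shows up as 01/01/1601 and the "never expires" value 0x7FFFFFFFFFFFFFFF does not make FromFileTime throw. The function names Convert-PasswordExpiry and Get-ADUserStatusReport and the CSV path are hypothetical.

```powershell
# Added example (hypothetical helper names), not code from the thread.

function Convert-PasswordExpiry {
    # Turns the raw FILETIME from msDS-UserPasswordExpiryTimeComputed into text,
    # handling the two sentinel values instead of converting them blindly.
    param($RawValue)

    if ($null -eq $RawValue -or [int64]$RawValue -eq 0) {
        # 0 is returned when pwdLastSet is empty or 0; FromFileTime(0) is 01/01/1601
        return 'Not set (0)'
    }
    if ([int64]$RawValue -eq [int64]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF means the password does not expire
        return 'Never'
    }
    return [datetime]::FromFileTime([int64]$RawValue).ToString('yyyy-MM-dd HH:mm')
}

function Get-ADUserStatusReport {
    # Requires the ActiveDirectory module and a reachable domain controller.
    param([string]$Filter = '*')

    $props = 'DisplayName', 'LockedOut', 'PasswordNeverExpires',
             'AccountExpirationDate', 'pwdLastSet',
             'msDS-UserPasswordExpiryTimeComputed'

    Get-ADUser -Filter $Filter -Properties $props |
        Select-Object SamAccountName, DisplayName, Enabled, LockedOut,
            PasswordNeverExpires, AccountExpirationDate,
            @{Name = 'PwdLastSetEmpty'; Expression = { -not $_.pwdLastSet }},
            @{Name = 'PasswordExpiry'
              Expression = { Convert-PasswordExpiry $_.'msDS-UserPasswordExpiryTimeComputed' }}
}

# Constructed sample values, so the conversion can be tried without a domain:
# the 0 case, the never-expires case, and an ordinary expiry time.
$samples = 0, [int64]::MaxValue, (Get-Date '2030-01-15 09:00').ToFileTime()
$samples | ForEach-Object { Convert-PasswordExpiry $_ }

# Against a domain, send the report to a CSV file (path is a placeholder):
# Get-ADUserStatusReport | Export-Csv -Path .\ad-users.csv -NoTypeInformation
```

Accounts that show PwdLastSetEmpty as True are the ones that would have appeared with a 01/01/1601 expiry date in the original output.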