Get-ADUser information for multiple criteria

I was given the task to get AD user account information for the following: User must change password at next logon, for Enabled only accounts, and the modified dates of those accounts for the last 90 days. I have used this script

Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(pwdLastSet=0)" | Select SamAccountName,distinguishedName |
Export-CSV

for retrieving the User must change password at next logon, but then I have to use something like this

Get-ADUser -Filter {Enabled -eq $True} -Properties * | Sort-Object Name | Select-Object Name,DistinguishedName,Enabled,PasswordLastSet,Modified | Export-Csv

to get other criteria. How can I get all of the criteria into one script producing a single csv?

The filter can be updated to handle multiple items:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties Name,DistinguishedName,Enabled,PasswordLastSet,Modified

Keep in mind that -Properties * returns ALL properties which is a much bigger query than just getting the properties you need. Above is not tested, but should be something like that.

I will give it a try. Thanks for your assistance!

Back in March I couldn’t get the suggestion you gave me to work and, obviously, I did not write it correctly. My PS script has to meet the following criteria:

  1. Enabled accounts
  2. “User must change password at next logon” setting still enabled
  3. Passwords last changed (before?) after 11/26/2020
  4. Against two different, but specific, OUs

Get-ADUser -Searchbase "OU=xxxxxx,DC=xxxxxx,DC=xxxxx" -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -lt 190} -Properties Name,DistinguishedName,Enabled,PasswordLastSet,Modified | Sort-Object Name | Select-Object Name,DistinguishedName,Enabled,PasswordLastSet,Modified | Export-CSV "myfilelocation.csv"

I also tried this with the PasswordLastSet -gt 0. This change actually gave me values versus -lt 190 that did not. However, spot checking the export revealed that these accounts did not have the User must change password at next logon set. What am I botching up?
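
An added example, not part of the original thread: one way to combine the criteria listed above into a single CSV. "User must change password at next logon" is stored as pwdLastSet=0, which leaves PasswordLastSet empty on those accounts, so the date test here is applied to whenChanged (the Modified column) instead. The OU paths, the 90-day cutoff and the output file name are assumed placeholders.

```powershell
Import-Module ActiveDirectory

# Placeholder OU paths (assumed; substitute the two real OUs)
$searchBases = @(
    'OU=FirstOU,DC=example,DC=com',
    'OU=SecondOU,DC=example,DC=com'
)

# Assumed cutoff: accounts modified within the last 90 days
$cutoff = (Get-Date).AddDays(-90)

# whenChanged is compared as LDAP generalized time, e.g. 20201126000000.0Z
$stamp = $cutoff.ToUniversalTime().ToString('yyyyMMddHHmmss', [cultureinfo]::InvariantCulture)
$cutoffLdap = $stamp + '.0Z'

# pwdLastSet=0                              -> must change password at next logon
# !(userAccountControl:...803:=2)           -> ACCOUNTDISABLE bit not set (enabled)
# whenChanged>=<cutoff>                     -> modified on or after the cutoff
$ldapFilter = "(&(pwdLastSet=0)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(whenChanged>=$cutoffLdap))"

# Run the same filter against each OU and collect everything in one list
$results = foreach ($base in $searchBases) {
    Get-ADUser -SearchBase $base -SearchScope Subtree -LDAPFilter $ldapFilter `
        -Properties Enabled, PasswordLastSet, Modified
}

# PasswordLastSet is expected to be blank for every row, since pwdLastSet is 0
$results |
    Sort-Object Name |
    Select-Object Name, DistinguishedName, Enabled, PasswordLastSet, Modified |
    Export-Csv -Path '.\must-change-password.csv' -NoTypeInformation
```

whenChanged is maintained separately on each domain controller, so the Modified value reflects the DC that answered the query.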