List AD user with Password Never Expires flag and if a member of Domain Admins

Dear all,
I’m trying to create a simple script that generates a CSV file containing a list of
AD users with the Password Never Expires flag turned on and whether they are a member of the Domain Admins group.

Like this:
name,samaccountname,PasswordNeverExpires,mail,IsDomainAdmin
John,JOHRAM,True,john@mydomain.com,True

The command below works fine but is incomplete because the Domain Admins group membership information is missing:
Get-ADUser -Server "MyDomain.com" -Filter {(PasswordNeverExpires -eq "TRUE") -and (Enabled -eq $true)} -Properties PasswordNeverExpires, Mail | select name,samaccountname,PasswordNeverExpires,mail | Where-Object {$_.PasswordNeverExpires -like "True"} | Export-Csv -Path "c:\temp\Output.csv" -NoTypeInformation

How can I modify it to get them?

Thank you all.
Have a nice day and have a good weekend
Andrea

Hi, welcome back :wave:

Firstly, when posting code in the forum, please can you use the preformatted text </> button. It really helps us with readability, and copying and pasting your code (we don’t have to faff about replacing curly quote marks to get things working).

Please clarify what you’re trying to do.
Do you want every user whose password doesn’t expire in the CSV and a note if they’re a domain admin as well or are you just trying to find domain admins whose password does not expire?

Dear, thanks for your reply.
Sorry… I’ll be more careful next time I publish some code!

I’m trying to get the list of all users whose Password Never Expires flag is set and whether the user is a member of the Domain Admins group

The DomainAdminMember column will have the values True or False

Like this:
name,samaccountname,PasswordNeverExpires,mail,IsDomainAdmin
John,JOHRAM,True,john@mydomain.com,True
Chuck,CHUNOR,True,Chuck@mydomain.com,False

Many thanks and sorry for my English!

Best regards
Andrea

No problem, and please don’t apologise for your English, it’s excellent.

I would get the list of domain admins first, and then check if the user is in the list.

$domainAdmins = Get-ADGroupMember 'Domain Admins' | Select-Object -ExpandProperty distinguishedName

Get-AdUser -Filter {(PasswordNeverExpires -eq $True) -and (Enabled -eq $True)} -Properties PasswordNeverExpires, Mail |
    Select-Object name,sAMAccountName,passwordNeverExpires,mail,@{l='IsDomainAdmin';e={$domainAdmins -contains $_.distinguishedName}} | 
        Export-CSV -Path C:\Temp\output.csv -NoTypeInformation

Dear Matt, you are the king :smiley:
Many thanks!

Where can I find the explanation of your code?
It is really sharp and elegant!

I changed your code a bit to get the list of users in each domain in the forest.
I’ll insert it below. Maybe someday someone will need it.

Import-Module ActiveDirectory
$domains = (Get-ADForest).Domains
foreach ($domain in $domains) {
	# Read the Domain Admins group of the domain being processed, not only the current one
	$domainAdmins = Get-ADGroupMember 'Domain Admins' -Server $domain | Select-Object -ExpandProperty distinguishedName

	# Enabled users whose password never expires, written to one CSV file per domain
	Get-AdUser -Server $domain -Filter {(PasswordNeverExpires -eq $True) -and (Enabled -eq $True)} -Properties PasswordNeverExpires, Mail |
		Select-Object name,sAMAccountName,passwordNeverExpires,mail,@{l='IsDomainAdmin';e={$domainAdmins -contains $_.distinguishedName}} |
			Export-CSV -Path "c:\temp\Never_Expire-$domain.csv" -NoTypeInformation
}

Many thanks and enjoy the rest of the day.
Andrea

You’re welcome, Andrea. Happy to help.

Thank you for sharing your final solution.

Regarding the explanation of the code, for the cmdlets themselves, just use Get-Help or view the online help files.

The one bit you might not have seen before is the calculated property. If you Google the term, you’ll find good examples online.

Select-Object @{l='IsDomainAdmin';e={$domainAdmins -contains $_.distinguishedName}}

Essentially, what we do is create a label or name for the property (l is short for label, you can also use label, n, or name) then we create an expression (the e part) that calculates a value for that property.

In this case, that value is true or false depending on whether the collection (array) of distinguished names we collected at the beginning of the script contains (-contains) the distinguished name of the current user.

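Added example, not code from anyone in the thread: a forest-wide variant of the calculated-property approach explained above. It goes beyond the thread's scripts by resolving Domain Admins in each domain through its well-known RID (512) and by using -Recursive so that members of nested groups are flagged as well. The output path, the extra Domain and PasswordLastSet columns, and the sort order are assumptions.

```powershell
# Added example: forest-wide audit of enabled accounts with PasswordNeverExpires,
# flagging direct and nested Domain Admins members. Output path is an assumption.
Import-Module ActiveDirectory

$report = foreach ($domain in (Get-ADForest).Domains) {
    # Domain Admins always has RID 512, so look it up by SID; this also works
    # where the group has been renamed or its name is localized.
    $domainSid = (Get-ADDomain -Server $domain).DomainSID.Value
    $daGroup   = Get-ADGroup -Identity "$domainSid-512" -Server $domain

    # -Recursive expands nested groups, so indirect members are counted too.
    # A case-insensitive HashSet keeps the per-user lookup cheap.
    $adminDns = [System.Collections.Generic.HashSet[string]]::new(
        [System.StringComparer]::OrdinalIgnoreCase)
    Get-ADGroupMember -Identity $daGroup -Server $domain -Recursive |
        ForEach-Object { [void]$adminDns.Add($_.distinguishedName) }

    # Same filter as in the thread; the calculated properties add the domain
    # name and the membership flag to every row.
    Get-ADUser -Server $domain -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
            -Properties PasswordNeverExpires, Mail, PasswordLastSet |
        Select-Object @{ Name = 'Domain'; Expression = { $domain } },
            Name, SamAccountName, PasswordNeverExpires, Mail, PasswordLastSet,
            @{ Name = 'IsDomainAdmin'; Expression = { $adminDns.Contains($_.DistinguishedName) } }
}

# Domain admins first, then oldest passwords first, in a single CSV for the forest.
$report |
    Sort-Object @{ Expression = 'IsDomainAdmin'; Descending = $true }, PasswordLastSet |
    Export-Csv -Path 'C:\Temp\Never_Expire-Forest.csv' -NoTypeInformation
```

Rows with IsDomainAdmin set to True are the ones to review first: a privileged account whose password never expires keeps the same credential valid until someone changes it by hand.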

Dear Matt,
thanks for your availability and your explanations.
You helped me a lot!
I’m sorry because it’s virtual but I’m happy to offer you a coffee!

Good day
Andrea