Password age script

by Peeps3240 at 2012-09-11 05:07:35

As an add-on to my password project, I have this script running at 8am every morning through Task Manager. Is there a way I can alter the script to only generate those that fall under the cn=user? There are some admin accounts in there that, while this won't generally affect the process, I would just like to trim out the fat, so to speak.

My script looks like this:

[script=powershell]
C:\scripts\password.ps1 | Format-Table -Property * -Autosize | Out-String -Width 4096 | Out-File C
[/script]
by poshoholic at 2012-09-11 05:35:36
Yes, that should be easy to do. You can use Where-Object either in your password.ps1 file directly to filter out the entries you don’t want, or you can use Where-Object in the pipeline between the invocation of password.ps1 and the Format-Table cmdlet. I forget what properties you are working with, but let’s assume that your script returns objects that have a property called container that contains a DN of the container you want. In that case it might look something like this:

[script=powershell]
C:\scripts\password.ps1 | Where-Object {$_.Container -like 'cn=user,*'} | Format-Table -Property * -Autosize | Out-String -Width 4096 | Out-File C
[/script]
If you don’t have the container in a separate property, but you do have DN in a property, then it might look like this instead:

[script=powershell]
C:\scripts\password.ps1 | Where-Object {$_.DN -like '*,cn=user,*'} | Format-Table -Property * -Autosize | Out-String -Width 4096 | Out-File C
[/script]
If there are a lot of these, you may also want to consider server-side filtering, which can often be done using the cmdlets used to retrieve the objects you are reporting on via a Filter parameter or some other parameter to indicate exactly what objects you want to return. In this case though it sounds like you don’t have many objects you want to filter out, in which case client-side filtering is probably just fine.
by Peeps3240 at 2012-09-11 06:42:00
OK, I think I see what I need to do, instead of user.

Is there a way to only bring back the information if there is an email address associated?
by poshoholic at 2012-09-11 06:55:19
Yes, you can do that. I just reviewed your original script again. You want something like this:

[script=powershell]
if ($mail = $_.properties.item("mail")) {
    $info = 1 | Select-Object Name, Email, Age, LastSet
    $info.Name = $account.SamAccountName[0]
    $info.Email = $mail
    $info.Age = $age
    $info.LastSet = $pwdset
    $info
}
[/script]

That will only create and return the info object if the mail variable is not null or empty.
by Peeps3240 at 2012-09-11 07:19:58
[script=powershell]
# Enabled user accounts whose password is allowed to expire
# (bit 65536 = DONT_EXPIRE_PASSWORD, bit 2 = ACCOUNTDISABLE)
$filter = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2))'

# DN components are separated by commas, not semicolons
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=Ardex,DC=COM")
$searcher = New-Object System.DirectoryServices.DirectorySearcher $filter
# defaultNamingContext is only exposed by RootDSE; the domain object we bound to
# carries its own DN in distinguishedName
$SearchRoot = $root.distinguishedName
$searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Users,$SearchRoot")
$searcher.SearchScope = 'SubTree'
$searcher.SizeLimit = 0
$searcher.PageSize = 1000
$searcher.FindAll() | Foreach-Object {
    $account = $_.GetDirectoryEntry()
    # pwdLastSet is a FILETIME stored as Int64
    $pwdset = [datetime]::FromFileTime($_.properties.item("pwdLastSet")[0])
    $age = (New-TimeSpan $pwdset).Days
    if ($mail = $_.properties.item("mail")) {
        $info = 1 | Select-Object Name, Email, Age, LastSet
        $info.Name = $account.SamAccountName[0]
        $info.Email = $mail
        $info.Age = $age
        $info.LastSet = $pwdset
        $info
    }
}
[/script]


This still brings back accounts with blank email addresses. I have played around with it a bit, but I'm sure I am just overlooking something simple.

On a related note, I do have a Dummies book coming in so I can learn what I need to do. So far I get some of the commands (I am mostly helpdesk), so it is starting to make sense to me a little at a time. I do appreciate your patience with me and my questions.
by coderaven at 2012-09-11 07:32:17
The easiest approach I can think of is to not get users without an email in your filter:

[script=powershell]
$filter = '(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=65536)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))'
[/script]

Now you don’t have to worry about trying to filter it out in your loop.
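Putting the thread's pieces together, as an added example that is not code from any of the posters: a version of the report that uses coderaven's server-side `(mail=*)` clause, restricts the search to the Users container as the first post asked, binds the search root from RootDSE (the object that actually carries `defaultNamingContext`), and handles accounts whose `pwdLastSet` is 0 instead of reporting a password age counted from 1601. The output path `C:\scripts\pwdage.txt` and the PowerShell 3.0+ `[pscustomobject]` syntax are assumptions. It also shows why the in-loop `if ($mail = ...)` test in the earlier posts let blank addresses through: for a missing attribute, `Properties.Item("mail")` returns an empty collection object, not `$null`, and PowerShell treats that object as true, so `.Count` is the check that works client-side.

```powershell
# Added example (not from the thread): password-age report filtered
# server-side for enabled, expiring accounts that have a mail attribute,
# with the remaining edge cases guarded client-side.
# Assumptions: run on a domain-joined host with read access to the Users
# container; C:\scripts\pwdage.txt is a placeholder output path.

$reportPath = 'C:\scripts\pwdage.txt'   # assumed output location

# Server-side filter: person/user objects, password not flagged as
# never-expiring (UF_DONT_EXPIRE_PASSWD = 65536), account not disabled
# (UF_ACCOUNTDISABLE = 2), and a mail attribute present. (mail=*) is what
# removes accounts with no address; testing the property collection in the
# loop does not, because an absent attribute comes back as an empty
# collection object, which PowerShell evaluates as $true.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!userAccountControl:1.2.840.113556.1.4.803:=65536)' +
          '(!userAccountControl:1.2.840.113556.1.4.803:=2)' +
          '(mail=*))'

# RootDSE is the object that carries defaultNamingContext; a DirectoryEntry
# bound to the domain itself does not expose that attribute.
$rootDse  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
$domainDn = $rootDse.Properties['defaultNamingContext'].Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://CN=Users,$domainDn")
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = $filter
$searcher.PageSize    = 1000        # paged results: no 1000-object cap
$searcher.SizeLimit   = 0
# Ask only for the attributes we use, so no second bind per object
# (no GetDirectoryEntry() in the loop).
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'mail', 'pwdLastSet'))

$now     = Get-Date
$results = $searcher.FindAll()
try {
    $report = foreach ($result in $results) {
        $p = $result.Properties

        # Belt and braces: the server already filtered on (mail=*), but
        # Count is the check that actually works on the property collection.
        if ($p['mail'].Count -eq 0) { continue }

        # pwdLastSet is a Windows FILETIME as Int64. A value of 0 means
        # "must change password at next logon": report it as such rather
        # than computing an age back to 1601.
        $pwdSet = $null
        $age    = $null
        if ($p['pwdlastset'].Count -gt 0) {
            $raw = [int64]$p['pwdlastset'][0]
            if ($raw -ne 0) {
                $pwdSet = [datetime]::FromFileTime($raw)
                $age    = ($now - $pwdSet).Days
            }
        }

        [pscustomobject]@{           # PowerShell 3.0+ (assumed)
            Name    = $p['samaccountname'][0]
            Email   = $p['mail'][0]
            Age     = $age
            LastSet = $pwdSet
        }
    }
}
finally {
    $results.Dispose()              # release the ADSI search handle
}

$report |
    Sort-Object Age -Descending |
    Format-Table -Property * -AutoSize |
    Out-String -Width 4096 |
    Out-File $reportPath
```

Accounts with a null Age in the output are the "must change at next logon" cases, which a report sorted by age would otherwise show as roughly 150,000 days old. Scheduling this as a Task Scheduler job needs only the script path; the container restriction and the mail requirement are both enforced by the directory before any object reaches the loop.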
by Peeps3240 at 2012-09-11 07:43:36
Many, many thanks.

That worked.