Password Info

How can I change this script to get password info for all domain users? Here is the script I used, but it only asks for a SamAccount for one user.

```powershell
<#
.SYNOPSIS
Determine last time user set their password
.DESCRIPTION
Shows password max age, if expired, and last date pw was changed.
.NOTES
Author: George Jones
.LINK

.PARAMETER SAMAccountName
SAMAccountName for the user in question.
.EXAMPLE
.\pw-last-set.ps1 -SAMAccountName some.user
#>

param (
    [parameter(Mandatory=$true, HelpMessage="SAMAccountName for user")]$SAMAccountName
)

$root = [ADSI]''
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SAMAccountName))"
$user = $searcher.FindAll()

$User = [ADSI]$user[0].Path

# get domain password policy (max pw age)
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$MPA = $Domain.maxPwdAge.Value

# get Int64 (100-nanosecond intervals).
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)

# get days
$MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
"Domain Max Password Age (days): " + '{0:n3}' -f $MaxPwdAge

# check if password can expire or not
$UAC = $User.userAccountControl
$blnPwdExpires = -not (($UAC.Item(0) -band 64) -or ($UAC.Item(0) -band 65536))
"Can Password Expire?: $blnPwdExpires"

# when was pw last set?
$PLS = $User.pwdLastSet.Value

# convert to int64
$lngValue = $User.ConvertLargeIntegerToInt64($PLS)

# convert to ad date
$Date = [DateTime]$lngValue
if ($Date -eq 0) {
    $PwdLastSet = "<Never>"
}
else {
    $PwdLastSet = $Date.AddYears(1600).ToLocalTime()
}
"Password Last Set (local time): $PwdLastSet"

# is the password expired?
$blnExpired = $False
$Now = Get-Date
if ($blnPwdExpires) {
    if ($Date -eq 0) {
        $blnExpired = $True
    }
    else {
        if ($PwdLastSet.AddDays($MaxPwdAge) -le $Now) {
            $blnExpired = $True
        }
    }
}

"Password Expired? $blnExpired"
```

You’d need to get rid of the Param block (or at least make the $SamAccountName parameter optional, defaulting to ‘*’), potentially modify $searcher.Filter (if you’re not going to filter on samAccountName at all), and modify the rest of the code to loop over the collection returned by $searcher.FindAll(), instead of only outputting information for a single record at index 0.

I would also recommend constructing objects (which can then be formatted by Format-Table or Format-List), instead of outputting a bunch of strings (such as “Password Expired? $blnExpired” ). You’d need to include a property in each object indicating which user account the information refers to.
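One way the changes described in the answer above could look, as an added example that is not code from either poster. It assumes a domain-joined machine and a single domain-wide password policy (fine-grained password policies are not evaluated), adds an `objectCategory=person` clause to skip computer accounts, and reads attributes from the search results instead of binding to each user.

```powershell
# Added example, not the original script. Assumes a domain-joined Windows host.
param (
    [string]$SAMAccountName = '*'   # optional now; '*' matches every account
)

# Domain policy: maxPwdAge is a negative count of 100-nanosecond intervals
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($Domain.maxPwdAge.Value)
$MaxPwdAge = -$lngMaxPwdAge / (600000000 * 1440)

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
# objectCategory=person excludes computer accounts, which are also objectClass=user
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SAMAccountName))"
$searcher.PageSize = 1000   # enable paging so large domains are not truncated
foreach ($p in 'samaccountname', 'useraccountcontrol', 'pwdlastset') {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$Now = Get-Date
$results = $searcher.FindAll()
foreach ($result in $results) {
    $UAC = [int]$result.Properties['useraccountcontrol'][0]
    # Same flag test as the original script (64 and 65536)
    $blnPwdExpires = -not (($UAC -band 64) -or ($UAC -band 65536))

    # The searcher returns pwdLastSet as an Int64 file time; 0 means never set
    $pls = $result.Properties['pwdlastset']
    $lngValue = if ($null -ne $pls -and $pls.Count -gt 0) { [int64]$pls[0] } else { 0 }
    $PwdLastSet = if ($lngValue -eq 0) { $null } else { [DateTime]::FromFileTime($lngValue) }

    $blnExpired = $false
    if ($blnPwdExpires) {
        $blnExpired = ($null -eq $PwdLastSet) -or ($PwdLastSet.AddDays($MaxPwdAge) -le $Now)
    }

    # One object per user, carrying the account name alongside the results
    [pscustomobject]@{
        SamAccountName  = [string]$result.Properties['samaccountname'][0]
        PasswordLastSet = $PwdLastSet
        CanExpire       = $blnPwdExpires
        Expired         = $blnExpired
        MaxPwdAgeDays   = [math]::Round($MaxPwdAge, 3)
    }
}
$results.Dispose()
```

Because the script emits objects, the output can be filtered and formatted downstream, for example `.\pw-last-set.ps1 | Where-Object Expired | Format-Table`.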

I am new to PowerShell scripting like this. Could you give more details on how this script should look? Thanks