This statement does not give me any results in my variable. Any ideas what I am doing wrong?
$Exp = Get-ADUser -LDAPfilter {sAMAccountName -eq $Name} -Properties * | Select -ExpandProperty PasswordExpired
Try ditching the pipe to Select-Object, and see what you get. (Check to see the result when you run $Exp.PasswordExpired, after making that change.)
Changed to Select-Object and still no results in my $Exp variable after the statement completes. I am not receiving any errors either. Thanks!
$Exp = Get-ADUser -LDAPfilter {sAMAccountName -eq $Name} -Properties * | Select-Object -ExpandProperty PasswordExpired
That’s not what I meant. I just meant to get rid of the call to Select-Object entirely, to make sure you’re getting something back from Get-ADUser. (If there are no objects that match your filter, for example, then you’d get nothing.)
$Exp = Get-ADUser -LDAPfilter {sAMAccountName -eq $Name} -Properties *
$Exp.PasswordExpired
The problem is that the LDAP filter you’re using isn’t an LDAP filter.
To use an LDAP filter:
Get-ADUser -LDAPFilter "(Name=Richard)"
To use a filter:
Get-ADUser -Filter {Name -eq 'Richard'}
You’re using the Filter (PowerShell) syntax with LDAPfilter instead of the LDAP search syntax.
Removed the script that didn’t work. Reposting what worked at the end of the conversation.
I changed the code to:
$Exp = Get-ADUser -Filter {sAMAccountName -eq $Name} -Properties *
$Exp.PasswordExpired
-OR-
$Exp = Get-ADUser -LDAPfilter "(sAMAccountName=$Name)" -Properties *
$Exp.PasswordExpired
I still do not get any results in my variable but it shows $Exp as being the Distinguished Name? Something is screwy! The $Name is populated just fine.
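Building an -LDAPFilter string from a variable, as in "(sAMAccountName=$Name)" above, only works as intended when the value is escaped for LDAP filter syntax; otherwise a `*` or a parenthesis in the value changes or breaks the filter. The following is an added example, not code from the thread: the function names are hypothetical and the sample names are constructed.

```powershell
# Added example; function names are hypothetical, sample names are constructed.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value:
    # \ -> \5c, * -> \2a, ( -> \28, ) -> \29, NUL -> \00
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-SamAccountNameFilter {
    # Build the string form that -LDAPFilter expects: "(attribute=value)"
    param([Parameter(Mandatory)][string]$Name)
    '(sAMAccountName={0})' -f (ConvertTo-LdapFilterValue $Name)
}

# Constructed inputs: a plain name, a name with parentheses, a stray wildcard
foreach ($Name in 'jsmith', 'svc(backup)', 'j*') {
    $ldap = New-SamAccountNameFilter -Name $Name
    '{0,-12} -> {1}' -f $Name, $ldap
    # With the ActiveDirectory module loaded, the lookup would then be:
    # Get-ADUser -LDAPFilter $ldap -Properties PasswordExpired
}
```

Unescaped, the third input would act as a wildcard and could return several accounts; escaped, it matches only a literal `j*`.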
Well, I’m not sure why you’re using the filter; you can do a straight get-aduser $name -properties passwordexpired
then $exp.passwordexpired does contain the value.
If all you want is accounts with expired passwords look at using search-ADAccount
to search whole domain
Search-ADAccount -PasswordExpired
to search an OU
Search-ADAccount -PasswordExpired -SearchBase 'OU=Testing,DC=Manticore,DC=org'
OK, here is what worked finally:
$attributes = 'Name','PasswordExpired'
$Test = Get-ADUser -Filter "sAMAccountName -eq '$SaName'" -SearchBase "$OU" `
-SearchScope Subtree -Properties $attributes | Select $attributes
Thanks everyone for your help!
Here is my finished script. This is my first script so I am sure there are lots of improvements to be made!:
##########################################################################
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$caption = "Please select OU to query"
$message = "Select OU to query"
$choices = [System.Management.Automation.Host.ChoiceDescription[]] `
@("&Moscow", "&SST", "&SST-Mgmt")
[int]$defaultChoice = 0
$choiceRTN = $host.ui.PromptForChoice($caption,$message, $choices,$defaultChoice)
switch($choiceRTN)
{
0 {
$OU = "OU=ou name,DC=ad,DC=somewhere,DC=org"
$LD = "LDAP://OU=ou name,DC=ad,DC=somewhere,DC=org"
$ShortOU = "A-OU"
break
}
1 {
$OU = "OU=ou name,DC=ad,DC=somewhere,DC=org"
$LD = "LDAP://OU=ou name,DC=ad,DC=somewhere,DC=org"
$ShortOU = "B-OU"
break
}
2 {
$OU = "OU=ou name,DC=ad,DC=somewhere,DC=org"
$LD = "LDAP://OU=ou name,DC=ad,DC=somewhere,DC=org"
$ShortOU = "C-OU"
break
}
}
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$intDays = 90
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$MPA = $Domain.maxPwdAge.Value
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$Now = Get-Date
$Date1 = $Now.AddDays(-$MaxPwdAge)
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$Date2 = $Now.AddDays($intDays - $MaxPwdAge)
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$64Bit1 = $Date1.Ticks - 504911232000000000
$64Bit2 = $Date2.Ticks - 504911232000000000
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.PageSize = 100
$Searcher.SearchScope = "subtree"
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$Searcher.Filter = "(&(objectCategory=person)(objectClass=user)" `
+ "(pwdLastSet>=" + $($64Bit1) + ")" `
+ "(pwdLastSet<=" + $($64Bit2) + "))"
$Searcher.PropertiesToLoad.Add("sAMAccountName") > $Null
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("pwdLastSet") > $Null
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
$Searcher.SearchRoot = "$LD"
$Results = $Searcher.FindAll()
#------------------------------------------------------------------------------------------#
#------------------------------------------------------------------------------------------#
ForEach ($Result In $Results)
{
Try
{
#------------------------------------------------------------------------------------------#
# Clear variables at top of loop
#------------------------------------------------------------------------------------------#
$Test =$Check = $Status = $Name = $Null
#------------------------------------------------------------------------------------------#
# Retrieve attribute values for this user
#------------------------------------------------------------------------------------------#
$SaName = $Result.Properties.Item("sAMAccountName")
$DN = $Result.Properties.Item("distinguishedName")
$PLS = $Result.Properties.Item("pwdLastSet")
#------------------------------------------------------------------------------------------#
# Retrieve PasswordExpired Calculated Value
#------------------------------------------------------------------------------------------#
$attributes = 'Name','PasswordExpired'
$Test = Get-ADUser -Filter "sAMAccountName -eq '$SaName'" -SearchBase "$OU" `
-SearchScope Subtree -Properties $attributes | Select $attributes
$Check = $Test.PasswordExpired.ToString()
$Name = $Test.Name.ToString()
If ($PLS.Count -eq 0)
{
$Date = [DateTime]0
}
Else
{
#------------------------------------------------------------------------------------------#
# Interpret 64-bit integer as a date.
#------------------------------------------------------------------------------------------#
$Date = [DateTime]$PLS.Item(0)
}
#------------------------------------------------------------------------------------------#
# If User Password is Expired show "Expired" for this user's status else "OK"
#------------------------------------------------------------------------------------------#
Switch ($Check)
{
"false" {$Status = "OK" ; break}
"true" {$Status = "Expired!" ; break}
}
#------------------------------------------------------------------------------------------#
# Convert from .NET ticks to Active Directory Integer8 ticks.
# Also, convert from UTC to local time.
#------------------------------------------------------------------------------------------#
$PwdLastSet = $Date.AddYears(1600).ToLocalTime()
#------------------------------------------------------------------------------------------#
# Determine when password expires.
#------------------------------------------------------------------------------------------#
$PwdExpires = $PwdLastSet.AddDays($MaxPwdAge)
#------------------------------------------------------------------------------------------#
# Output Report in CSV Format
#------------------------------------------------------------------------------------------#
New-Object -TypeName PSCustomObject -Property @{
PasswordExpDate = $PwdExpires
PwdStatus = "$Status"
Name = "$Name"
sAMAccountName = "$SaName"
DN = "$DN"
} | Export-Csv -Path C:\TestFiles\"$ShortOU"_UserPasswordStatus_$((Get-Date).ToString('MM-dd-yyyy')).csv -NoTypeInformation -Append
}
Catch
{
$ErrorMessage = $_.Exception.Message
$FailedItem = $_.Exception.ItemName
$ErrorActionPreference = "Inquire"
}
Finally
{
}
}
If ($Results -ne $Null)
{
#------------------------------------------------------------------------------------------#
# Notify user that Report has completed processing
#------------------------------------------------------------------------------------------#
$Pop = new-object -comobject wscript.shell
$Box = $Pop.popup("The report finished successfully!",30,"Status",1)
}
Else
{
#------------------------------------------------------------------------------------------#
# Notify user that Report was not created
#------------------------------------------------------------------------------------------#
$Pop = new-object -comobject wscript.shell
$Box = $Pop.popup("No Accounts were identified. No report was generated.",30,"Status",1)
}
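The pwdLastSet and maxPwdAge arithmetic from the script above, as an added example that is not part of the original post: it uses the .NET FILETIME helpers in place of the hand-written 504911232000000000 offset and runs without a directory. The function names are hypothetical and the sample values are constructed.

```powershell
# Added example; function names are hypothetical, sample values are constructed.

function Get-PasswordExpiry {
    param(
        [Parameter(Mandatory)][Int64]$PwdLastSet,  # raw pwdLastSet: 100-ns ticks since 1601-01-01 UTC
        [Parameter(Mandatory)][Int64]$MaxPwdAge    # raw domain maxPwdAge: negative 100-ns interval
    )
    # maxPwdAge of 0 or Int64.MinValue means passwords never expire.
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [Int64]::MinValue) { return $null }
    # pwdLastSet of 0 means "must change at next logon": treat as already expired.
    if ($PwdLastSet -eq 0) { return [DateTime]::MinValue }
    $age = [TimeSpan]::FromTicks(-$MaxPwdAge)
    [DateTime]::FromFileTimeUtc($PwdLastSet).Add($age).ToLocalTime()
}

function Get-ExpiryWindowFilter {
    # LDAP filter for users whose password expires within the next $Days days.
    param(
        [Parameter(Mandatory)][Int64]$MaxPwdAge,
        [Parameter(Mandatory)][int]$Days,
        [DateTime]$Now = (Get-Date)
    )
    $age   = [TimeSpan]::FromTicks(-$MaxPwdAge)
    # ToFileTimeUtc converts local time to UTC first, matching how AD stores pwdLastSet.
    $lower = $Now.Subtract($age).ToFileTimeUtc()
    $upper = $Now.AddDays($Days).Subtract($age).ToFileTimeUtc()
    "(&(objectCategory=person)(objectClass=user)(pwdLastSet>=$lower)(pwdLastSet<=$upper))"
}

# Constructed sample values: a 42-day policy and a password set on 2024-01-01 UTC
$maxPwdAge = -36288000000000
$pls = [DateTime]::new(2024, 1, 1, 0, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()

Get-PasswordExpiry -PwdLastSet $pls -MaxPwdAge $maxPwdAge   # 2024-02-12 00:00 UTC, shown in local time
Get-PasswordExpiry -PwdLastSet 0 -MaxPwdAge $maxPwdAge      # DateTime.MinValue (must change at next logon)
Get-ExpiryWindowFilter -MaxPwdAge $maxPwdAge -Days 90
```

Subtracting the offset from `(Get-Date).Ticks` directly, as the script does, compares local clock time against the UTC values stored in pwdLastSet, so the window is shifted by the machine's UTC offset.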