Active Directory User Attribute (-PasswordExpired)

This topic contains 5 replies, has 4 voices, and was last updated by Christopher 5 months, 2 weeks ago.

  • #67810

    Christopher
    Participant

    Is there an updated switch list for -PasswordExpired?

    Has anyone effectively utilized a parameter to query user accounts with expired or expiring passwords using the -PasswordExpired cmdlet? I need to find expired passwords and/or passwords expiring in our organization, not necessarily expiring accounts.

    There seems to be a lot of overlapping with cmdlets like -AccountExpired, -AccountExpiring, -LockedOut etc... that confuses me and the shell.

    Microsoft has also limited the search parameters for this cmdlet and the User attributes in Active Directory don't tend to play nice with the shell either.

  • #67812

    Zuldan
    Participant

    Have a look at the code in this project.

    https://github.com/dbetteridge/PasswordExpiryDash

  • #67821

    Eric Bronnert
    Participant

    I actually just wrote a script that does something similar. Feel free to have a look.

    You can use a cmd line one liner
    net user yourusername /domain

    (leave the /domain part as is)
    
    This one-liner will get you the data you need for the script below.
    
    
    Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} | Select-Object name, LastLogonDate, DistinguishedName | Export-Csv C:\ActiveNoExpiration2017.csv

    This script will basically scan a CSV you point it to, look for all accounts (via DistinguishedName) that have their passwords set to never expire, and "uncheck" this field within Active Directory. Depending on when the user last changed their password, this will apply to the account instantly if the password is expired according to the password expiration policy on your DC. *Note:* I believe the header for your CSV should be either "user" or "users". Try whichever one works. Also, you'll need to delete the -WhatIf when you're done testing and you're ready for the script to make the changes.

    ## ADCleanup - Password Expires = False ##
    Import-Module ActiveDirectory
    ## CD into the path where the files are being executed ##
    cd C:\users\yourusername\desktop\yourfile
    ## Import the CSV of users that need their password set to expire. The DistinguishedName column MUST BE THE FULL DN (as exported by the Get-ADUser one-liner above) ##
    Import-Csv 'userlist.csv' | ForEach-Object {
        ## Clear the "password never expires" and "user cannot change password" flags; remove -WhatIf to apply ##
        Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false -CannotChangePassword $false -WhatIf
    }

    • #67891

      Christopher
      Participant

      For some reason or other, all of our accounts are set to password never expires, which makes this more difficult. At least from what I can tell in the attributes listing in ADUC. I will check with higher admins on password policy.

  • #67855

    Mark Prior
    Participant

    Not entirely sure what you're after, but maybe this will help?

    
    # msDS-UserPasswordExpiryTimeComputed is a FILETIME; it is [Int64]::MaxValue when the password never expires (FromFileTime will throw on that value)
    Get-ADUser "username goes here" -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property DisplayName, @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
    
    
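The script below is an added example, not code from the thread or from any of its posters. It combines the two approaches above (Eric Bronnert's Get-ADUser filter on PasswordNeverExpires and Mark Prior's use of msDS-UserPasswordExpiryTimeComputed) into one report over every enabled user, classifying each as Expired, ExpiringSoon, NeverExpires, MustChangeAtLogon or OK, and it handles the sentinel values that make a naive [datetime]::FromFileTime() call throw: the attribute is 0 when pwdLastSet is 0 (must change at next logon) and [Int64]::MaxValue (9223372036854775807) when the password never expires or the effective policy has no maximum age. It assumes the ActiveDirectory RSAT module on a domain-joined host with read access; $DaysAhead, $OutCsv and the column names in the output are this example's own choices.

```powershell
# Added example (not from the thread): password-expiry report for enabled AD users.
# Requires the ActiveDirectory RSAT module and read access to the domain.
# $DaysAhead and $OutCsv are placeholders chosen for this example.
param(
    [int]$DaysAhead = 14,
    [string]$OutCsv = "C:\Temp\PasswordExpiryReport.csv"
)
Import-Module ActiveDirectory

# Sentinel returned in msDS-UserPasswordExpiryTimeComputed when the password
# never expires (or no max password age applies); FromFileTime cannot convert it.
$NeverExpiresSentinel = [Int64]::MaxValue
$now = Get-Date

$report = Get-ADUser -Filter { Enabled -eq $true } `
    -Properties DisplayName, PasswordLastSet, PasswordExpired, PasswordNeverExpires,
                'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

        # 0 => pwdLastSet is 0 (must change at next logon); MaxValue => never expires
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $NeverExpiresSentinel) {
            $expiry = $null
        }
        else {
            $expiry = [datetime]::FromFileTime($raw)
        }

        if ($_.PasswordNeverExpires) {
            $state = 'NeverExpires'
        }
        elseif ($null -eq $_.PasswordLastSet) {
            $state = 'MustChangeAtLogon'
        }
        elseif ($expiry -and $expiry -le $now) {
            $state = 'Expired'
        }
        elseif ($expiry -and $expiry -le $now.AddDays($DaysAhead)) {
            $state = 'ExpiringSoon'
        }
        elseif ($expiry) {
            $state = 'OK'
        }
        else {
            $state = 'NoExpiryComputed'   # no max age in the effective policy
        }

        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            DisplayName       = $_.DisplayName
            PasswordLastSet   = $_.PasswordLastSet
            PasswordExpired   = $_.PasswordExpired   # DC-computed flag, for cross-checking
            ExpiryDate        = $expiry
            DaysUntilExpiry   = if ($expiry) { [math]::Round(($expiry - $now).TotalDays, 1) } else { $null }
            State             = $state
            DistinguishedName = $_.DistinguishedName
        }
    }

# Export only the accounts someone needs to act on; keep the full DN so the
# rows can be fed straight into Set-ADUser -Identity later.
$report |
    Where-Object { $_.State -in 'Expired', 'ExpiringSoon', 'NeverExpires' } |
    Sort-Object State, ExpiryDate |
    Export-Csv -Path $OutCsv -NoTypeInformation

# Quick summary to the console
$report | Group-Object State | Select-Object Name, Count
```

Run it from an elevated PowerShell session on a domain member: `.\Get-PasswordExpiryReport.ps1 -DaysAhead 7` (the file name is this example's own). The PasswordExpired column is the same DC-computed flag that `Search-ADAccount -PasswordExpired` filters on, so it gives only the already-expired set; the computed expiry time is what makes "expiring within N days" possible. If, as Christopher reports, every account carries PasswordNeverExpires, every row will land in NeverExpires and the ExpiryDate column will be empty, which is the attribute behaving correctly rather than the script failing. To apply Eric Bronnert's cleanup to that subset, pipe the NeverExpires rows to `Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false -WhatIf` first and review the output before dropping -WhatIf, since clearing the flag on an account whose password is older than the policy maximum expires it immediately.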

You must be logged in to reply to this topic.