AD Password Expiration tracking

This topic contains 0 replies, has 1 voice, and was last updated by Forums Archives 5 years, 3 months ago.


    by GregSmith at 2013-02-26 12:15:58

    I found and am trying to use this bit of code to list AD users who are approaching their password expiration date. I liked this code because I did not have to hardcode the domain name. Now it occurs to me that I probably am not using it correctly, as the math is not giving the expected numbers...

    I changed my password yesterday but still show in the list generated because, for me only, this is what's returned:
    9/18/2012 7:09:03 AM
    161
    Greg Smith

    The days calculation is correct, based on that date, but where did that date come from?


    $MaxPasswordAge = 30
    $userCount = 0
    # Bind to rootDSE so the domain name does not have to be hardcoded
    $adsiSearcher = new-object DirectoryServices.DirectorySearcher("LDAP://rootdse")
    $adsiSearcher.filter = "objectCategory=user"
    $adsiSearcher.findall() |
    Foreach-Object -ErrorAction "silentlycontinue" `
        -Begin { "The following users need to set their password" } `
        -Process `
        {
            # PasswordLastChanged is an ADSI-computed value derived from pwdLastSet
            $pwdChanged = ([adsi]$_.path).psbase.InvokeGet("PasswordLastChanged")
            Write-Host $pwdChanged
            write-host ((get-date) - $pwdChanged).days
            If( ((get-date) - $pwdChanged).days -ge $MaxPasswordAge)
            {
                ([adsi]$_.path).name
                $userCount++
            } #end if date
        } `
        -end { "A total of $userCount users" }

    by DonJ at 2013-02-26 12:35:42

    That attribute is a low-priority replication item. It's possible that you changed your password on one DC, but queried the attribute from another one that hadn't been informed of the change in that attribute yet.

    Also keep in mind that PasswordLastChanged itself isn't replicated at all; it's derived from pwdLastSet, which itself is low-pri.
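The following script is an added example, not code from the original thread or either poster. It acts on the two points above: it reads pwdLastSet directly from every domain controller and keeps the most recent value, so a change that has not replicated yet is still seen, and it takes the password lifetime from the domain's maxPwdAge rather than a hardcoded 30 days. It assumes a domain-joined machine whose caller can read pwdLastSet and maxPwdAge (readable by authenticated users by default); the 14-day warning window and the object names are assumptions.

```powershell
# Added example (not from the original thread). Reports enabled users whose
# password expires within $warnWithinDays, using the newest pwdLastSet found
# on any DC and the domain's own maxPwdAge.

$warnWithinDays = 14   # assumption: report users expiring inside this window

$rootDse  = [adsi]"LDAP://rootDSE"
$domainDn = $rootDse.defaultNamingContext.Value

# maxPwdAge is stored as a negative count of 100-nanosecond intervals (ticks).
$domainSearcher = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
$domainSearcher.SearchScope = "Base"
$domainSearcher.Filter = "(objectClass=domain)"
[void]$domainSearcher.PropertiesToLoad.Add("maxPwdAge")
$maxPwdAgeTicks = [int64]$domainSearcher.FindOne().Properties["maxpwdage"][0]

# 0 or Int64.MinValue means "passwords never expire" at the domain level.
if ($maxPwdAgeTicks -eq 0 -or $maxPwdAgeTicks -eq [int64]::MinValue) {
    Write-Output "Domain policy: passwords never expire; nothing to report."
    return
}
$maxPasswordAge = [TimeSpan]::FromTicks(-$maxPwdAgeTicks)

# Every writable DC in the current domain; each is queried directly below.
$dcNames = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    ForEach-Object { $_.Name }

# Enabled user accounts only: the matching-rule OID tests the ACCOUNTDISABLE bit (0x2).
$userSearcher = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://$domainDn")
$userSearcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$userSearcher.PageSize = 1000
[void]$userSearcher.PropertiesToLoad.AddRange(@("distinguishedName", "sAMAccountName", "userAccountControl"))

$DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag: account exempt from expiry
$now = Get-Date

$userSearcher.FindAll() | ForEach-Object {
    $dn  = $_.Properties["distinguishedname"][0]
    $sam = $_.Properties["samaccountname"][0]
    $uac = [int]$_.Properties["useraccountcontrol"][0]
    if ($uac -band $DONT_EXPIRE_PASSWORD) { return }   # skip policy-exempt accounts

    # Ask each DC for this object's pwdLastSet; the largest value is the most
    # recent change, regardless of which DC has not replicated it yet.
    $latest = 0L
    foreach ($dc in $dcNames) {
        try {
            $dcSearcher = New-Object DirectoryServices.DirectorySearcher([adsi]"LDAP://$dc/$dn")
            $dcSearcher.SearchScope = "Base"
            $dcSearcher.Filter = "(objectClass=*)"
            [void]$dcSearcher.PropertiesToLoad.Add("pwdLastSet")
            $value = [int64]$dcSearcher.FindOne().Properties["pwdlastset"][0]
            if ($value -gt $latest) { $latest = $value }
        } catch {
            Write-Warning "$dc unreachable or unreadable for ${sam}: $($_.Exception.Message)"
        }
    }

    # pwdLastSet of 0 means the user must change the password at next logon.
    if ($latest -eq 0) {
        [pscustomobject]@{ User = $sam; PasswordLastSet = $null; ExpiresOn = $null; DaysLeft = 0 }
        return
    }

    $lastSet   = [DateTime]::FromFileTime($latest)   # pwdLastSet is a Windows FILETIME
    $expiresOn = $lastSet + $maxPasswordAge
    $daysLeft  = [math]::Floor(($expiresOn - $now).TotalDays)
    if ($daysLeft -le $warnWithinDays) {
        [pscustomobject]@{ User = $sam; PasswordLastSet = $lastSet; ExpiresOn = $expiresOn; DaysLeft = $daysLeft }
    }
}
```

Run it from a domain-joined session; pipe the output to Sort-Object DaysLeft or Export-Csv as needed. Querying each DC multiplies the LDAP traffic by the number of DCs, so on a large domain narrow the user filter (for example to one OU via the SearchRoot) before running it on a schedule. Fine-grained password policies, where present, override maxPwdAge for their members and are not handled here.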
