All users Account Password and when password were changed.

This topic contains 12 replies, has 3 voices, and was last updated by  Don Jones 3 years, 10 months ago.

  • Author
    Posts
  • #11676

    Markus Jones
    Participant

    I get a lil twisted.... I created this script below:

    Import-Module ActiveDirectory
    Get-ADUser 'a87114' -properties PasswordLastSet, whenCreated | Format-List

    $Result = @()
    $Users = Get-ADUser a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires
    ForEach ($User in $Users)
    { $Result += New-Object PSObject -Property @{
    'Last Name' = $User.sn
    'First Name' = $User.GivenName
    UserName = $User.SamAccountName

    }
    }
    $Result = $Result | Select 'Last Name','First Name',UserName

    #Produce a CSV
    $Result | Export-Csv "c:\temp\passwordexpirationdate11.csv"

    The above display this:

    DistinguishedName : CN=A87114,OU=Users,OU=Atlanta-AOC,OU=US,OU=NA,DC=na,DC=ko,DC=com
    Enabled : True
    GivenName : George
    Name : A87114
    ObjectClass : user
    ObjectGUID : 5275b59f-509f-4418-b615-4a338a99b2d2
    PasswordLastSet : 11/26/2013 11:48:01 AM
    SamAccountName : A87114
    SID : S-1-5-21-1174801143-910442134-930774774-464530
    Surname : Jones
    UserPrincipalName : a87114@na.ko.com
    whenCreated : 8/22/2013 12:03:19 PM

    Do you think there's away to ouput when the password was set and check to see when it was last changed?

    I am trying to get a variable like

    $date = date
    $dataPwdYear = last 4 of $datepwd
    $datepwdMonth = left ($datepwd, "/")
    $datePwdDay = mid ($datepwd, "/", next 2 character)

    then
    $dateCreate

    – is a minus

    If (year – year) = 0 then
    If (month-month) = 0 then
    If (day-day) = 0 then
    If (AM – PM) 2 then
    If (hour – hour) <2 then
    Else "Error" + output

    The goal here is to see if powershell can output when an account password was created and when the account password was changed.

    Help

  • #11678

    Markus Jones
    Participant

    Hello Don

    My manager ask me if Powershell could output when a user account password was created and if the password to the account was changed when the user or users logged in for the first time. We have a lot of users account that we have to reset passwords right after the accounts have been created within minutes. I have to do this pre each DCs or domain. We have over 50,000 plus users across the world.... he key is date and time. I hope this helps.

    Thank you sir

  • #11679

    Markus Jones
    Participant

    Hello Don

    I work for Coca-Cola and my manager ask me if Powershell could output when a user account password was created and if the password to the account was changed when the user or users logged in for the first time. We have a lot of users account that we have to reset passwords right after the accounts have been created within minutes. I have to do this pre each DCs or domain. We have over 50,000 plus users across the world.... The key is date and time. I hope this helps.

    Thank you sir

  • #11680

    Don Jones
    Keymaster

    Yes. It can.

    Get-ADUser -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires | Export-CSV whatever.csv
    

    For the user account a87114, does the above command do what you want?

  • #11692

    Markus Jones
    Participant

    Don

    It displayed the same thing I had already did. What I am trying to get is the difference in the time the account and account password was created and when password was first changed.

  • #11694

    Don Jones
    Keymaster

    Ah, okay.

    So, at the end of the Select-Object property list, you would add something like:

    …whenCreated,PasswordLastSet,PasswordNeverExpires,@{n='Difference';e={ $_.PasswordLastSet - $_.WhenCreated  }}
    

    That'll give you an additional column with the difference. You can obviously play with the expression in {} to get a specific value (days, hours, whatever). Although that won't give you when the password FIRST changed, it'll give you when the password LAST changed.

  • #11698

    Markus Jones
    Participant

    Is this correct? Get-ADUser -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires,@{n='Difference';e={ $_.PasswordLastSet – $_.WhenCreated }} | Export-CSV c:\temp\test.csv

    I just got an error message.

    The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:11
    + Get-ADUser <<<< -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires,@{n='Difference';e={ $_.PasswordLastSet – $_.WhenCreated }} | Export-CSV c:\temp\whateve r.csv + CategoryInfo : ObjectNotFound: (Get-ADUser:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException

  • #11699

    Don Jones
    Keymaster

    That'd be because you either (a) don't have the ActiveDirectory module loaded or (b) it doesn't exist on the machine you're using. The problem is not with your syntax, it's that the Get-ADUser command wasn't found.

    Since you were using Get-ADUser in your original example, I had assumed you had access to the ActiveDirectory module.

  • #11700

    Dave Wyatt
    Moderator

    For that error message, you're either running PowerShell 2.0 and need to add an "Import-Module ActiveDirectory" command earlier in the script, or you're running PowerShell 3.0 or later on a computer that doesn't have the RSAT feature installed.

    Also, I don't think you can do constructed properties in the Get-ADUser command like that, though I haven't tried it myself. This would work, though:

    Get-ADUser -Identity a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires |
    Select-Object -Property *, @{ n = 'Difference'; e = { $_.PasswordLastSet – $_.WhenCreated } } |
    Export-CSV c:\temp\test.csv
    

    Keep in mind that your "Difference" property is going to be a timespan object, which looks like this when converted to a string in a CSV: 1674.18:43:52.2694062 . That's .::.

  • #11701

    Don Jones
    Keymaster

    Correct, you can't do those right in the property list, sorry – I was reading too fast and didn't realize we'd not just done a Select. Thanks, Dave.

  • #11702

    Markus Jones
    Participant

    Don

    That works. I was able to get an output of 95.23:44:42.1869997 that’s .::..
    Is there away to converted the 95.23:44:42.1869997 into a actual date and time?

    Thank you

  • #11704

    Don Jones
    Keymaster

    Well, no… the difference between Date A and Date B isn't a date, it's some number of hours-days-minutes-etc.

    Today minus yesterday is one day… it isn't a date and time.

    If { $_.x – $_.y } is a timespan, then { ($_.x – $_.y).Days } would be the number of days between those two datetimes.

  • #11677

    Don Jones
    Keymaster

    So, you can use the HTML PRE tag to format your code. It's a little harder to follow when you don't do that.

    I'm a little confused on why your'e doing what you're doing.

    Import-Module ActiveDirectory
    Get-ADUser ‘a87114′ -properties PasswordLastSet, whenCreated | Format-List
    

    The above doesn't do anything useful, right? Just creates a list. This is what you're seeing in your output, but it's just going to the screen. This has nothing to do with creating a CSV. Also, Format-List won't always display every available property. You have to do "Format-List -Property *" if you want to see everything.

    $Result = @()
    $Users = Get-ADUser a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires
    

    After the above, you've got a single user in $Users, and it should have all the properties you want, including password last set. Keep in mind that a lot of attributes, like passwordlastset, do not replicate instantly. So you are not ALWAYS getting a 100% accurate value by only querying one domain controller. Just be aware that there is some room for error with some of these attributes.

    ForEach ($User in $Users)
    {	$Result += New-Object PSObject -Property @{
    ‘Last Name’ = $User.sn
    ‘First Name’ = $User.GivenName
    UserName = $User.SamAccountName
    
    }
    }
    

    I don't understand what the above is doing. You're keeping the user's Last name, first name, and username. You already have that information in $Users. You are not ADDING information, here. You're taking what's in $Users, and only keeping three things, and putting those three things into $Result.

    $Result = $Result | Select ‘Last Name’,'First Name’,UserName
    

    I don't understand the above, either. $Result contains objects that only have a last name, first name, and user name. There's no need to select those properties.

    #Produce a CSV
    $Result | Export-Csv “c:\temp\passwordexpirationdate11.csv”
    

    Sure, the above is only providing last name, first name, and user name, because that's all you put into $Result.

    If you just want everything in a CSV file:

    Get-ADUser a87114 -Properties GivenName,sn,PasswordExpired,whenCreated,PasswordLastSet,PasswordneverExpires | Export-CSV whatever.csv
    

    Right? So I guess I'm confused about what you're after. If we could maybe start with that last line above, and you tell me what it isn't doing for you, I can help you get it to do what you need.

You must be logged in to reply to this topic.