Complete Newbie – Looking for Help Creating a Script to Provide List of AD User

    • #265991

      Hi All,

      I am a complete newbie with regards to PowerShell. This will be my 1st attempt; not even sure where to actually start… Sorry.

      I am trying to create a simple script that lists all the users on a domain, status, expiry date, account locked?…etc.

      Any help would be appreciated

      Regards

      John

    • #266006

      You should research the Active Directory cmdlets, in particular Get-ADUser.

      https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps

      You can use the Export-CSV cmdlet to send the data to a CSV file.

      Get-Help Export-Csv -Full for usage and examples.

       

    • #266030

      Hi,

      So I managed to find some stuff on the internet; it gives me an output, which looks correct. Script below:

          # Enabled users whose passwords can expire, with the computed expiry converted from a FILETIME value
          Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
              Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

      Some of the accounts, primarily my team, all have proper expiry dates, but for the other team that is in this domain, all their password expiry dates are 01/01/1601. This obviously isn’t correct.

      These accounts are also controlled by the AD Password policy and I have had to change their password because they have expired.

      The only reason I can think of why their expiry dates are invalid is that they don’t directly log into the domain via a desktop or server. Their domain accounts are purely to give them authentication when they log into a SQL instance via SSMS which has domain authentication.

      Anyone seen this before? Also, could someone give me some direction on how to tweak the attached script to give me account locked true/false?

       

      Thanks

       

      John

    • #266045

      Most likely their PasswordLastSet (pwdLastSet) attribute is NULL.  They were probably given passwords and never forced to change them at next logon.

      If that’s the case, msDS-UserPasswordExpiryTimeComputed will return 00, which converts to the epoch date 01/01/1601.

      You can get the locked out status by adding LockedOut to the list of properties you’re specifying when running the Get-ADUser command.  You will also need to add it to the Select-Object command to see it in the output.
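
A report covering the fields asked for in this thread (status, lockout, account expiry, password expiry), as an added example that was not posted by any participant. It assumes the RSAT ActiveDirectory module and read access to the domain; the output file name ADUserReport.csv and the PasswordState labels are placeholders chosen for this example.

```powershell
# Added example: AD user status report that treats the sentinel values of
# msDS-UserPasswordExpiryTimeComputed as states instead of converting them to dates.
Import-Module ActiveDirectory

$props = 'DisplayName', 'LockedOut', 'AccountExpirationDate', 'PasswordLastSet',
         'msDS-UserPasswordExpiryTimeComputed'

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

    if (-not $raw) {
        # 0 or missing: pwdLastSet is empty/0, so FromFileTime would give 01/01/1601.
        $state = 'NoPwdLastSet'; $expiry = $null
    } elseif ($raw -eq [Int64]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: password does not expire; FromFileTime would throw.
        $state = 'NoExpiry'; $expiry = $null
    } else {
        $expiry = [datetime]::FromFileTime($raw)
        $state  = if ($expiry -lt (Get-Date)) { 'Expired' } else { 'Valid' }
    }

    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        DisplayName     = $_.DisplayName
        Enabled         = $_.Enabled
        LockedOut       = $_.LockedOut
        AccountExpires  = $_.AccountExpirationDate   # empty when the account never expires
        PasswordLastSet = $_.PasswordLastSet
        PasswordExpiry  = $expiry
        PasswordState   = $state
    }
}

# Show on screen, then write the same rows to CSV (placeholder file name).
$report | Sort-Object PasswordState, SamAccountName | Format-Table -AutoSize
$report | Export-Csv -Path .\ADUserReport.csv -NoTypeInformation
```

Rows with PasswordState NoPwdLastSet are the accounts that showed 01/01/1601 in the original output; comparing them against PasswordLastSet shows which accounts have no recorded password change.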
