Author Posts

August 19, 2016 at 11:43 am

Hi

I am currently validating domain user where Passwordnonexpiry should be True, If value is True and i need to consolidate with my other validation results, here is what i tried

$svcact = Read-Host "Please enter service account name:"
$upws = Get-ADUser($svcact) | select PasswordNeverExpires
if ($upws) { $PasswordNeverExpires = "True"; $clr = '#339900' } else { $PasswordNeverExpires = "False"; $clr = '#990033'}
writeSpaceInfo $FileName "Password Non expiry" $PasswordNeverExpires $clr

and this script just Printing true for all accounts and not checking anything then i came with other script which is not print any value in email and not sure weather that is true

$svcact = Read-Host "Please enter service account name:"
$upws = Get-ADUser($svcact) | select PasswordNeverExpires
If (-not $upws)
{
Write-Warning "$svcact Account Password will Expiry." -foregroundcolor Red
write-output "$svcact Account Password will Expiry." | out-file $result -append
return $False
}
else
{
Write-Host "$svcact Account Password will not Expiry." -foregroundcolor Green
write-output "$svcact Account Password will not Expiry." | out-file $result -append
return $True
}
writeSpaceInfo $FileName "DBA PRR Check for Server Account Password Expiry" $svcact

August 19, 2016 at 12:09 pm

Madhu,

First thing is to make sure that the passwordneverexpires attribute shows by default for Get-ADUser. For me, when I run Get-ADUser | select *, passwordneverexpires does not show up. You can fix this by running Get-ADUser -Properties passwordneverexpires | select *. Second, your if statement is returning a boolean value for whether the variable $upws exists or not, NOT the actual value of $upws. Your syntax should look more like this:

$upws = Get-ADUser($svcact) -Properties passwordneverexpires | select PasswordNeverExpires
if ($upws -eq $True) { $PasswordNeverExpires = "True"; $clr = '#339900' } else { $PasswordNeverExpires = "False"; $clr = '#990033'}
  • This reply was modified 2 years ago by  Edmond Yee.

August 19, 2016 at 2:39 pm

Hi Edmond,

Thanks for your reply, I tried to execute your code and i receiving FALSE for all ACCOUNTS, for accounts Password expiry is True. Please see my below code and please correct me if i am wrong
=============================================================================================
$svcact = Read-Host "Please enter service account name:"

$upws = Get-ADUser($svcact) -Properties passwordneverexpires | select PasswordNeverExpires
if ($upws -eq $True) { $PasswordNeverExpires = "True"; $clr = '#339900' } else { $PasswordNeverExpires = "False"; $clr = '#990033'}
writeSpaceInfo $FileName "DBA PRR Check for Server Account Password Expiry" $PasswordNeverExpires $clr

August 19, 2016 at 5:36 pm

Try it without the parentheses like this

$upws = Get-ADUser $svcact -Properties passwordneverexpires | select PasswordNeverExpires

August 20, 2016 at 12:40 pm

Tried but same issue, not sure the reason

==========================================================
$svcact = Read-Host "Please enter service account name:"

$upws = Get-ADUser $svcact -Properties passwordneverexpires | select PasswordNeverExpires
if ($upws -eq $True) { $PasswordNeverExpires = "Pass"; $clr = '#339900' } else { $PasswordNeverExpires = "Fail"; $clr = '#990033'}
writeSpaceInfo $FileName "DBA PRR Check for Server Account Password Expiry" $PasswordNeverExpires $clr

August 20, 2016 at 5:58 pm

The problem is the value of $upws and how you are checking it in your if statement.

$upws = Get-ADUser $svcact -Properties passwordneverexpires | select PasswordNeverExpires

The above results in an object with one property called PasswordNeverExpires being stored in a variable called $upws.

if ($upws -eq $True)

The above if statement checks to see if $upws is true/exists. In this case $upws has an Object with a property stored in it, so it returns true. This if statement is not checking the value of that property, just the value of the variable.

There are two ways to resolve this.

1) You can tell the select statement to expand the PasswordNeverExpires variable so that the value of PasswordNeverExpires is stored in $upws instead of an object with a property.

$upws = Get-ADUser $svcact -Properties passwordneverexpires | select -ExpandProperty PasswordNeverExpires

Now when the if statement check if $upws is $True, it is checking the actual value of the property since that is what is stored in the variable, not an object with a property

2) You could alternatively leave the select the way it is and store the object in the variable, but adjust your if statement to check the object property instead of the object. In this scenario, you technically don't need the select statement at all. If you remove it, all of the properties returned from AD will be stored on the object in the $upws variable, and when you issue the if statement, you specify which property you want to check. This leaves the other properties available on the object to be used for other purposes if desired.

$upws = Get-ADUser($svcact) -Properties PasswordNeverExpires
if ($upws.PasswordNeverExpires -eq $True){ $PasswordNeverExpires = "Pass"; $clr = '#339900' } else { $PasswordNeverExpires = "Fail"; $clr = '#990033'}

August 22, 2016 at 12:08 pm

Curtis,

I believe you are incorrect. In his initial post, writing

If ($upws)

means that it is checking that the variable $upws exists. However, typing

If ($upws -eq $True)

is checking that the value of the variable $upws is $True. Take this snippet for instance:

$upws = 'test value'
If ($upws -eq $True) {Write-Host 'The value of $upws is $True.'} else {Write-Host 'The value of $upws is not $True.'}

This will return the else condition.

Madhu,

I have tested this code on my machine with my AD and it works fine. Are you receiving any errors?

August 22, 2016 at 3:05 pm

Hi Edmond,
I am not incorrect.

See Example Below:

Remove-Variable "upws"

If ($upws) {'$upws is True'}Else{'$upws is not True'}
If ($upws -eq $False) {'$upws is True'}Else{'$upws is not True'}

Results:

$upws is not True
$upws is not True

In the above example, in the first instance $upws does not exist so the result is not true. In the second instance $upws still does not exist, but it's value is not false either so the result is still not true.

Let's give a second example:

$upws = $false

If ($upws) {'$upws is True'}Else{'$upws is not True'}
If ($upws -eq $True) {'$upws is True'}Else{'$upws is not True'}
If ($upws -eq $False) {'$upws is True'}Else{'$upws is not True'}

Results:

$upws is not True
$upws is not True
$upws is True

In the above example, $upws now exists, but it's value is set to false. If the "If ($upws)" statement condition only checked to see if the variable existed, then the results would be "$upws is True"; however we see the result is "$upws is not True". This is because the if statement is not only checking that the variable exists, but also checking it's value. When we additionally check the values for $True/$False, we see the results are expected for the value.

Now let's bring it back to the example in this thread:

$upws = [pscustomobject]@{property = $false}

If ($upws) {'$upws is True'}Else{'$upws is not True'}
If ($upws -eq $True) {'$upws is True'}Else{'$upws is not True'}
If ($upws -eq $False) {'$upws is True'}Else{'$upws is not True'}

Results:

$upws is True
$upws is not True
$upws is not True

As we see from the above result, even though the property value is $false, the "If ($upws)" statement condition resolves true. This is because there is an object in the variable, it exists and has value. The "If ($upws -eq $True)" statement condition resolves not true because even though it exists and has value, that value is not equal to a boolean $True. Same thing with "If ($upws -eq $False)". That's because both of these conditions are looking at the value of $upws, which is an object, not's $false, which is the value of the "property" property on the object.

Last Example:

$upws = [pscustomobject]@{property = $false}

If ($upws.property) {'$upws is True'}Else{'$upws is not True'}
If ($upws.property -eq $True) {'$upws is True'}Else{'$upws is not True'}
If ($upws.property -eq $False) {'$upws is True'}Else{'$upws is not True'}

Results:

$upws is not True
$upws is not True
$upws is True

Again we see that the "If ($upws.property)" statement condition resolves not true, event though we know the property exists on the object. This is because it is also testing the value of the property, not just whether or not it exists. "If ($upws.property -eq $True)" resolves not True because the value of "property", Boolean $False, it not equal to Boolean $True. And "If ($upws.property -eq $False)" resolves true because the value of "property", Boolean $False, does equal Boolean $False.

Hope that helps.

August 22, 2016 at 3:16 pm

Hey Edmond,
To follow up on why you get the results you do in your example, I've added another line to show what is going on.

$upws = 'test value'

"Checking if '$([string]$upws)' equals '$([string]$true)'"

If ($upws -eq $True) {Write-Host 'The value of $upws is $True.'} else {Write-Host 'The value of $upws is not $True.'}

Results:

Checking if 'test value' equals 'True'
The value of $upws is not $True.

When PowerShell has to compare two values, it must make the two values the same type for comparison. In this case you are comparing a string value to a Boolean value. PowerShell will take the type of the value on the left side of the comparison operator, and try to convert the value on the right side of the comparison operator to the same type. As showing with the additional code I added, when you convert Boolean $True to a string, the result is "True", and this does not equal "test value"

At the same time, if you switch the order of comparison, you see that "test value" converted to a Boolean resolves to Boolean true and the expression ends up as True.

$upws = 'test value'

"Checking if '$([bool]$true)' equals '$([bool]$upws)'"

If ($True -eq $upws) {Write-Host 'The value of $upws is $True.'} else {Write-Host 'The value of $upws is not $True.'}

Results:

Checking if 'True' equals 'True'
The value of $upws is $True.

August 22, 2016 at 6:30 pm

Curtis,

Thank you for the explanation. I have traditionally always written it this way without running into issue but I see what you mean. This is very good to know.