GET ADUSER for Password Non expiry

Tagged: 

This topic contains 9 replies, has 3 voices, and was last updated by Profile photo of Edmond Yee Edmond Yee 1 month, 1 week ago.

Viewing 10 posts - 1 through 10 (of 10 total)
  • Author
    Posts
  • #51134
    Profile photo of Madhu
    Madhu
    Participant

    Hi

    I am currently validating domain user where Passwordnonexpiry should be True, If value is True and i need to consolidate with my other validation results, here is what i tried

    $svcact = Read-Host "Please enter service account name:"
    $upws = Get-ADUser($svcact) | select PasswordNeverExpires
    if ($upws) { $PasswordNeverExpires = "True"; $clr = '#339900' } else { $PasswordNeverExpires = "False"; $clr = '#990033'}
    writeSpaceInfo $FileName "Password Non expiry" $PasswordNeverExpires $clr

    and this script just Printing true for all accounts and not checking anything then i came with other script which is not print any value in email and not sure weather that is true

    $svcact = Read-Host "Please enter service account name:"
    $upws = Get-ADUser($svcact) | select PasswordNeverExpires
    If (-not $upws)
    {
    Write-Warning "$svcact Account Password will Expiry." -foregroundcolor Red
    write-output "$svcact Account Password will Expiry." | out-file $result -append
    return $False
    }
    else
    {
    Write-Host "$svcact Account Password will not Expiry." -foregroundcolor Green
    write-output "$svcact Account Password will not Expiry." | out-file $result -append
    return $True
    }
    writeSpaceInfo $FileName "DBA PRR Check for Server Account Password Expiry" $svcact

    #51144
    Profile photo of Edmond Yee
    Edmond Yee
    Participant

    Madhu,

    First thing is to make sure that the passwordneverexpires attribute shows by default for Get-ADUser. For me, when I run Get-ADUser | select *, passwordneverexpires does not show up. You can fix this by running Get-ADUser -Properties passwordneverexpires | select *. Second, your if statement is returning a boolean value for whether the variable $upws exists or not, NOT the actual value of $upws. Your syntax should look more like this:

    $upws = Get-ADUser($svcact) -Properties passwordneverexpires | select PasswordNeverExpires
    if ($upws -eq $True) { $PasswordNeverExpires = "True"; $clr = '#339900' } else { $PasswordNeverExpires = "False"; $clr = '#990033'}
    • This reply was modified 1 month, 1 week ago by Profile photo of Edmond Yee Edmond Yee.
    #51180
    Profile photo of Madhu
    Madhu
    Participant

    Hi Edmond,

    Thanks for your reply, I tried to execute your code and i receiving FALSE for all ACCOUNTS, for accounts Password expiry is True. Please see my below code and please correct me if i am wrong
    =============================================================================================
    $svcact = Read-Host "Please enter service account name:"

    $upws = Get-ADUser($svcact) -Properties passwordneverexpires | select PasswordNeverExpires
    if ($upws -eq $True) { $PasswordNeverExpires = "True"; $clr = '#339900' } else { $PasswordNeverExpires = "False"; $clr = '#990033'}
    writeSpaceInfo $FileName "DBA PRR Check for Server Account Password Expiry" $PasswordNeverExpires $clr

    #51210
    Profile photo of Edmond Yee
    Edmond Yee
    Participant

    Try it without the parentheses like this

    $upws = Get-ADUser $svcact -Properties passwordneverexpires | select PasswordNeverExpires
    #51284
    Profile photo of Madhu
    Madhu
    Participant

    Tried but same issue, not sure the reason

    ==========================================================
    $svcact = Read-Host "Please enter service account name:"

    $upws = Get-ADUser $svcact -Properties passwordneverexpires | select PasswordNeverExpires
    if ($upws -eq $True) { $PasswordNeverExpires = "Pass"; $clr = '#339900' } else { $PasswordNeverExpires = "Fail"; $clr = '#990033'}
    writeSpaceInfo $FileName "DBA PRR Check for Server Account Password Expiry" $PasswordNeverExpires $clr

    #51298
    Profile photo of Curtis Smith
    Curtis Smith
    Participant

    The problem is the value of $upws and how you are checking it in your if statement.

    $upws = Get-ADUser $svcact -Properties passwordneverexpires | select PasswordNeverExpires

    The above results in an object with one property called PasswordNeverExpires being stored in a variable called $upws.

    if ($upws -eq $True)

    The above if statement checks to see if $upws is true/exists. In this case $upws has an Object with a property stored in it, so it returns true. This if statement is not checking the value of that property, just the value of the variable.

    There are two ways to resolve this.

    1) You can tell the select statement to expand the PasswordNeverExpires variable so that the value of PasswordNeverExpires is stored in $upws instead of an object with a property.

    $upws = Get-ADUser $svcact -Properties passwordneverexpires | select -ExpandProperty PasswordNeverExpires

    Now when the if statement check if $upws is $True, it is checking the actual value of the property since that is what is stored in the variable, not an object with a property

    2) You could alternatively leave the select the way it is and store the object in the variable, but adjust your if statement to check the object property instead of the object. In this scenario, you technically don't need the select statement at all. If you remove it, all of the properties returned from AD will be stored on the object in the $upws variable, and when you issue the if statement, you specify which property you want to check. This leaves the other properties available on the object to be used for other purposes if desired.

    $upws = Get-ADUser($svcact) -Properties PasswordNeverExpires
    if ($upws.PasswordNeverExpires -eq $True){ $PasswordNeverExpires = "Pass"; $clr = '#339900' } else { $PasswordNeverExpires = "Fail"; $clr = '#990033'}
    #51443
    Profile photo of Edmond Yee
    Edmond Yee
    Participant

    Curtis,

    I believe you are incorrect. In his initial post, writing

    If ($upws)

    means that it is checking that the variable $upws exists. However, typing

    If ($upws -eq $True)

    is checking that the value of the variable $upws is $True. Take this snippet for instance:

    $upws = 'test value'
    If ($upws -eq $True) {Write-Host 'The value of $upws is $True.'} else {Write-Host 'The value of $upws is not $True.'}

    This will return the else condition.

    Madhu,

    I have tested this code on my machine with my AD and it works fine. Are you receiving any errors?

    #51469
    Profile photo of Curtis Smith
    Curtis Smith
    Participant

    Hi Edmond,
    I am not incorrect.

    See Example Below:

    Remove-Variable "upws"
    
    If ($upws) {'$upws is True'}Else{'$upws is not True'}
    If ($upws -eq $False) {'$upws is True'}Else{'$upws is not True'}

    Results:

    $upws is not True
    $upws is not True

    In the above example, in the first instance $upws does not exist so the result is not true. In the second instance $upws still does not exist, but it's value is not false either so the result is still not true.

    Let's give a second example:

    $upws = $false
    
    If ($upws) {'$upws is True'}Else{'$upws is not True'}
    If ($upws -eq $True) {'$upws is True'}Else{'$upws is not True'}
    If ($upws -eq $False) {'$upws is True'}Else{'$upws is not True'}

    Results:

    $upws is not True
    $upws is not True
    $upws is True

    In the above example, $upws now exists, but it's value is set to false. If the "If ($upws)" statement condition only checked to see if the variable existed, then the results would be "$upws is True"; however we see the result is "$upws is not True". This is because the if statement is not only checking that the variable exists, but also checking it's value. When we additionally check the values for $True/$False, we see the results are expected for the value.

    Now let's bring it back to the example in this thread:

    $upws = [pscustomobject]@{property = $false}
    
    If ($upws) {'$upws is True'}Else{'$upws is not True'}
    If ($upws -eq $True) {'$upws is True'}Else{'$upws is not True'}
    If ($upws -eq $False) {'$upws is True'}Else{'$upws is not True'}

    Results:

    $upws is True
    $upws is not True
    $upws is not True

    As we see from the above result, even though the property value is $false, the "If ($upws)" statement condition resolves true. This is because there is an object in the variable, it exists and has value. The "If ($upws -eq $True)" statement condition resolves not true because even though it exists and has value, that value is not equal to a boolean $True. Same thing with "If ($upws -eq $False)". That's because both of these conditions are looking at the value of $upws, which is an object, not's $false, which is the value of the "property" property on the object.

    Last Example:

    $upws = [pscustomobject]@{property = $false}
    
    If ($upws.property) {'$upws is True'}Else{'$upws is not True'}
    If ($upws.property -eq $True) {'$upws is True'}Else{'$upws is not True'}
    If ($upws.property -eq $False) {'$upws is True'}Else{'$upws is not True'}

    Results:

    $upws is not True
    $upws is not True
    $upws is True

    Again we see that the "If ($upws.property)" statement condition resolves not true, event though we know the property exists on the object. This is because it is also testing the value of the property, not just whether or not it exists. "If ($upws.property -eq $True)" resolves not True because the value of "property", Boolean $False, it not equal to Boolean $True. And "If ($upws.property -eq $False)" resolves true because the value of "property", Boolean $False, does equal Boolean $False.

    Hope that helps.

    #51471
    Profile photo of Curtis Smith
    Curtis Smith
    Participant

    Hey Edmond,
    To follow up on why you get the results you do in your example, I've added another line to show what is going on.

    $upws = 'test value'
    
    "Checking if '$([string]$upws)' equals '$([string]$true)'"
    
    If ($upws -eq $True) {Write-Host 'The value of $upws is $True.'} else {Write-Host 'The value of $upws is not $True.'}

    Results:

    Checking if 'test value' equals 'True'
    The value of $upws is not $True.

    When PowerShell has to compare two values, it must make the two values the same type for comparison. In this case you are comparing a string value to a Boolean value. PowerShell will take the type of the value on the left side of the comparison operator, and try to convert the value on the right side of the comparison operator to the same type. As showing with the additional code I added, when you convert Boolean $True to a string, the result is "True", and this does not equal "test value"

    At the same time, if you switch the order of comparison, you see that "test value" converted to a Boolean resolves to Boolean true and the expression ends up as True.

    $upws = 'test value'
    
    "Checking if '$([bool]$true)' equals '$([bool]$upws)'"
    
    If ($True -eq $upws) {Write-Host 'The value of $upws is $True.'} else {Write-Host 'The value of $upws is not $True.'}

    Results:

    Checking if 'True' equals 'True'
    The value of $upws is $True.
    #51503
    Profile photo of Edmond Yee
    Edmond Yee
    Participant

    Curtis,

    Thank you for the explanation. I have traditionally always written it this way without running into issue but I see what you mean. This is very good to know.

Viewing 10 posts - 1 through 10 (of 10 total)

You must be logged in to reply to this topic.