How to check user must change password at next logon flag via Powershell

This topic contains 5 replies, has 5 voices, and was last updated by  Ron 1 year, 1 month ago.

  • #55406

    maxcoder
    Participant

    I have been trying to report all user accounts that have the "user must change password at next logon" flag set. My question is: how do I set `user must change password at next logon` instead of `1/1/1601 2:00:00 AM` in the CSV output? So I just want to set users who still have the box checked for "user must change password at next login" in Active Directory.

    Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "Title", "manager", "department", "employeeid" |
        Select-Object -Property "Displayname",
            @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
            "Title",
            @{n="Manager Name";e={(Get-ADUser -Identity $_.Manager -Properties displayname).DisplayName}},
            "Department","employeeid" |
        Sort-Object -Property ExpiryDate |
        Export-Csv -Path "c:\export\expirydatenew.csv" -NoTypeInformation -Encoding UTF8
    • This topic was modified 1 year, 1 month ago by  maxcoder.
  • #55418

    Don Reese
    Participant

    I don't think there is one particular flag you can trigger. It's either expired or not, which you can check by the expiry date. You can use the Set-ADUser boolean [-ChangePasswordAtLogon] to set the flag.

    get-help set-aduser
    https://technet.microsoft.com/en-us/library/ee617215.aspx

  • #55424

    Dan Potter
    Participant

    Are you asking how to set it or how to retrieve it? If the property pwdLastSet is equal to 0, then "user must change password" is true.

    • This reply was modified 1 year, 1 month ago by  Dan Potter.
  • #55435

    maxcoder
    Participant

    Hi Everyone,

    CSV output at this time (1/1/1601 2:00:00 AM, users who have the box checked for "user must change password at next login" in Active Directory):

    "Displayname","ExpiryDate","Title","Manager Name","Department","employeeid"
    ,,,,,
    ,,,,,
    "user1","1/1/1601 2:00:00 AM",,,,
    "user2","1/1/1601 2:00:00 AM",,,,

    I want to get CSV output like below :

    "Displayname","ExpiryDate","Title","Manager Name","Department","employeeid"
    ,,,,,
    ,,,,,
    "user1","User must change password",,,,
    "user2","User must change password",,,,

    I have tried something but no luck.

    @{Name="User must change password";Expression={if($_.pwdLastSet -eq 0){"true"} else {"false"}}}
    • This reply was modified 1 year, 1 month ago by  maxcoder.
  • #55544

    Max Kozlov
    Participant

    You need to reconstruct the Expression for the ExpiryDate field:
    @{Name="ExpiryDate";Expression={ if ($_."msDS-UserPasswordExpiryTimeComputed" -eq 0) { 'User must change password' } else { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } } }

    • This reply was modified 1 year, 1 month ago by  Max Kozlov.
  • #55868

    Ron
    Participant

    Get-ADUser already has a calculated field, PasswordLastSet. It will be null if the password is set to change at next logon. You can either leave it null or test and put in your own description. I usually substitute "(Never)" for reports to non-technical users.
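The checks discussed in this thread, combined into one report as an added example (not code from any of the posters). It goes beyond the thread in one respect: `msDS-UserPasswordExpiryTimeComputed` is `0x7FFFFFFFFFFFFFFF` for accounts whose password does not expire, and `[datetime]::FromFileTime` throws on that value, so it is labelled instead of converted. The function name `Get-PasswordExpiryLabel` is hypothetical and the sample objects are constructed so the block runs without a domain.

```powershell
function Get-PasswordExpiryLabel {
    param(
        $PwdLastSet,          # raw pwdLastSet (FILETIME); 0 = must change at next logon
        $ExpiryTimeComputed   # raw msDS-UserPasswordExpiryTimeComputed (FILETIME)
    )
    $pls    = [Int64]$PwdLastSet            # $null casts to 0
    $expiry = [Int64]$ExpiryTimeComputed

    if ($pls -eq 0)                   { return 'User must change password' }
    if ($expiry -eq [Int64]::MaxValue) { return 'Password never expires' }
    if ($expiry -le 0)                { return 'Unknown' }
    return [datetime]::FromFileTime($expiry)
}

# Constructed sample objects standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ DisplayName = 'user2'; pwdLastSet = 133500000000000000
                       'msDS-UserPasswordExpiryTimeComputed' = 133536288000000000 }
    [pscustomobject]@{ DisplayName = 'user1'; pwdLastSet = 0
                       'msDS-UserPasswordExpiryTimeComputed' = 0 }
    [pscustomobject]@{ DisplayName = 'svc1';  pwdLastSet = 133500000000000000
                       'msDS-UserPasswordExpiryTimeComputed' = [Int64]::MaxValue }
)

# Against a live domain, replace $sample with:
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, pwdLastSet,
#       'msDS-UserPasswordExpiryTimeComputed'

# Sort on the raw value first, so the mixed string/date column is never compared.
$report = $sample |
    Sort-Object -Property 'msDS-UserPasswordExpiryTimeComputed' |
    Select-Object -Property DisplayName,
        @{ Name = 'ExpiryDate'; Expression = {
            Get-PasswordExpiryLabel -PwdLastSet $_.pwdLastSet `
                -ExpiryTimeComputed $_.'msDS-UserPasswordExpiryTimeComputed' } }

$report | ConvertTo-Csv -NoTypeInformation
```

Accounts labelled "User must change password" still hold the password an administrator set for them, which is why they sort to the top of the report.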
