How to check user must change password at next logon flag via PowerShell


This topic contains 5 replies, has 5 voices, and was last updated by Ron 1 month, 1 week ago.

  • #55406
    maxcoder
    Participant

    I have been working on a report of all user accounts that have the "user must change password at next logon" flag set. My question is: how do I set `user must change password at next logon` instead of `1/1/1601 2:00:00 AM` in the CSV output? So I just want to set it for users who still have the box checked for "user must change password at next login" in Active Directory.

    Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "Title", "manager", "department", "employeeid" |
        Select-Object -Property "Displayname",
            @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
            "Title",
            @{n="Manager Name";e={(Get-ADuser -identity $_.Manager -properties displayname).DisplayName}},
            "Department","employeeid" |
        Sort-Object -Property ExpiryDate |
        Export-Csv -Path "c:\export\expirydatenew.csv" -NoTypeInformation -Encoding UTF8
  • #55418
    Don Reese
    Participant

    I don't think there is one particular flag you can trigger. It's either expired or not, which you can check by the expiry date. You can use the Set-ADUser boolean [-ChangePasswordAtLogon] to set the flag.

    get-help set-aduser
    https://technet.microsoft.com/en-us/library/ee617215.aspx

  • #55424
    Dan Potter
    Participant

    Are you asking how to set it or how to retrieve it? If the property pwdlastset is equal to 0 then user must change password is true.

  • #55435
    maxcoder
    Participant

    Hi Everyone,

    CSV output at this time (1/1/1601 2:00:00 AM for users who have the box checked for "user must change password at next login" in Active Directory):

    "Displayname","ExpiryDate","Title","Manager Name","Department","employeeid"
    ,,,,,
    ,,,,,
    "user1","1/1/1601 2:00:00 AM",,,,
    "user2","1/1/1601 2:00:00 AM",,,,

    I want to get CSV output like below :

    "Displayname","ExpiryDate","Title","Manager Name","Department","employeeid"
    ,,,,,
    ,,,,,
    "user1","User must change password",,,,
    "user2","User must change password",,,,

    I have tried something but no luck.

    @{Name="User must change password";Expression={if($_.pwdLastSet -eq 0){"true"} else {"false"}}}
  • #55544
    Max Kozlov
    Participant

    You need to reconstruct Expression for ExpiryDate field:
    @{Name="ExpiryDate";Expression={ if ($_."msDS-UserPasswordExpiryTimeComputed" -eq 0) { 'User must change password' } else { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } } }

  • #55868
    Ron
    Participant

    Get-ADUser already has a calculated field, PasswordLastSet. It will be null if the password is set to change at next logon. You can either leave it null or test and put in your own description. I usually substitute "(Never)" for reports to non-technical users.
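
An added example, not part of any post in this thread: the replies above combined into one calculated property that also handles the two values of `msDS-UserPasswordExpiryTimeComputed` that are not real dates. The helper name `ConvertTo-ExpiryText`, the `(Never)` and `(Not returned)` labels, and the sample rows are this example's own assumptions; the sample objects are constructed so it runs without a domain.

```powershell
# Added example: helper name and sample data are constructed for illustration.
function ConvertTo-ExpiryText {
    param($FileTime)   # raw msDS-UserPasswordExpiryTimeComputed value; may be $null

    # Attribute missing from the result (e.g. not requested with -Properties).
    # Without this check, FromFileTime($null) silently yields the 1601 epoch date.
    if ($null -eq $FileTime) { return '(Not returned)' }

    $value = [long]$FileTime

    # 0 = pwdLastSet is 0, i.e. "User must change password at next logon" is checked.
    if ($value -eq 0) { return 'User must change password' }

    # Int64 max = the password does not expire; FromFileTime() throws on this value.
    if ($value -eq [long]::MaxValue) { return '(Never)' }

    return [datetime]::FromFileTime($value)
}

# Constructed stand-ins for Get-ADUser output objects.
$sample = @(
    [pscustomobject]@{ DisplayName = 'user1'; 'msDS-UserPasswordExpiryTimeComputed' = [long]0 }
    [pscustomobject]@{ DisplayName = 'user2'; 'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
    [pscustomobject]@{ DisplayName = 'user3'; 'msDS-UserPasswordExpiryTimeComputed' = ([datetime]'2030-01-15').ToFileTime() }
    [pscustomobject]@{ DisplayName = 'user4'; 'msDS-UserPasswordExpiryTimeComputed' = $null }
)

# Against a real domain, replace $sample with the query from the first post:
#   Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
#       -Properties DisplayName, 'msDS-UserPasswordExpiryTimeComputed'
$report = $sample | Select-Object -Property DisplayName,
    @{ Name = 'ExpiryDate'
       Expression = { ConvertTo-ExpiryText $_.'msDS-UserPasswordExpiryTimeComputed' } }

# Emit the rows as CSV text; pipe $report to Export-Csv instead to write a file.
$report | ConvertTo-Csv -NoTypeInformation
```

Sorting on `ExpiryDate` mixes strings and dates once the labels are substituted, so sort on the raw attribute before `Select-Object` if the report order matters.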
