
October 20, 2016 at 4:39 pm

I have been working to report all user accounts that have the "user must change password at next logon" flag set. My question is: how do I set `user must change password at next logon` instead of `1/1/1601 2:00:00 AM` in the CSV output? So I just want to set users who still have the box checked for "user must change password at next login" in Active Directory.

```powershell
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "Title", "manager", "department", "employeeid" |
    Select-Object -Property "Displayname",
        @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
        "Title",
        @{n="Manager Name";e={(Get-ADUser -Identity $_.Manager -Properties displayname).DisplayName}},
        "Department",
        "employeeid" |
    Sort-Object -Property ExpiryDate |
    Export-Csv -Path "c:\export\expirydatenew.csv" -NoTypeInformation -Encoding UTF8
```
  • This topic was modified 1 year, 11 months ago by  maxcoder.

October 20, 2016 at 5:10 pm

I don't think there is one particular flag you can trigger. It's either expired or not, which you can check by the expiry date. You can use the Set-ADUser boolean [-ChangePasswordAtLogon] to set the flag.

get-help set-aduser
https://technet.microsoft.com/en-us/library/ee617215.aspx

October 20, 2016 at 5:18 pm

Are you asking how to set it or how to retrieve it? If the property pwdlastset is equal to 0 then user must change password is true.

  • This reply was modified 1 year, 11 months ago by  Dan Potter.

October 20, 2016 at 6:29 pm

Hi Everyone,

CSV output at this time (1/1/1601 2:00:00 AM, users who have the box checked for "user must change password at next login" in Active Directory):

```
"Displayname","ExpiryDate","Title","Manager Name","Department","employeeid"
,,,,,
,,,,,
"user1","1/1/1601 2:00:00 AM",,,,
"user2","1/1/1601 2:00:00 AM",,,,
```

I want to get CSV output like below:

```
"Displayname","ExpiryDate","Title","Manager Name","Department","employeeid"
,,,,,
,,,,,
"user1","User must change password",,,,
"user2","User must change password",,,,
```

I have tried something but no luck.

```powershell
@{Name="User must change password";Expression={if($_.pwdLastSet -eq 0){"true"} else {"false"}}}
```
  • This reply was modified 1 year, 11 months ago by  maxcoder.

October 21, 2016 at 11:35 am

You need to reconstruct the Expression for the ExpiryDate field:

```powershell
@{Name="ExpiryDate";Expression={ if ($_."msDS-UserPasswordExpiryTimeComputed" -eq 0) { 'User must change password' } else { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") } } }
```

  • This reply was modified 1 year, 11 months ago by  Max Kozlov.

October 24, 2016 at 1:05 pm

Get-ADUser already has a calculated field, PasswordLastSet. It will be null if the password is set to change at next logon. You can either leave it null or test and put in your own description. I usually substitute "(Never)" for reports to non-technical users.
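
The replies above combined into one helper, as an added example that is not part of any poster's reply. The function name `ConvertTo-PasswordExpiryLabel` and the sample rows are made up for illustration; the `Int64.MaxValue` branch goes beyond the thread and covers accounts whose password never expires, which the original filter excludes but which would make `FromFileTime` throw.

```powershell
# Added example: hypothetical helper, not code from the thread.
function ConvertTo-PasswordExpiryLabel {
    param($RawValue)   # raw msDS-UserPasswordExpiryTimeComputed value

    # Attribute not returned (e.g. not listed in -Properties).
    if ($null -eq $RawValue) { return '' }

    $ticks = [int64]$RawValue

    # 0 is returned when pwdLastSet is 0, i.e. the
    # "User must change password at next logon" box is checked.
    if ($ticks -eq 0) { return 'User must change password' }

    # Int64.MaxValue is returned when the password never expires;
    # [datetime]::FromFileTime() throws on this value.
    if ($ticks -eq [int64]::MaxValue) { return '(Never)' }

    # Emit a sortable string so the CSV column holds one type.
    return [datetime]::FromFileTime($ticks).ToString('yyyy-MM-dd HH:mm:ss')
}

# Constructed sample rows shaped like Get-ADUser output (not real accounts).
$sample = @(
    [pscustomobject]@{ DisplayName = 'user1'; 'msDS-UserPasswordExpiryTimeComputed' = 0 }
    [pscustomobject]@{ DisplayName = 'user2'; 'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
    [pscustomobject]@{ DisplayName = 'user3'; 'msDS-UserPasswordExpiryTimeComputed' = ([datetime]'2016-12-01').ToFileTime() }
)

# For a live report, replace $sample with the Get-ADUser call from the first post.
$sample |
    Select-Object DisplayName,
        @{ Name = 'ExpiryDate'; Expression = { ConvertTo-PasswordExpiryLabel $_.'msDS-UserPasswordExpiryTimeComputed' } } |
    Sort-Object ExpiryDate |
    ConvertTo-Csv -NoTypeInformation
```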