October 21, 2013 at 8:35 am

How can I change this script to get all domain users' password info? Here is the script I used, but it only asks for a SamAccountName for one user.

<#
.SYNOPSIS
Determine last time user set their password
.DESCRIPTION
Shows password max age, if expired, and last date pw was changed.
.NOTES
Author: George Jones
.LINK
.PARAMETER SAMAccountName
SAMAccountName for the user in question.
.EXAMPLE
.\pw-last-set.ps1 -SAMAccountName some.user
#>

param (
    [parameter(Mandatory=$true, HelpMessage="SAMAccountName for user")]$SAMAccountName
)

# an empty ADsPath binds to the default naming context of the current domain
$root = [ADSI]""
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# no whitespace inside the filter value, or the match fails
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$SAMAccountName))"
$results = $searcher.FindAll()

# bind to the first (only) hit as a DirectoryEntry
$User = [ADSI]$results[0].Path

# get domain password policy (max pw age)
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$MPA = $Domain.maxPwdAge.Value

# get Int64 (100-nanosecond intervals).
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)

# get days (600000000 intervals per minute * 1440 minutes per day; value is stored negative)
$MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
"Domain Max Password Age (days): " + '{0:n3}' -f $MaxPwdAge

# check if password can expire or not
$UAC = $User.userAccountControl
$blnPwdExpires = -not (($UAC.Item(0) -band 64) -or ($UAC.Item(0) -band 65536))
"Can Password Expire?: $blnPwdExpires"

# when was pw last set?
$PLS = $User.pwdLastSet.Value

# convert to int64
$lngValue = $User.ConvertLargeIntegerToInt64($PLS)

# convert to ad date (FILETIME counts from 1601, so add 1600 years to the .NET tick value)
$Date = [DateTime]$lngValue
if ($Date -eq 0) {
    $PwdLastSet = ""
}
else {
    $PwdLastSet = $Date.AddYears(1600).ToLocalTime()
}
"Password Last Set (local time): $PwdLastSet"

# is the password expired?
$blnExpired = $False
$Now = Get-Date
if ($blnPwdExpires) {
    if ($Date -eq 0) {
        $blnExpired = $True
    }
    else {
        if ($PwdLastSet.AddDays($MaxPwdAge) -le $Now) {
            $blnExpired = $True
        }
    }
}

"Password Expired? $blnExpired"

October 21, 2013 at 9:05 am

You'd need to get rid of the Param block (or at least make the $SamAccountName parameter optional, defaulting to '*'), potentially modify $searcher.Filter (if you're not going to filter on samAccountName at all), and modify the rest of the code to loop over the collection returned by $searcher.FindAll(), instead of only outputting information for a single record at index 0.

I would also recommend constructing objects (which can then be formatted by Format-Table or Format-List), instead of outputting a bunch of strings (such as "Password Expired? $blnExpired" ). You'd need to include a property in each object indicating which user account the information refers to.
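The changes described in the reply above, carried through as an added example script (not the original poster's script or a reply from the thread): the parameter defaults to `*`, the filter is built from it, the loop runs over every `FindAll()` result, and each user becomes a `[pscustomobject]` rather than a set of strings. `maxPwdAge` and `pwdLastSet` are read through `DirectorySearcher`, which already returns large integers as `Int64`, so no `ConvertLargeIntegerToInt64` call is needed. The "can expire" test uses only the `ADS_UF_DONT_EXPIRE_PASSWD` flag (0x10000); the domain-wide "never expires" setting (`maxPwdAge` equal to `Int64.MinValue`) and `pwdLastSet = 0` ("must change at next logon") are handled as edge cases. The script name `Get-PasswordAge.ps1` is assumed.

```powershell
<#
.SYNOPSIS
Reports password age and expiry for every user in the current domain.
.DESCRIPTION
Added example for this thread, not the original script. Emits one object per
user so the output can be piped to Format-Table, Export-Csv or Where-Object.
.EXAMPLE
.\Get-PasswordAge.ps1 | Where-Object { $_.PasswordExpired } | Format-Table
#>
param (
    # '*' (the default) matches every user; pass a name to report on one account.
    [string]$SAMAccountName = '*'
)

# Domain password policy. maxPwdAge is a negative count of 100-ns intervals;
# Int64.MinValue is the documented "passwords never expire" value.
$domainRoot   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
$policySearch = New-Object System.DirectoryServices.DirectorySearcher(
    $domainRoot, '(objectClass=domainDNS)', @('maxPwdAge'), 'Base')
$maxPwdAgeRaw       = [int64]$policySearch.FindOne().Properties['maxpwdage'][0]
$domainNeverExpires = ($maxPwdAgeRaw -eq [int64]::MinValue)
$maxPwdAgeDays      = if ($domainNeverExpires) { $null } else { -$maxPwdAgeRaw / (600000000 * 1440) }

# User search. PageSize enables paging so domains with more than 1000 users
# are not truncated by the server-side result limit.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SAMAccountName))"
$searcher.PageSize = 1000
$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userAccountControl', 'pwdLastSet'))

$ACCOUNTDISABLE     = 0x2      # ADS_UF_ACCOUNTDISABLE
$DONT_EXPIRE_PASSWD = 0x10000  # ADS_UF_DONT_EXPIRE_PASSWD

$now = Get-Date
foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    $uac   = [int]$props['useraccountcontrol'][0]
    $pls   = [int64]$props['pwdlastset'][0]

    # Password can expire only if neither the account flag nor the domain policy says otherwise.
    $pwdExpires = (-not ($uac -band $DONT_EXPIRE_PASSWD)) -and (-not $domainNeverExpires)

    # pwdLastSet of 0 means "user must change password at next logon".
    $lastSet = if ($pls -eq 0) { $null } else { [DateTime]::FromFileTime($pls) }

    $expired = $false
    if ($pwdExpires) {
        if ($null -eq $lastSet) {
            $expired = $true
        }
        elseif ($lastSet.AddDays($maxPwdAgeDays) -le $now) {
            $expired = $true
        }
    }

    # One object per user; the SamAccountName property ties each row to its account.
    [pscustomobject]@{
        SamAccountName    = [string]$props['samaccountname'][0]
        Enabled           = -not ($uac -band $ACCOUNTDISABLE)
        PasswordCanExpire = $pwdExpires
        PasswordLastSet   = $lastSet
        PasswordAgeDays   = if ($lastSet) { [math]::Round(($now - $lastSet).TotalDays, 1) } else { $null }
        PasswordExpired   = $expired
        MaxPwdAgeDays     = $maxPwdAgeDays
    }
}
```

Because the output is objects, `.\Get-PasswordAge.ps1 | Where-Object { $_.Enabled -and $_.PasswordExpired } | Export-Csv expired.csv` works without any string parsing. One caveat: this reads only the domain-level `maxPwdAge`; accounts covered by a Fine-Grained Password Policy (`msDS-PasswordSettings` objects) may have a different maximum age than the one reported here.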

October 21, 2013 at 9:47 am

I am new to PowerShell scripting like this. Could you give more details on how this script should look? Thanks