Password Info

This topic contains 2 replies, has 2 voices, and was last updated by Markus Jones 4 years ago.

  • #10951

    Markus Jones
    Participant

    How can I change this script to get all domain users' password info? Here is the script I used, but it only asks for a SamAccount for one user.

    <#
    .SYNOPSIS
    Determine last time user set their password
    .DESCRIPTION
    Shows password max age, if expired, and last date pw was changed.
    .NOTES
    Author: George Jones
    .LINK
    .PARAMETER SAMAccountName
    SAMAccountName for the user in question.
    .EXAMPLE
    .\pw-last-set.ps1 -SAMAccountName some.user
    #>

    param (
    [parameter(Mandatory=$true, HelpMessage="SAMAccountName for user")]$SAMAccountName
    )

    # bind to the default naming context of the current domain
    $root = [ADSI]""
    $searcher = new-object System.DirectoryServices.DirectorySearcher($root)
    # no space after '=' - the value is matched literally, so a leading space would break the lookup
    $searcher.filter = "(&(objectClass=user)(sAMAccountName=$SAMAccountName))"
    $user = $searcher.findall()

    $User = [ADSI]$user[0].path

    # get domain password policy (max pw age)
    $D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $Domain = [ADSI]"LDAP://$D"
    $MPA = $Domain.maxPwdAge.Value

    # get Int64 (100-nanosecond intervals).
    $lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)

    # get days
    $MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
    "Domain Max Password Age (days): " + '{0:n3}' -f $MaxPwdAge

    # check if password can expire or not
    $UAC = $User.userAccountControl
    $blnPwdExpires = -not (($UAC.Item(0) -band 64) -or ($UAC.Item(0) -band 65536))
    "Can Password Expire?: $blnPwdExpires"

    # when was pw last set?
    $PLS = $User.pwdLastSet.Value

    # convert to int64
    $lngValue = $User.ConvertLargeIntegerToInt64($PLS)

    # convert to ad date
    $Date = [DateTime]$lngValue
    if ($Date -eq 0) {
        $PwdLastSet = ""
    }
    else {
        # pwdLastSet counts 100-ns ticks from 1601-01-01; [DateTime] counts from 0001-01-01
        $PwdLastSet = $Date.AddYears(1600).ToLocalTime()
    }
    "Password Last Set (local time): $PwdLastSet"

    # is the password expired?
    $blnExpired = $False
    $Now = Get-Date
    if ($blnPwdExpires) {
        if ($Date -eq 0) {
            # pwdLastSet of 0 means the user must change the password at next logon
            $blnExpired = $True
        }
        else {
            if ($PwdLastSet.AddDays($MaxPwdAge) -le $Now) {
                $blnExpired = $True
            }
        }
    }

    "Password Expired? $blnExpired"

  • #10954

    Dave Wyatt
    Moderator

    You'd need to get rid of the Param block (or at least make the $SamAccountName parameter optional, defaulting to '*'), potentially modify $searcher.Filter (if you're not going to filter on samAccountName at all), and modify the rest of the code to loop over the collection returned by $searcher.FindAll(), instead of only outputting information for a single record at index 0.

    I would also recommend constructing objects (which can then be formatted by Format-Table or Format-List), instead of outputting a bunch of strings (such as "Password Expired? $blnExpired" ). You'd need to include a property in each object indicating which user account the information refers to.
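
    One way the script could look after those changes, shown here as an added example (it is not the original poster's script and not code from the reply above). It assumes it runs on a domain-joined machine as a domain user with ordinary read access to Active Directory; the file name Get-PasswordInfo.ps1 and the property names on the output objects are my own choices. It reads the large-integer attributes through a SearchResult, which already returns them as Int64, so the ConvertLargeIntegerToInt64 calls are not needed, and it handles the two edge cases a report like this tends to get wrong: pwdLastSet of 0 and a domain policy whose maxPwdAge is the "never expires" sentinel.

```powershell
<#
.SYNOPSIS
Report password age information for one or all domain user accounts.
.DESCRIPTION
Added example, not the original poster's script. SAMAccountName is optional
and defaults to '*', every result of FindAll() is processed, and each account
is emitted as an object carrying its own SamAccountName so the output can go
to Format-Table, Sort-Object or Export-Csv.
.PARAMETER SAMAccountName
sAMAccountName to report on. LDAP wildcards are allowed; '*' (the default)
returns every user account in the domain.
.EXAMPLE
.\Get-PasswordInfo.ps1 | Where-Object PasswordExpired | Format-Table -AutoSize
#>
param (
    [string]$SAMAccountName = '*'
)

# Domain password policy. maxPwdAge is a negative Int64 of 100-ns ticks;
# Int64.MinValue is the sentinel meaning "passwords never expire".
$root = [ADSI]''
$policySearch = New-Object System.DirectoryServices.DirectorySearcher($root, '(objectClass=*)', @('maxPwdAge'))
$policySearch.SearchScope = 'Base'
$maxPwdAgeTicks = [int64]$policySearch.FindOne().Properties['maxpwdage'][0]
$maxPwdAgeDays = if ($maxPwdAgeTicks -eq [int64]::MinValue) { $null } else { [TimeSpan]::FromTicks(-$maxPwdAgeTicks).TotalDays }

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
# objectCategory=person excludes computer accounts, which also carry objectClass=user.
$searcher.Filter   = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SAMAccountName))"
$searcher.PageSize = 1000    # page the query so domains with more than 1000 users return everything
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl', 'pwdLastSet'))

$now = Get-Date
# userAccountControl flag bits, the same two the posted script tests.
$DONT_EXPIRE_PASSWD = 0x10000
$PASSWD_CANT_CHANGE = 0x40

foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties          # property names are lower-case in this collection
    $uac   = [int]$props['useraccountcontrol'][0]
    $pls   = [int64]$props['pwdlastset'][0]

    $canExpire = -not (($uac -band $DONT_EXPIRE_PASSWD) -or ($uac -band $PASSWD_CANT_CHANGE))

    # pwdLastSet is a FILETIME; 0 means the password was never set / must change at next logon.
    $lastSet = if ($pls -eq 0) { $null } else { [DateTime]::FromFileTime($pls) }

    $expired = $false
    if ($canExpire) {
        if ($null -eq $lastSet) { $expired = $true }
        elseif ($null -ne $maxPwdAgeDays) { $expired = $lastSet.AddDays($maxPwdAgeDays) -le $now }
    }

    [PSCustomObject]@{
        SamAccountName     = [string]$props['samaccountname'][0]
        PasswordCanExpire  = $canExpire
        PasswordLastSet    = $lastSet
        MaxPasswordAgeDays = $maxPwdAgeDays
        PasswordExpired    = $expired
    }
}
```

    Two caveats when using this for a real audit: the domain-wide maxPwdAge does not account for fine-grained password policies applied through PSOs, so on domains that use them the per-user constructed attribute msDS-UserPasswordExpiryTimeComputed is the authoritative source for the expiry date; and if the SAMAccountName value ever comes from untrusted input, escape the LDAP filter metacharacters before interpolating it into the filter string.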

  • #10956

    Markus Jones
    Participant

    I am new to PowerShell scripting like this. Could you give more details on how this script should look? Thanks
