
January 1, 2012 at 12:00 am

by Christopher.Ellis at 2013-02-26 10:06:03

I want to query Active Directory for all users belonging to the Active Directory group Non_company_Employees (255 users out of 5423) with passwordexpired equal to true. I used get-aduser for all; would I use get-adgroupmember with the command get-aduser? The command below is what I have composed thus far

get-aduser -filter * -properties passwordexpired | where-object {$_.PasswordExpired -eq 'True'}

How do I further filter the command to query only Non_Company_Employees?

Thank you

by kittH at 2013-02-26 11:05:45

There might be a simpler way, but this should work:

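Import-Module ActiveDirectory
# Collects the group members whose password has expired
$ExpiredUsers = @()
$GroupMembers = Get-ADGroupMember 'GroupName'
Foreach ($Member in $GroupMembers)
{
    # Get-ADGroupMember output has no PasswordExpired property, so look the member up with Get-ADUser
    If ((Get-ADUser $Member -Properties PasswordExpired).PasswordExpired)
    {
        $ExpiredUsers += $Member
    }
}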

You will end up with the array $ExpiredUsers filled with all the user objects that were in the group and had expired passwords. You can do whatever you want with it from there, write to the screen or export to a txt file or CSV, or perform some additional logic.

by Christopher.Ellis at 2013-02-26 11:32:09

I modified the code accordingly in Windows PS ISE, I then ran the code and went to the variable drive. I only had one user; the outcome is wrong, I know there is more than one user within that condition.... I would rather not use ISE and run it as one continuous line in PowerShell. Any other suggestions, from anyone, would be appreciated. I would rather learn PowerShell via the command line and not ISE. Once again, thank you

by Christopher.Ellis at 2013-02-26 11:52:38

I tried the command below and pressed Enter; PowerShell processed for about 15 seconds and returned no error. I then ran it again with | ft Name, PasswordExpired; no values returned, no errors. What is PowerShell doing when no errors occur?

PS C:\> get-adgroupmember 'non_cbs_employees' | where-object {$_.PasswordExpired -eq 'True'}
PS C:\> get-adgroupmember 'non_cbs_employees' | where-object {$_.PasswordExpired -eq 'True'} | ft Name, PasswordExpired
PS C:\>

by kittH at 2013-02-26 11:53:07

That works fine for me, sorry if it didn't work for you. I like to break it out so it's easier to understand what's going on, but here it is as a one-liner:

Get-ADGroupMember 'GroupName' | Get-ADUser -Properties PasswordExpired | ? {$_.PasswordExpired}

Edit: You can see that you were missing the step where you ran "Get-ADUser" to get the object that had a "PasswordExpired" property.

The results of "Get-ADGroupMember" do not contain a property "PasswordExpired" so none of the objects would have that being true, so showing no results was the correct output.

by Christopher.Ellis at 2013-02-26 12:14:03

kittH — THANK YOU — this worked !!!
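An added example, not part of the original thread: the accepted one-liner wrapped in a reusable function that also expands nested groups and skips non-user members, which Get-ADUser cannot resolve. The function name Get-ExpiredGroupMember and the CSV file name are hypothetical; it assumes the ActiveDirectory module and a reachable domain.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper name; not a cmdlet from the ActiveDirectory module.
function Get-ExpiredGroupMember {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$GroupName
    )

    # -Recursive walks nested groups and returns only leaf members.
    $members = Get-ADGroupMember -Identity $GroupName -Recursive

    # A group can also hold computers or contacts; keep only user objects
    # so the Get-ADUser lookup below does not fail on them.
    $users = $members | Where-Object { $_.objectClass -eq 'user' }

    # Get-ADGroupMember output has no PasswordExpired property, so each
    # member is re-queried with Get-ADUser and the extra properties requested.
    $details = $users |
        Get-ADUser -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires

    # Keep expired accounts and emit only the columns useful for a review.
    $details |
        Where-Object { $_.PasswordExpired } |
        Select-Object Name, SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires
}

# Group name taken from the question; output path is a constructed example.
Get-ExpiredGroupMember -GroupName 'Non_company_Employees' |
    Sort-Object PasswordLastSet |
    Export-Csv -Path .\expired-passwords.csv -NoTypeInformation
```

Enabled accounts with an old PasswordLastSet are the rows to follow up on first; disabled ones can usually be reviewed separately.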