Search-ADUserWithExpiringPasswords

Gets Active Directory user accounts with passwords that are expiring in a given time period or by a specified time.

Active Directory
1/6/2010
  • Viewing the Data
    1 Posts | Last post April 02, 2013
    • After executing this script, how do I view the results?
      
      Here is an example of what I am seeing.
      
      PS C:\scripts> .\Search-ADUserWithExpiringPasswords.ps1 -TimeSpan "14" -properties emailaddress,title
      PS C:\scripts>
  • Adding a searchbase param
    1 Posts | Last post May 30, 2012
    • Upon further review, I changed the parameter to target the search on a particular OU to Searchbase so it matches the AD cmdlets.
      
      
      [CmdletBinding()]
      Param (
          [TimeSpan]$TimeSpan,
          [DateTime]$DateTime,
          [string[]]$Properties = $null,
          [Switch]$EnabledAccountsOnly,
          [string]$Searchbase = $null
      )

      #check for Active-Directory Module, load it if it's not present
      if ((Get-Module | Where-Object { $_.Name -eq "ActiveDirectory" }) -eq $null) {
          Import-Module ActiveDirectory
          #check that the import worked and throw exception if it didn't
          if ((Get-Module | Where-Object { $_.Name -eq "ActiveDirectory" }) -eq $null) { throw "ActiveDirectory Module is required." }
      }

      #unbound [TimeSpan]/[DateTime] parameters hold the type default (0 / 1-Jan-0001), not $null,
      #so test what was actually passed on the command line
      if (-not ($PSBoundParameters.ContainsKey('TimeSpan') -or $PSBoundParameters.ContainsKey('DateTime'))) { throw "Either TimeSpan or DateTime parameter must be specified" }
      if ($PSBoundParameters.ContainsKey('DateTime')) { $TimeSpan = $DateTime.Subtract([datetime]::Now) }

      #Get the password age limit for the domain (maxPwdAge is stored as a negative number of 100ns ticks)
      $maxAge = (New-Object System.TimeSpan((Get-ADObject (Get-ADRootDSE).defaultNamingContext -Properties maxPwdAge).maxPwdAge))

      #calculate the expiration timeframe (in Windows file time); adding the negative $maxAge moves the dates backwards
      $expireToday  = (([datetime]::Now).Date).Add($maxAge).ToFileTime()
      $expireFuture = (([datetime]::Now).Date).Add($maxAge.Add($TimeSpan)).ToFileTime()

      $filter = "(pwdLastSet -gt $expireToday) -and (pwdLastSet -lt $expireFuture)"
      if ($EnabledAccountsOnly) { $filter += " -and (-not (userAccountControl -band 0x2))" }

      $cmdparms = @{ Filter = $filter; ResultSetSize = $null }
      if (-not [string]::IsNullOrEmpty($Searchbase)) {
          $cmdparms.SearchBase = $Searchbase
      }

      #$null on the left so an array argument is not treated as a filter expression
      if ($null -ne $Properties) {
          $cmdparms.Properties = $Properties
      }

      Get-ADUser @cmdparms

      
  • Mods
    1 Posts | Last post April 04, 2012
    • Steve, great script. I added the Target Param to focus the activity on a particular OU. I also changed the code that builds the parameters for get-aduser. Some help mods are necessary but this is just the code for brevity. Take a look:
      
      [CmdletBinding()]
      Param (
          [TimeSpan]$TimeSpan,
          [DateTime]$DateTime,
          [string[]]$Properties = $null,
          [Switch]$EnabledAccountsOnly,
          [string]$Target = $null
      )

      #check for Active-Directory Module, load it if it's not present
      if ((Get-Module | Where-Object { $_.Name -eq "ActiveDirectory" }) -eq $null) {
          Import-Module ActiveDirectory
          #check that the import worked and throw exception if it didn't
          if ((Get-Module | Where-Object { $_.Name -eq "ActiveDirectory" }) -eq $null) { throw "ActiveDirectory Module is required." }
      }

      #unbound [TimeSpan]/[DateTime] parameters hold the type default (0 / 1-Jan-0001), not $null,
      #so test what was actually passed on the command line
      if (-not ($PSBoundParameters.ContainsKey('TimeSpan') -or $PSBoundParameters.ContainsKey('DateTime'))) { throw "Either TimeSpan or DateTime parameter must be specified" }
      if ($PSBoundParameters.ContainsKey('DateTime')) { $TimeSpan = $DateTime.Subtract([datetime]::Now) }

      #Get the password age limit for the domain (maxPwdAge is stored as a negative number of 100ns ticks)
      $maxAge = (New-Object System.TimeSpan((Get-ADObject (Get-ADRootDSE).defaultNamingContext -Properties maxPwdAge).maxPwdAge))

      #calculate the expiration timeframe (in Windows file time); adding the negative $maxAge moves the dates backwards
      $expireToday  = (([datetime]::Now).Date).Add($maxAge).ToFileTime()
      $expireFuture = (([datetime]::Now).Date).Add($maxAge.Add($TimeSpan)).ToFileTime()

      $filter = "(pwdLastSet -gt $expireToday) -and (pwdLastSet -lt $expireFuture)"
      if ($EnabledAccountsOnly) { $filter += " -and (-not (userAccountControl -band 0x2))" }

      $cmdparms = @{ Filter = $filter; ResultSetSize = $null }
      if (-not [string]::IsNullOrEmpty($Target)) {
          $cmdparms.SearchBase = $Target
      }

      #$null on the left so an array argument is not treated as a filter expression
      if ($null -ne $Properties) {
          $cmdparms.Properties = $Properties
      }

      Get-ADUser @cmdparms
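
Both modified scripts above share the same expiry-window arithmetic; the following is an added example, not code from the gallery script or from either poster, that reproduces it offline with a constructed maxPwdAge value so the filter can be checked without a domain. The function name Get-PasswordExpiryWindow and the sample dates are assumptions; the extra 0x10000 (DONT_EXPIRE_PASSWORD) exclusion goes beyond the posted filter.

```powershell
# Added example: the window computation the script performs, with no AD dependency.
# maxPwdAge is a NEGATIVE count of 100-ns ticks, which is why .Add($maxAge) moves a date backwards.
function Get-PasswordExpiryWindow {
    param(
        [Parameter(Mandatory = $true)][long]$MaxPwdAgeRaw,   # raw value of the domain's maxPwdAge attribute
        [Parameter(Mandatory = $true)][TimeSpan]$TimeSpan,   # how far ahead to look
        [DateTime]$Now = [DateTime]::Now
    )
    # A non-negative value means no maximum age is enforced, and [long]::MinValue would overflow
    # the DateTime arithmetic below, so neither can produce a meaningful window.
    if ($MaxPwdAgeRaw -ge 0 -or $MaxPwdAgeRaw -eq [long]::MinValue) {
        throw "Domain has no usable maximum password age; no password can expire."
    }
    $maxAge = [TimeSpan]::FromTicks($MaxPwdAgeRaw)      # e.g. -90.00:00:00
    $start  = $Now.Date.Add($maxAge)                    # pwdLastSet of a password expiring today
    $end    = $Now.Date.Add($maxAge.Add($TimeSpan))     # pwdLastSet of one expiring $TimeSpan from now

    # Same shape as the script's filter, plus exclusion of disabled (0x2) and
    # password-never-expires (0x10000) accounts, whose pwdLastSet would otherwise land in the window.
    $filter = "(pwdLastSet -gt $($start.ToFileTime())) -and (pwdLastSet -lt $($end.ToFileTime()))" +
              " -and (-not (userAccountControl -band 0x2))" +
              " -and (-not (userAccountControl -band 0x10000))"

    New-Object PSObject -Property @{
        WindowStart = $start
        WindowEnd   = $end
        Filter      = $filter
    }
}

# Constructed sample: a 90-day maximum age stored the way AD stores it, looking 14 days ahead
# from a fixed date so the result is reproducible.
$ninetyDaysRaw = -([TimeSpan]::FromDays(90)).Ticks
$w = Get-PasswordExpiryWindow -MaxPwdAgeRaw $ninetyDaysRaw `
                              -TimeSpan ([TimeSpan]::FromDays(14)) `
                              -Now ([DateTime]'2013-04-02')
$w.WindowStart   # 2013-01-02: passwords set before this date have already expired
$w.WindowEnd     # 2013-01-16: passwords set after this date expire more than 14 days out
$w.Filter        # pass this string to Get-ADUser -Filter (with -SearchBase to scope it to an OU)
```

Printing the two dates before running the real query is a quick sanity check: if WindowStart is in the far past or the future, the TimeSpan or DateTime argument was not what you intended.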