
Lucid Blog


PowerShell Script - Active Directory Password Expiration Report

  
  
  
  

It's not always easy to monitor changes to Active Directory and generate useful reports. PowerShell can be a great help. Unlike VBScript, PowerShell was designed specifically with network and system administrators in mind. Because of this focus, administrators can accomplish tasks in PowerShell with a fraction of the code it takes to perform the same tasks with VBScript. For example, remember the procedure for writing to a .csv file?

objfile.WriteLine variable1 & "," & variable2 & "," & variable3 & "," & variable4

Blah blah blah. All of those commas (",") just to get a properly formatted .csv file. Then we still have to go back and add the column headings. What a pain. Now let's do the same thing in PowerShell.


Export-Csv -Path

PowerShell includes a cmdlet specifically for handling .csv files. Combining this built-in cmdlet with the Get-QADUser cmdlet from Quest Software, we can create a simple Active Directory password expiration report. Here's the code:

The first line is the path to your .csv file. It can be a local or network location.

$strPath = "c:\scripts\myreport.csv"

Use the next 4 lines to get the current domain and filter on the User object.

$dom=[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$root = $dom.GetDirectoryEntry()
$search = [System.DirectoryServices.DirectorySearcher]$root
$search.Filter = "(objectClass=User)"

The next line uses the Get-QADUser cmdlet to get all users except those with the Password Never Expires flag set.

Get-QADUser -IncludeAllProperties | where {($_.PasswordNeverExpires -eq $False)} |

Use the next line to choose which AD attributes to include in the report. Each attribute will create a column heading with the same name.

Select-Object sn, givenName, SamAccountName, passwordexpires |

Finally, export the data.

Export-Csv -Path $strPath

That's it! A simple PowerShell script that produces an Active Directory password expiration report. Now compare this code to this and this. See my point? As with all technology, there are several ways to skin a cat. If you have some code that works better than what we've provided, please share it with us in the comments so we can all benefit from your knowledge!


Comments

Don't you need to add an underscore after the '$' in this line? 
 
Get-QADUser -IncludeAllProperties | where {($.PasswordNeverExpires -eq $False)} |
Posted @ Thursday, June 09, 2011 12:23 PM by Doug
Good catch Doug and thanks! That was a typo that we didn't catch before. We corrected the article. Be sure to visit often and don't hesitate to pass on any useful knowledge you have!
Posted @ Thursday, June 09, 2011 12:48 PM by derrick jones
Nice script. Can you elaborate on how 'passwordexpires' is computed? For example, in our environment we have domain password policies and Password Setting Objects (PSO). Depending on what type of account you are will determine if your account receives policy from the domain or through a PSO.
Posted @ Friday, February 10, 2012 7:54 AM by Ryan
1. Those 4 lines to get the current domain are completely redundant. Get-QADUser does all that for you. This is pasted from a script that uses .NET objects? It's very clear: you populate some variables and then never use them! This technique is useful when you don't have the Quest snap-in, and you could continue with "$search.findall() | foreach ..."

2. Why would you use '-IncludeAllProperties'? This puts a heavy processing load that is not needed since you only want 4 properties.

3. There is a '-passwordneverexpires' switch. That should work a lot faster than querying all instances and filtering the unwanted out by where-object.

4. Another typo: it's not givenanme but givenname.

So, to "Simplify your complex IT operations":

Get-QADUser -PasswordNeverExpires:$false | Select sn,givenname,samaccountname,passwordexpires | Export-csv C:\scripts\passwordexpiresreport.csv -NoTypeInformation
Posted @ Monday, February 13, 2012 2:42 AM by Klaas
Klaas,

Wow, this script has been downloaded over 2000 times from this website and you are the first to point these things out. So, thanks a bunch for sharing! As far as some of the things you point out, I included a bunch of stuff not necessary for this script itself just in case someone wants to use it for other purposes with other AD objects. I am merely illustrating how something can be done, not necessarily that this is the only way or even the best way. How many ways are there to skin a cat, right?

Oh, and thanks for the line at the end about helping me "simplify my complex IT operations". Very clever. Please come again and share your knowledge with us.
Posted @ Monday, February 13, 2012 10:51 AM by
Ryan, 
 
Thanks for stopping by bud. I hope you find many uses for the script. The guys over at WebActiveDirectory have a nice post on how expirations are calculated. Take a look here: http://blog.webactivedirectory.com/2011/04/21/how-active-directory-calculates-account-password-expiration-dates/
Posted @ Monday, February 13, 2012 10:59 AM by derrick jones
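
An added example, not part of the original post or the comments above, for the question of how the expiration date is arrived at when both a domain policy and PSOs are in use. It swaps the Quest cmdlet for Microsoft's ActiveDirectory module (assumed to be installed) and reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller calculates per account; the Status and DaysLeft columns and their labels are assumptions made for illustration.

```powershell
# Added example: uses Microsoft's ActiveDirectory module (RSAT), not the Quest snap-in.
Import-Module ActiveDirectory

$strPath      = "c:\scripts\myreport.csv"   # same output path as the article
$neverExpires = [Int64]::MaxValue           # 0x7FFFFFFFFFFFFFFF
$now          = Get-Date

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the domain
# controller derives it from pwdLastSet and the maximum password age of the
# policy that applies to the account (a PSO if one applies, else the domain policy).
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
           -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw      = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expires  = $null
        $daysLeft = $null

        # Status labels below are hypothetical names chosen for this example.
        if ($null -eq $raw) {
            $status = 'AttributeNotReturned'
        }
        elseif ($raw -eq 0) {
            # pwdLastSet is empty or 0: never set, or must change at next logon
            $status = 'PwdLastSetZero'
        }
        elseif ($raw -eq $neverExpires) {
            # e.g. smart-card-required accounts or a policy with no maximum age;
            # [datetime]::FromFileTime() would throw on this value
            $status = 'NoExpiry'
        }
        else {
            $expires  = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expires - $now).TotalDays)
            $status   = if ($daysLeft -lt 0) { 'Expired' } else { 'Valid' }
        }

        [pscustomobject]@{
            sn              = $_.Surname
            givenName       = $_.GivenName
            SamAccountName  = $_.SamAccountName
            PasswordExpires = $expires
            DaysLeft        = $daysLeft
            Status          = $status
        }
    } |
    Sort-Object DaysLeft |
    Export-Csv -Path $strPath -NoTypeInformation
```

Rows with an empty PasswordExpires are the ones worth a second look: they are enabled accounts without the Password Never Expires flag that still have no computed expiry date.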