Apr 21 2021 10:32 AM
I am looking to see if someone can help or modify what is below to return the active users in AD that have not changed their passwords in the last x months.
I found this in a Microsoft document and it works well; however, it brings in all users.
$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
Any help is appreciated.
Apr 21 2021 10:56 PM
Solution
Hi
This is a quick one.
$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '((PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)) -and ((UserAccountControl -eq 512) -or (UserAccountControl -eq 66048)) ' -Properties PasswordLastSet,LastLogonTimestamp,UserAccountControl | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
The key is an AD attribute named UserAccountControl. If the value of this attribute is 512, this means that the user is active.
If the value is 66048, this means that the user is active with password never expires.
Try it.
If this answer helps, please click on Best Response.
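UserAccountControl is a bit field, and 512 and 66048 are two of the enabled combinations; as an added example (not part of the original posts), the function below tests the ACCOUNTDISABLE bit instead, so enabled accounts carrying other flags are reported too. The function name Select-StalePasswordUser and the sample accounts are constructed for illustration, and the check covers password age only.

```powershell
# Added example. Select-StalePasswordUser and the sample accounts are hypothetical.
function Select-StalePasswordUser {
    param(
        [Parameter(ValueFromPipeline)] $User,
        [int] $Days = 180
    )
    begin {
        $cutoff         = [DateTime]::Today.AddDays(-$Days)
        $ACCOUNTDISABLE = 0x0002   # userAccountControl flag: account is disabled
    }
    process {
        # Enabled means the ACCOUNTDISABLE bit is clear, whatever other flags are set.
        $enabled = -not ($User.UserAccountControl -band $ACCOUNTDISABLE)
        # An empty PasswordLastSet (never set, or change required at next logon)
        # is reported as stale as well.
        $stale = ($null -eq $User.PasswordLastSet) -or ($User.PasswordLastSet -lt $cutoff)
        if ($enabled -and $stale) { $User }
    }
}

# Constructed sample accounts so the logic can be checked without a domain.
$old = [DateTime]::Today.AddDays(-400)
$new = [DateTime]::Today.AddDays(-10)
$sample = @(
    [pscustomobject]@{ Name = 'alice'; UserAccountControl = 512;   PasswordLastSet = $old }  # NORMAL_ACCOUNT
    [pscustomobject]@{ Name = 'bob';   UserAccountControl = 66048; PasswordLastSet = $old }  # + DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ Name = 'carol'; UserAccountControl = 544;   PasswordLastSet = $old }  # + PASSWD_NOTREQD
    [pscustomobject]@{ Name = 'dave';  UserAccountControl = 514;   PasswordLastSet = $old }  # + ACCOUNTDISABLE
    [pscustomobject]@{ Name = 'erin';  UserAccountControl = 512;   PasswordLastSet = $new }  # recent change
    [pscustomobject]@{ Name = 'frank'; UserAccountControl = 512;   PasswordLastSet = $null } # never set
)

# Returns alice, bob, carol and frank; dave is disabled and erin changed recently.
$sample | Select-StalePasswordUser -Days 180 |
    Format-Table Name, UserAccountControl, PasswordLastSet

# Against a live directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet,UserAccountControl |
#     Select-StalePasswordUser -Days 180
```

carol (544) is the case an exact match on 512 or 66048 would leave out of the report.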
Apr 22 2021 08:24 AM