Functions/Get-ADPasswordExpireList.ps1
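<#
.SYNOPSIS
    List Users from Active Directory with expired or too old passwords
.DESCRIPTION
    Shows all users from Active Directory where the password age passes a threshold.
    The threshold is the domain-wide maxPwdAge read from the default naming context.
    Password age is counted in whole days since pwdLastSet.
.PARAMETER SearchBase
    OU Path to search for user accounts in ADDS.
    When omitted, the default naming context of the current domain is searched.
.PARAMETER PreExpireDays
    Number of days before password expiration to include in result
.PARAMETER ExcludeExpired
    Exclude already expired accounts
.EXAMPLE
    Get-ADPasswordExpireList -SearchBase "OU=myCompany,DC=corp,DC=contoso,DC=com"

    Description
    -----------
    Lists all users below the OU "OU=myCompany,DC=corp,DC=contoso,DC=com" where the password has already expired
.EXAMPLE
    Get-ADPasswordExpireList -PreExpireDays 7 -ExcludeExpired

    Description
    -----------
    Lists all users in ADDS where the password will expire in the next 7 days
.NOTES
    Only the password age is compared against the domain-wide maxPwdAge.
    - Fine-grained password policies are not evaluated, so an account covered by one
      can be reported too early or too late. The constructed attribute
      msDS-UserPasswordExpiryTimeComputed carries the effective per-user expiry.
    - Accounts flagged "password never expires" and disabled accounts are still
      listed, because the query uses -Filter * and no flag is checked.
    - A pwdLastSet of 0 converts to the year-1601 epoch, so such accounts always
      land in the expired group.
#>
function Get-ADPasswordExpireList
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory = $false, Position = 0)]
        [String]$SearchBase,

        [Parameter(Mandatory = $false, Position = 1)]
        [Int]$PreExpireDays = 0,

        [Parameter(Mandatory = $false, Position = 2)]
        [Switch][Bool]$ExcludeExpired
    )

    Begin
    {
        # Stop right here when the module is missing; otherwise every later
        # cmdlet call fails with a less helpful "command not found" error.
        Import-Module -Name ActiveDirectory -ErrorAction Stop

        $RootDSE = Get-ADRootDSE -Server (Get-ADDomain).DNSRoot
        $DomainDN = $RootDSE.defaultNamingContext.ToString()

        if ([string]::IsNullOrWhiteSpace($SearchBase))
        {
            $SearchBase = $DomainDN
        }

        # maxPwdAge is a negative interval in 100-nanosecond ticks;
        # -864000000000 ticks per day turns it into a positive number of days.
        $DomainPolicy = Get-ADObject -Identity $DomainDN -Properties maxPwdAge
        $MaxPwdAgeDays = $DomainPolicy.maxPwdAge / -864000000000

        if ($MaxPwdAgeDays -le 0)
        {
            # A zero or unreadable maxPwdAge would make every account with a
            # password older than a day look expired. Report nothing instead of
            # handing out a list that is wrong for the whole directory.
            Write-Warning -Message "maxPwdAge on '$DomainDN' is zero or could not be read; no password expiry can be derived."
            $Users = @()
        }
        else
        {
            $Users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties pwdLastSet, title, department, mail, mobile
        }

        $CurrentDate = Get-Date
    }

    Process
    {
        foreach ($User in $Users)
        {
            $PwdLastSetDate = [datetime]::FromFileTime($User.pwdLastSet)

            # .Days truncates, so an age of exactly N whole days means the
            # password is between N and N+1 days old.
            $PwdAge = ($CurrentDate - $PwdLastSetDate).Days

            if ($PwdAge -ge $MaxPwdAgeDays)
            {
                # Expired. -ge (not -gt) so the day the limit is reached is
                # not silently dropped from both groups.
                if (-not $ExcludeExpired)
                {
                    Write-Output -InputObject $User
                }
            }
            elseif ($PwdAge -ge ($MaxPwdAgeDays - $PreExpireDays))
            {
                # Not yet expired, but inside the pre-expiry window. With
                # PreExpireDays = 0 this branch can never match.
                Write-Output -InputObject $User
            }
        }
    }
}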