Discovering users that must change their password

Posted: February 7, 2012

Sometimes you may need to discover which users have the "User must change password at next logon" setting enabled.

$ou = "OU=England,DC=Manticore,DC=org"

"`nMicrosoft"
Get-ADUser -Filter {pwdLastSet -eq 0} |
Format-Table Name, DistinguishedName


"`nAD provider"
Get-ChildItem -Filter "(&(objectclass=user)(objectcategory=user)(pwdLastSet=0))" `
 -Path Ad:\"DC=Manticore,DC=org" -Recurse |
Format-Table Name, DistinguishedName


"`nQuest"
Get-QADUser -LdapFilter "(pwdLastSet=0)" |
Format-Table Name, DN

"`nScript"
$root = [ADSI]""                 # bind to the current domain
$search = [adsisearcher]$root
$search.Filter = "(&(objectclass=user)(objectcategory=user)(pwdLastSet=0))"
$search.SizeLimit = 3000         # the server still caps an unpaged search at its own limit (1000 by default); set PageSize to page through more
$results = $search.FindAll()

foreach ($result in $results){
    $result.Properties |
    select @{N="Name"; E={$_.name}}, @{N="DistinguishedName"; E={$_.distinguishedname}}
}

We are looking for users where the pwdLastSet attribute is set to 0.

With the Microsoft cmdlets we can use either a Filter written in PowerShell syntax or an LDAP filter. The Quest cmdlets only have an LDAP filter. I have shown one example of each. The LDAP filter could also be used with the Microsoft cmdlet, through its -LDAPFilter parameter.
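The LDAP filter applied to the Microsoft cmdlet, as an added example that is not part of the original post. It scopes the search to the OU held in `$ou` above and, by default, leaves out disabled accounts, so the report lists only accounts that can still log on with their initial password. The function name `Get-MustChangePasswordUser` and its parameters are hypothetical; the cmdlet, its parameters and the matching-rule OID are standard Active Directory.

```powershell
# Added example (hypothetical helper, not from the original post).
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-MustChangePasswordUser {
    [CmdletBinding()]
    param(
        # Search root; defaults to the OU the post stores in $ou
        [string]$SearchBase = "OU=England,DC=Manticore,DC=org",
        # Also report accounts that are currently disabled
        [switch]$IncludeDisabled
    )

    # pwdLastSet=0 is the "must change password at next logon" state
    $clauses = @(
        "(objectCategory=person)",
        "(objectClass=user)",
        "(pwdLastSet=0)"
    )
    if (-not $IncludeDisabled) {
        # Bitwise AND matching rule: drop accounts with ACCOUNTDISABLE (0x2) set
        $clauses += "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
    }
    $ldapFilter = "(&" + ($clauses -join "") + ")"

    $params = @{
        LDAPFilter  = $ldapFilter
        SearchBase  = $SearchBase
        SearchScope = "Subtree"
        Properties  = "whenCreated", "LastLogonDate", "PasswordNeverExpires"
    }
    Get-ADUser @params |
        Select-Object Name, Enabled, whenCreated, LastLogonDate,
            PasswordNeverExpires, DistinguishedName
}

# Oldest accounts first: these have been waiting longest for a first password change
Get-MustChangePasswordUser | Sort-Object whenCreated | Format-Table -AutoSize
```

An empty LastLogonDate next to an old whenCreated value marks an account that was provisioned but has never been used.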

More on filters and LDAP filters here:

http://msmvps.com/blogs/richardsiddaway/archive/2012/01/05/ad-cmdlets-and-filters.aspx