{"id":54873,"date":"2008-11-18T11:23:00","date_gmt":"2008-11-18T11:23:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2008\/11\/18\/hey-scripting-guy-how-can-i-find-expiring-passwords\/"},"modified":"2008-11-18T11:23:00","modified_gmt":"2008-11-18T11:23:00","slug":"hey-scripting-guy-how-can-i-find-expiring-passwords","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-find-expiring-passwords\/","title":{"rendered":"Hey, Scripting Guy! How Can I Find Expiring Passwords?"},"content":{"rendered":"

\"Hey, <\/h2>\n

Hey, Scripting Guy! The pointy headed boss (PHB) is at it again. He has decided he does not like it when users do not change their password when prompted. As a result, he wants me to produce a report once a week of all the users who will have to change their password next week. Please tell me it can\u2019t be done so I can get him off my back. I looked in Active Directory Domain Services Users and Computers, but I do not see this listed anywhere.<\/p>\n

– AM<\/p>\n

\"Spacer\"\"Hey, <\/p>\n

Hi AM,<\/p>\n

Sometimes it is just better to go with the flow. The astute network administrator can always make things seem to work out for the best when confronted with a PHB. I dare not ask if he wants you to personally call each user and help them in picking out good passwords, and stand by just in case they get it wrong or lock themselves out. Because everyone knows that network administrators really do not do all that much anyway (according to PHB-think), maybe you should suggest this to your boss. Maybe the entire IT department can take each Tuesday\u2014instead of doing useless things like testing patches\u2014to help the users with their passwords. Or maybe not! Sorry, having been there, done that, and worn the scars, I am still a bit sensitive. Why do you think I run for an hour each day? Here is a better suggestion, which I have made before and will make again. Tell the PHB it will take you two days to retrieve the results. Run this script, and then go scuba diving. This view should give you some incentive:<\/p>\n

\"Image <\/p>\n

 <\/p>\n

Here is the ExpiringUserPasswords.ps1<\/b> script. If you want to leave now and get some dives in before dinner, we’ll understand:<\/p>\n

$MaxPasswordAge = 30\n$userCount = 0\n$adsiSearcher = new-object DirectoryServices.DirectorySearcher(\"LDAP:\/\/rootdse\")\n$adsiSearcher.filter = \"objectCategory=user\"\n$adsiSearcher.findall() | \nForeach-Object -ErrorAction \"silentlycontinue\" `\n-Begin { \"The following users need to set their  password\" } `\n-Process `\n{ \n $pwdChanged = ([adsi]$_.path).psbase.InvokeGet(\"PasswordLastChanged\")\n If( ((get-date) - $pwdChanged).days -ge $MaxPasswordAge)\n   { \n    ([adsi]$_.path).name \n    $userCount ++\n   } #end if date\n} `\n-end { \"A total of $userCount users\" }\n<\/pre>\n
The first thing we do in the ExpiringUserPasswords.ps1<\/b> script is create a couple of variables. The first variable is $MaxPasswordAge<\/b> which we set to 30. You would set this value to whatever your password age policy is for the domain minus the amount of notification you wish to give the users. The next variable is a counter variable we will use to tell us how many users have passwords coming up for renewal. Remember in Windows PowerShell that all variables begin with the dollar sign. This is seen here. <\/p>\n
$MaxPasswordAge = 30\n$userCount = 0\n<\/pre>\n
Now we need to create the DirectoryServices.DirectorySearcher<\/b> object. You will see the DirectorySearcher<\/b> class come up again this week. This .NET Framework class specializes in searching Active Directory Domain Services (AD DS). To create the class, we use the New-Object<\/b> cmdlet to give it the name of the class, and tell it where we wish to connect. We wish to use the LDAP protocol, and connect to rootdse<\/b>. This allows you to run the script without having to worry about the domain name. We store the returned DirectorySearcher<\/b> object in the variable called $adsiSearcher<\/b>. This is shown here:<\/p>\n
$adsiSearcher = new-object DirectoryServices.DirectorySearcher(\"LDAP:\/\/rootdse\")<\/pre>\n
We create our filter. This filter is very similar to the ones you would have used in VBScript. As a good exercise, you may want to refer to some of the search AD DS<\/a> scripts from the Script Repository and adapt some of those search filters to this script. Our filter is nothing fancy; we simply choose the objectCategory<\/b> attribute from AD DS if the value of the attribute is equal to user<\/b>. Do not allow any spaces to slip in, or you will regret it. Big time. Trust me. The code is here:<\/p>\n
$adsiSearcher.filter = \"objectCategory=user\"<\/pre>\n
We then use the findall<\/b> method from the DirectorySearcher<\/b> object. We could have used other methods, such as findone<\/b>, but that is not as exciting as finding all the users. We pipeline the results of the method call as shown here: <\/p>\n
$adsiSearcher.findall() |<\/pre>\n
Now we cheat a little. Remember that magic phrase from VBScript days? You know what I am talking about: On Error Resume Next<\/b>. There was a reason for it hanging around the top of some scripts (such as they would not run otherwise.) Well, we are not cheating that much. The problem is that when you run this script without the -ErrorAction<\/b> “silentlycontinue” you are confronted by a bunch of red error messages. They are not related to the script itself, but are related to using the InvokeGet<\/b> method, which we will get to later. When you try to call the method on an empty attribute, it generates an error.<\/p>\n
Anyway, I spent way too much time looking at fish pictures from my dive vacation to the Little Cayman islands, and I did not have time to figure out how to trap the error. I justified it by realizing I need to tell my loyal readers they can specify the -ErrorAction<\/b> parameter on every single cmdlet. That is right, it is what is called a common parameter. It is commonly found on all the cmdlets. There are actually four levels you can specify for the ErrorAction<\/b>: continue<\/b>, silentlyContinue<\/b>, inquire<\/b>, and stop<\/b>. Continue<\/b> is the default action, which means the script will try to continue running, but it will let you know about the errors. SilentlyContinue<\/b> is the same as On Error Resume Next<\/b>. It is the “forgetaboutit” level. Or as my Australian buddies say (hi Brett, Jit, Chris, and Pete), “no worries mate”: <\/p>\n
Foreach-Object -ErrorAction \"silentlycontinue\" `<\/pre>\n
We next specify the -Begin<\/b> parameter of the Foreach-Object<\/b> cmdlet. This section of code is only run one time. Here we use this occasion to print out our header message. Note the backtick, which is for line continuation. <\/p>\n
-Begin { \"The following users need to set their  password\" } `<\/pre>\n
The main part of the code occurs within the -Process<\/b> section of the Foreach-Object<\/b> cmdlet. The code here will run once for each item that comes across the pipeline. The object we get back from the DirectorySearcher<\/b> is a SearchResult<\/b> object which has a path property. We can use the path property to obtain a DirectoryEntry<\/b> class. What does this really mean? It means that the results from the search are pretty well useless for us except that we can get the path, and use it to connect to the actual object in AD DS. This is what we are doing with this code: [adsi]$_.path<\/b>. The $_<\/b> is an automatic variable that refers to the current object on the pipeline. Because it is an object, it has methods and properties. It is a SearchResult<\/b> object. It has a path property. We use the path property and feed it to the [adsi]<\/b> type accelerator. This will allow us to get a DirectoryEntry<\/b> class. We use the .psbase<\/b> to gain access to the base object, which has the InvokeGet<\/b> method. The InvokeGet<\/b> method is used to retrieve the PasswordLastChanged<\/b> property from AD DS. We store this value in the $pwdChanged<\/b> variable. This is seen here:<\/p>\n
-Process `\n{ \n $pwdChanged = ([adsi]$_.path).psbase.InvokeGet(\"PasswordLastChanged\")\n<\/pre>\n
Now we use the Get-Date<\/b> cmdlet to retrieve the current date and time. This actually returns a system.datetime<\/b> class. We subtract the $pwdChanged datetime<\/b> object from the current datetime<\/b>, and select only the days<\/b> property. If the number of days is greater than or equal to the value we set in the $maxPasswordAge<\/b> variable, we print out the name of the object and increment the value in the $userCount<\/b> variable by one. We do this by the convenient (if obscure) syntax of $userCount ++<\/b>, which means take the value stored in the $userCount<\/b> variable and increment it by one. This is seen here:<\/p>\n
If( ((get-date) - $pwdChanged).days -ge $MaxPasswordAge)\n   { \n    ([adsi]$_.path).name \n    $userCount ++\n   } #end if date\n} `\n<\/pre>\n
The total number of users that need to change their password is stored in the $userCount<\/b> variable. We print this out after everything else is done. The -end<\/b> parameter of the Foreach-Object<\/b> cmdlet allows us to run post processing if we wish. This is seen here:<\/p>\n
-end { \"A total of $userCount users\" }<\/pre>\n
Well, AM, that is about it. See you tomorrow.<\/p>\n
Ed Wilson and Craig Liebendorfer, Scripting Guys<\/b><\/b><\/span><\/font><\/p>\n
<\/b><\/font><\/p>\n","protected":false},"excerpt":{"rendered":"
Hey, Scripting Guy! The pointy headed boss (PHB) is at it again. He has decided he does not like it when users do not change their password when prompted. As a result, he wants me to produce a report once a week of all the users who will have to change their password next week. […]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,8,20,45],"class_list":["post-54873","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-searching-active-directory","tag-user-accounts","tag-windows-powershell"],"acf":[],"blog_post_summary":"
Hey, Scripting Guy! The pointy headed boss (PHB) is at it again. He has decided he does not like it when users do not change their password when prompted. As a result, he wants me to produce a report once a week of all the users who will have to change their password next week. […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=54873"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/54873\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=54873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=54873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=54873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}