Hugo Van Doorselaere

Reputation: 41

How to find AD users where no password is set?

How can I find AD-users where the password has not been set?

Some background information:

We have a script (written in C#) that creates AD users and sets a default password. The user is prompted to change this password at the first attempt to login.

The script runs fine but recently we discovered that the password was not set in a few cases. And it keeps happening now and then. We are investigating this issue at the moment.

Now I want to find the users where the default password hasn't been set by the script in order to set the default password manually where required.

When I look at the AD attributes of a user I can't see an obvious way to find these users without (default) password set.

The pwdLastSet is 0x0 when the user is created from the script and the password has been set with success (tested). So how to know when the password hasn't been set?

Upvotes: 4

Views: 6009

Answers (3)

Theo

Reputation: 61068

It IS possible to have users in AD that have a blank password, despite activated password policy. This is due to the PASSWD_NOTREQD flag in the userAccountControl property of a user. The value for this PASSWD_NOTREQD flag is 32.

To check for enabled users that have this flag (and therefore don't need a password) you can do

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: match when every bit in the value is set
$noPwdRequired = Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=544))"
foreach ($user in $noPwdRequired) {
    Write-Host $user.sAMAccountName  # or displayName or whatever you want to identify the user
}

Normally, a user object has the default value of 512 (NORMAL_ACCOUNT). With the PASSWD_NOTREQD flag they will have a value of 544.

Use value 546 to find disabled accounts that also have this flag set.

You can update this for any of those found users doing something like

$noPwdRequired = Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=544))"
foreach ($user in $noPwdRequired) {
    # clears the PASSWD_NOTREQD bit so the password policy applies again
    Set-ADAccountControl $user -PasswordNotRequired $false
}

Upvotes: 0
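An added audit script to go with the answer above (it is not Theo's code): instead of matching the exact values 544 and 546, it filters on the PASSWD_NOTREQD bit alone, so the flag is found whatever the other bits are (disabled accounts, password-never-expires and so on), and it decodes the bits that matter for this check into names. It assumes the ActiveDirectory module and read access to the domain; the flag table only covers the four bits relevant here.

```powershell
# Added example, not part of the original answer. Read-only audit of accounts
# that carry the PASSWD_NOTREQD bit in userAccountControl.
Import-Module ActiveDirectory

# Well-known userAccountControl bit values (only the ones relevant to this check)
$UacFlags = @{
    ACCOUNTDISABLE     = 0x0002
    PASSWD_NOTREQD     = 0x0020
    NORMAL_ACCOUNT     = 0x0200
    DONT_EXPIRE_PASSWD = 0x10000
}

function Get-UacFlagNames {
    param([int]$Uac)
    # Names of every known bit that is set in the supplied value
    $UacFlags.GetEnumerator() |
        Where-Object { ($Uac -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } |
        Sort-Object
}

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) matches when ALL bits of the
# value are set. Matching on 32 alone catches 544, 546, 66080 ... in one query.
$filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))"

$report = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, PasswordLastSet, whenCreated |
    ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet   # $null when pwdLastSet is 0
            WhenCreated     = $_.whenCreated
            UacFlags        = (Get-UacFlagNames -Uac $_.userAccountControl) -join ','
        }
    }

$report | Sort-Object WhenCreated | Format-Table -AutoSize

# Clearing the bit is a separate, deliberate step:
#   Set-ADAccountControl -Identity <sAMAccountName> -PasswordNotRequired $false
```

Sorting by whenCreated puts the accounts created by the provisioning script next to each other, which makes it easy to see whether the flag correlates with the runs where the password was not set.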

Drew

Reputation: 4020

What you are after is Get-ADReplicationAttributeMetadata.

Give this one a go, you should be able to set it to what you need. It is fairly fast so you can add results to a hashtable and pump that out when done. I have this pumped into a nice little function with $Username and $ServerName as params.

The main attributes you are after are pwdLastSet, ntPwdHistory and lastLogonTimestamp.

# Replication metadata for one user: one row per attribute that has ever been written
Get-ADUser $Username |
    Get-ADReplicationAttributeMetadata -Server $ServerName |
    Where-Object Version -GT 1 |
    Select-Object AttributeName, LastOriginatingChangeTime, Version |
    Out-GridView

The version will tell you how many times it has been changed while the LastOriginatingChangeTime will tell you when. If you do a Select * and remove the Where-Object Version -GT 1 you can see the other data it pulls.

EDIT: Looks like Get-ADReplicationAttributeMetadata is not available on version 2.

PSVersion Get-ADReplicationAttributeMetadata
--------- ----------------------------------
        2                              False
        3                               True
        4                               True
        5                               True

Upvotes: 4

TobyU

Reputation: 3908

The PasswordLastSet attribute could do it. It saves the date when the password was set the last time.

Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } 

Upvotes: 1
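An added example that combines the two answers above (it is neither Drew's nor TobyU's code). PasswordLastSet is $null whenever pwdLastSet is 0, and 0 is also what "must change password at next logon" produces, so on its own that check returns every user the script created correctly as well as the ones it missed. The script therefore takes the pwdLastSet = 0 accounts as candidates and pulls the replication metadata for the password-related attributes Drew names (pwdLastSet, ntPwdHistory, lastLogonTimestamp), plus unicodePwd, so the write history of each candidate can be compared with a user the script is known to have handled. Assumptions: the ActiveDirectory module on PowerShell 3 or later, a DC name in $ServerName (placeholder), and that the version threshold you end up using is calibrated against a known-good account in your own domain.

```powershell
# Added example, not part of either answer. Lists pwdLastSet = 0 accounts with the
# replication metadata of their password-related attributes.
Import-Module ActiveDirectory

$ServerName = 'dc01.example.local'   # placeholder: one of your domain controllers
$Attributes = 'pwdLastSet', 'unicodePwd', 'ntPwdHistory', 'lastLogonTimestamp'

function Get-PasswordAttributeHistory {
    param(
        [Parameter(Mandatory)][Microsoft.ActiveDirectory.Management.ADUser]$User,
        [Parameter(Mandatory)][string]$Server
    )
    # One row per user: how many times each attribute was written and when it last changed
    $meta = Get-ADReplicationAttributeMetadata -Object $User -Server $Server -Properties $Attributes
    $row = [ordered]@{ SamAccountName = $User.SamAccountName; WhenCreated = $User.whenCreated }
    foreach ($attr in $Attributes) {
        $m = $meta | Where-Object AttributeName -eq $attr
        # An attribute that was never written has no metadata entry at all
        $row["${attr}.Version"]    = if ($m) { $m.Version } else { 0 }
        $row["${attr}.LastChange"] = if ($m) { $m.LastOriginatingChangeTime } else { $null }
    }
    [pscustomobject]$row
}

# Candidates: pwdLastSet = 0 (PasswordLastSet -eq $null in the AD module's view).
# Correctly provisioned users with "change password at next logon" land here too.
$candidates = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))" `
    -Properties whenCreated -Server $ServerName

$history = foreach ($u in $candidates) {
    Get-PasswordAttributeHistory -User $u -Server $ServerName
}

# Compare with an account the script is known to have handled: a missed account's
# unicodePwd write count will lag behind it. Which count counts as "missed" is an
# assumption to calibrate in your domain, not a fixed rule.
$history |
    Sort-Object 'unicodePwd.Version', WhenCreated |
    Format-Table SamAccountName, WhenCreated, 'unicodePwd.Version', 'pwdLastSet.Version', 'pwdLastSet.LastChange' -AutoSize
```

Because metadata is per domain controller, run it against the DC the provisioning script writes to (or wait for replication) so the originating change times line up with the script's log.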
