Reputation: 347
I am currently working on a PowerShell GUI script to help my team find accounts with expired passwords, disabled accounts, etc. more easily, and to output these to a CSV. It revolves almost entirely around the "Get-ADUser" command. So far almost everything has worked, bar finding accounts with expired passwords.
I've researched this a lot already, but there seems to be no easy way of finding expired accounts using Get-ADUser. I know I can use Search-ADAccount instead, but it would be very awkward to do so (as I would need to rewrite a lot of code).
Get-Aduser -Properties * -Filter {PasswordExpired -eq $true}
just draws a blank.
I've found a partial solution over at https://serverfault.com/questions/805526/get-aduser-password-expired-filter-not-working-correctly/805611
For example,
Get-ADUser -Properties * -Filter * | ? {$_.PasswordExpired -eq $True -and $_.Enabled -eq $true} | Select-Object name, enabled | Export-Csv "C:\report.csv" -NoTypeInformation
works just fine, but if I try to assign the 'middle' of the command, i.e.
{$_.PasswordExpired -eq $True -and $_.Enabled -eq $true}
to a variable and then substitute it into the command, I either get an error, a list of all those in my AD, or nobody at all. The rationale for substituting in a variable is to allow for the possible account statuses (that the user can choose from by selecting a radio button).
I've tried the various permutations of double and single quotes, including and not including curly brackets, etc., but PowerShell will not give me a break!
Thanks!
Upvotes: 1
Views: 9301
Reputation: 61068
The Get-ADUser cmdlet exposes the PasswordExpired extended property, which is a boolean indicating if the password is expired. It is based on the msDS-User-Account-Control-Computed attribute. However, you cannot filter with this property.
This would mean you can check the UF_PASSWORD_EXPIRED bit on that property:
Get-ADUser -Filter "Enabled -eq 'True'" -Properties 'msDS-User-Account-Control-Computed' |
Where-Object {($_.'msDS-User-Account-Control-Computed' -band 0x800000) -eq 0x800000} | # UF_PASSWORD_EXPIRED --> 0x800000 = 8388608
Select-Object Name, Enabled | Export-Csv "C:\report.csv" -NoTypeInformation
You can speed up the above by extending the filter to rule out users with PasswordNeverExpires and PasswordNotRequired both $false:
$filter = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False' -and PasswordNotRequired -eq 'False'"
Get-ADUser -Filter $filter -Properties PasswordNeverExpires, PasswordNotRequired, 'msDS-User-Account-Control-Computed' |
Where-Object {($_.'msDS-User-Account-Control-Computed' -band 0x800000) -eq 0x800000} | # UF_PASSWORD_EXPIRED --> 0x800000 = 8388608
Select-Object Name, Enabled | Export-Csv "C:\report.csv" -NoTypeInformation
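The following is an added example, not code from the question or the answer above. It ties the two points together: the server-side -Filter string plus the client-side UF_PASSWORD_EXPIRED bit test from the answer, and the "store the middle of the pipeline in a variable" requirement from the question. The trick for the latter is that Where-Object -FilterScript takes a scriptblock, so the check must be kept as a scriptblock (curly braces, no quotes), not as a string. The set of radio-button statuses (PasswordExpired, Disabled, PasswordNeverExpires), the function names, and the sample objects are assumptions made for the example; the directory data at the end is constructed so the bit check can be exercised without a domain.

```powershell
# Added example (not from the original question or answer).
# UF_PASSWORD_EXPIRED bit in msDS-User-Account-Control-Computed: 0x800000 = 8388608
$UF_PASSWORD_EXPIRED = 0x800000

function Test-PasswordExpiredBit {
    # Pure bit test so the logic can be checked offline and unit-tested.
    param([Parameter(Mandatory)][int64]$Computed)
    return (($Computed -band $UF_PASSWORD_EXPIRED) -eq $UF_PASSWORD_EXPIRED)
}

function Get-StatusQuery {
    # Assumption: these are the statuses the GUI radio buttons offer.
    # Each entry carries a server-side -Filter string, the extra properties to
    # request, and a client-side *scriptblock* for Where-Object.
    param([Parameter(Mandatory)][ValidateSet('PasswordExpired', 'Disabled', 'PasswordNeverExpires')][string]$Status)
    switch ($Status) {
        'PasswordExpired' {
            @{
                Filter     = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False' -and PasswordNotRequired -eq 'False'"
                Properties = @('PasswordNeverExpires', 'PasswordNotRequired', 'msDS-User-Account-Control-Computed')
                # scriptblock, NOT a string: this is what Where-Object -FilterScript expects
                Check      = { Test-PasswordExpiredBit -Computed $_.'msDS-User-Account-Control-Computed' }
            }
        }
        'Disabled' {
            @{ Filter = "Enabled -eq 'False'"; Properties = @(); Check = { $true } }
        }
        'PasswordNeverExpires' {
            @{ Filter = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'True'"; Properties = @('PasswordNeverExpires'); Check = { $true } }
        }
    }
}

function Export-AccountReport {
    # Runs the chosen query against AD and writes Name/Enabled to CSV.
    param(
        [Parameter(Mandatory)][string]$Status,
        [Parameter(Mandatory)][string]$Path
    )
    $q = Get-StatusQuery -Status $Status
    $params = @{ Filter = $q.Filter }
    if ($q.Properties.Count -gt 0) { $params.Properties = $q.Properties }   # only pass -Properties when needed
    Get-ADUser @params |
        Where-Object -FilterScript $q.Check |
        Select-Object Name, Enabled |
        Export-Csv -Path $Path -NoTypeInformation
}

# ---- Offline check with constructed sample objects (not real directory data) ----
$sample = @(
    [pscustomobject]@{ Name = 'alice'; Enabled = $true; 'msDS-User-Account-Control-Computed' = 0x800000 }  # expired
    [pscustomobject]@{ Name = 'bob';   Enabled = $true; 'msDS-User-Account-Control-Computed' = 0        }  # fine
    [pscustomobject]@{ Name = 'carol'; Enabled = $true; 'msDS-User-Account-Control-Computed' = 0x800010 }  # expired + UF_LOCKOUT (0x10)
)
$check = (Get-StatusQuery -Status 'PasswordExpired').Check
$sample | Where-Object -FilterScript $check | Select-Object Name   # alice and carol; bob is dropped

# Real run, when the ActiveDirectory module is loaded:
# Export-AccountReport -Status 'PasswordExpired' -Path 'C:\report.csv'
```

If the GUI stores the user's choice as a string, it is worth keeping it that way and mapping it to the scriptblock inside Get-StatusQuery, rather than trying to build the scriptblock text from string fragments; a quoted scriptblock becomes a string, and Where-Object given a string will not evaluate it as a condition, which matches the "everyone or nobody" symptom described in the question.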
Upvotes: 2
Reputation: 347
I reckon I've found a solution over on Stack Exchange.
Early tests suggest it works.
Upvotes: 0