Dear reader,
How many times have you been confronted with bad passwords, and accounts set to never expire?
How many times were you asked to audit the Active Directory of a client or of a new organization you just joined?
How about users that “forgot” they changed their own password?
Well fear no more, this post is for you!
Open your PowerShell and let’s get started.
Scenario 1 – “I can’t login! My password isn’t working!”
For this scenario be prepared to quick draw your PowerShell Fu and type the following command:
Get-ADUser -identity username -properties PasswordLastSet, PasswordExpired
This will quickly tell you if the password is expired or if it was recently changed and forgotten!
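As an added example (not code from the original post), here is the same lookup wrapped in a small function that also reports whether the account is disabled or locked out and how old the password is, which is usually the next question on the phone. It assumes the ActiveDirectory module is loaded and that you have read access to the account; the account name `jdoe` is a placeholder.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module is available (Import-Module ActiveDirectory on a domain-joined host
# with RSAT). $SamAccountName is a placeholder for the account to troubleshoot.
function Get-PasswordStatus {
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    # Enabled is returned by default; the other attributes must be requested.
    $user = Get-ADUser -Identity $SamAccountName `
        -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires, LockedOut

    # PasswordLastSet is empty when the account is flagged
    # "must change password at next logon" (pwdLastSet = 0).
    $ageDays = if ($user.PasswordLastSet) {
        [int]((Get-Date) - $user.PasswordLastSet).TotalDays
    } else {
        $null
    }

    [PSCustomObject]@{
        Name                 = $user.Name
        Enabled              = $user.Enabled
        LockedOut            = $user.LockedOut
        PasswordLastSet      = $user.PasswordLastSet
        PasswordAgeDays      = $ageDays
        MustChangeAtLogon    = (-not $user.PasswordLastSet)
        PasswordExpired      = $user.PasswordExpired
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

# Usage (placeholder account name):
Get-PasswordStatus -SamAccountName 'jdoe' | Format-List
```

Reading the output: an expired password and a locked-out account look identical to the user ("my password isn't working"), but they are fixed differently, so check both fields before resetting anything.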
Scenario 2 – (Angry Boss/Security guy) Why is this user account password not expiring? How many of these exist?
This is usually B A D!
But worry not. Hopefully you are proactively working on this (if you're not, get on it) and you have at hand the latest list, obtained with:
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires | Sort-Object Name | Select-Object Name, PasswordLastSet, PasswordExpired, PasswordNeverExpires | Export-Csv -Path <LocalPath><filename>.csv
And you are done. With this list, you can identify all users with passwords not expiring and with the added bonus of understanding if the current passwords are expired or not.
(Pro Tip: Why the PasswordExpired and PasswordLastSet? Well, as soon as you start updating the PasswordNeverExpires to False, users will start being asked to change their passwords, and that can cause a lot of havoc. Those two fields will help with the correction plan for all those accounts.)
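To tie Scenario 2 and the pro tip together, here is an added example (not code from the original post) that exports the list above, answers the "how many of these exist?" question, and turns the PasswordLastSet and PasswordExpired columns into a correction plan. It assumes the ActiveDirectory module; the output path `C:\Audit\ad-password-audit.csv` and the 90-day maximum age are placeholders you should replace with your own values and your domain's password policy.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory
# module. $ReportPath and $MaxAgeDays are placeholders to adapt.
$ReportPath = 'C:\Audit\ad-password-audit.csv'
$MaxAgeDays = 90   # placeholder: your domain's maximum password age

# The export from the post, with SamAccountName and Enabled added so the
# CSV can be acted on later.
$users = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordExpired, PasswordNeverExpires |
    Sort-Object Name |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, PasswordExpired, PasswordNeverExpires

$users | Export-Csv -Path $ReportPath -NoTypeInformation

# Headline numbers for the angry boss / security guy.
$enabled     = @($users | Where-Object { $_.Enabled })
$neverExpire = @($enabled | Where-Object { $_.PasswordNeverExpires })
"Enabled accounts: {0}"                           -f $enabled.Count
"Enabled accounts with PasswordNeverExpires: {0}" -f $neverExpire.Count

# Correction plan: once PasswordNeverExpires is cleared, any account whose
# password is already older than the policy maximum (or has no PasswordLastSet
# at all) is forced to change at next logon. Those are the ones to schedule
# and communicate first; the rest can simply be allowed to age out.
$cutoff = (Get-Date).AddDays(-$MaxAgeDays)
$plan = $neverExpire |
    Select-Object Name, SamAccountName, PasswordLastSet, PasswordExpired,
        @{ Name = 'PasswordAgeDays'
           Expression = { if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null } } },
        @{ Name = 'ForcedChangeIfFlagCleared'
           Expression = { (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff) } } |
    Sort-Object PasswordLastSet

$plan | Format-Table -AutoSize

# Remediation, one account at a time, after the plan has been agreed
# (left commented out deliberately; run it per account, not over $plan blindly):
# Set-ADUser -Identity $sam -PasswordNeverExpires $false
```

Two practical notes: on a large domain `-Filter *` is heavy, so scope it with `-SearchBase` to one OU at a time if the query is slow; and service accounts that legitimately carry the flag should be recorded as documented exceptions in the plan rather than quietly left off the list.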
And there you have it. You can start owning your Active Directory.