i work in a multi domain environment. each domain has different password expiration rules. unfortunattely there is no notification system for the password expiration, so i have to check manually how long my passwords are valid.
for this, i wrote this PowerShell function, which does work without the use of any additional module:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 |
function get-UserPwdInfo { Param ( $UserDN ) $ACCOUNTDISABLE = 0x000002 $DONT_EXPIRE_PASSWORD = 0x010000 $PASSWORD_EXPIRED = 0x800000 if ( [string]::IsNullOrEmpty( $UserDN ) ) { $SysInfo = New-Object -ComObject "ADSystemInfo" $UserDN = $SysInfo.GetType().InvokeMember("UserName", "GetProperty", $Null, $SysInfo, $Null) } $User = [ADSI]"LDAP://$UserDN" $searcher=New-Object DirectoryServices.DirectorySearcher $searcher.Filter="(&(distinguishedName=$($User.distinguishedName)))" $results=$searcher.findone() $PwdLastSet = [datetime]::fromfiletime($results.properties.pwdlastset[0]) $DomainName = ( $UserDN -split ',' | Where-Object { $_ -match 'DC' } | ForEach-Object { $_ -replace 'DC=', '' } ) -join '.' [ADSI]$domain = "WinNT://$( $DomainName )" $MaxPasswordAge = $domain.MaxPasswordAge.Value New-Object -TypeName PSObject -Property @{ Domain = $domain.Name.ToString() UserDisplayName = $results.Properties.displayname[0].ToString() UserDistinguishedName = $results.Properties.distinguishedname[0].ToString() userPrincipalName = $User.userPrincipalName.ToString() sAMAccountName = $user.sAMAccountName.ToString() Enabled = ( -not [bool]($results.Properties.useraccountcontrol[0] -band $ACCOUNTDISABLE ) ) PasswordNeverExpires = ( [bool]($results.Properties.useraccountcontrol[0] -band $DONT_EXPIRE_PASSWORD ) ) PasswordExpired = ( [bool]($results.Properties.useraccountcontrol[0] -band $PASSWORD_EXPIRED ) ) MaxPasswordAge = $domain.MaxPasswordAge.Value / 3600 / 24 MinPasswordAge = $domain.MinPasswordAge.Value / 3600 / 24 LastPasswordSet = $PwdLastSet CurrentPasswordAge = ( New-TimeSpan -Start $PwdLastSet -End ( Get-Date ) ) PasswordExpiresOn = $PwdLastSet.AddSeconds( $MaxPasswordAge ) PasswordExpiresIn = ( New-TimeSpan -Start ( Get-Date ) -End $PwdLastSet.AddSeconds( $MaxPasswordAge ) ) } | Select-Object Domain, UserDisplayName, UserDistinguishedName, userPrincipalName, sAMAccountName, Enabled, PasswordNeverExpires, PasswordExpired, MaxPasswordAge, MinPasswordAge, LastPasswordSet, CurrentPasswordAge, PasswordExpiresOn, PasswordExpiresIn } $UserPwdInfo = get-UserPwdInfo $UserPwdInfo |
the result of this script looks like this:
