bsharath

PowerShell script to query an OU with users and update the last password reset date and last used date.

Hi,

PowerShell script to query an OU with users and update the last password reset date and last used date, like:

(Password reset : 10 days) (Last logged in : 5 days)

Regards
sharath
Meir Rivkin

Change $selector.SearchRoot to your root OU.

cls
# Create a searcher and start from the chosen container (change this to your OU)
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = "LDAP://cn=users,DC=soap,DC=com"
# Keep only user objects (objectCategory starts with "CN=Person"). Note the ForEach loop below.
$adobj = $selector.FindAll() | Where-Object {
  $_.Properties.objectcategory -like "CN=Person*"
}
foreach ($person in $adobj)
{
  $prop = $person.Properties
  # Get-QADUser -SamAccountName expects the logon name, not the CN
  $username = $($prop.samaccountname)
  # lastLogon is kept per DC, so ask every domain controller for this user and list what each one holds
  Get-QADComputer -ComputerRole DomainController | foreach {
    (Get-QADUser -Service $_.Name -SamAccountName $username) | select DisplayName, LastLogon, PasswordLastSet
  } | sort DisplayName
}


Remember that lastLogon is not replicated. If accuracy is important then all DCs in the domain must be queried.

PasswordLastSet is replicated and isn't a problem.

Chris

You wanted to write that to the description?

The SearchRoot on the third line defines the accounts it looks for. And -Enabled tells it only to look at enabled user accounts.

Chris
$Users = @{}
# lastLogon is not replicated, so ask every DC and keep the newest value per user
Get-QADComputer -ComputerRole DomainController | ForEach-Object {
  Get-QADUser -SearchRoot "domain.com/Offices" -Enabled -Service $_.Name -SizeLimit 0 | `
    Select-Object DN, LastLogon, PasswordLastSet | ForEach-Object {
      If ($Users.$($_.DN)) {
        # Already seen on an earlier DC: keep whichever LastLogon is more recent
        $Users.$($_.DN) = $_ | Select-Object DN, PasswordLastSet, `
          @{n='LastLogon';e={
            If ($_.LastLogon -gt $Users.$($_.DN).LastLogon) {
              $_.LastLogon
            } Else {
              $Users.$($_.DN).LastLogon
            } }}
      } Else {
        $Users.Add($_.DN, $_)
      }
    }
}

$Users.Values | ForEach-Object {
  # Days elapsed from each timestamp to now
  $PasswordReset = (New-TimeSpan $_.PasswordLastSet).Days
  $LastLogon = (New-TimeSpan $_.LastLogon).Days

  Set-QADUser $_.DN -Description "(Password reset : $PasswordReset days) (Last logged in : $LastLogon days)"
}

bsharath (ASKER)

Thanks
If the root I want to scan is this, should the line be as this?

domain.com/Offices/China/Users

Should I mention the DC names?

Yes for the root, and no for the DCs, the first line finds your DCs for you.

Chris
I get this

Get-QADUser : Cannot resolve directory object for the given identity:

Is it highlighting the search root there? As with the last one, I can't help you with paths within your own directory.

Chris

Same as the other, hard-coded Domain Controller names.

Chris
$DomainControllers = "dc1", "dc2", "dc3", "dc4"

$Users = @{}
# lastLogon is not replicated, so ask each listed DC and keep the newest value per user
$DomainControllers | ForEach-Object {
  Get-QADUser -SearchRoot "domain.com/Offices" -Enabled -Service $_ -SizeLimit 0 | `
    Select-Object DN, LastLogon, PasswordLastSet | ForEach-Object {
      If ($Users.$($_.DN)) {
        # Already seen on an earlier DC: keep whichever LastLogon is more recent
        $Users.$($_.DN) = $_ | Select-Object DN, PasswordLastSet, `
          @{n='LastLogon';e={
            If ($_.LastLogon -gt $Users.$($_.DN).LastLogon) {
              $_.LastLogon
            } Else {
              $Users.$($_.DN).LastLogon
            } }}
      } Else {
        $Users.Add($_.DN, $_)
      }
    }
}

$Users.Values | ForEach-Object {
  # Days elapsed from each timestamp to now
  $PasswordReset = (New-TimeSpan $_.PasswordLastSet).Days
  $LastLogon = (New-TimeSpan $_.LastLogon).Days

  Set-QADUser $_.DN -Description "(Password reset : $PasswordReset days) (Last logged in : $LastLogon days)"
}

I have 4 users in the OU and the script has been running for 20 minutes and does not end.

I'll have to check it tomorrow then, I have nothing here I can test against.

Chris
ASKER CERTIFIED SOLUTION
Chris Dent

Thanks
For a few I get this

(Password reset : 8 days) (Last logged in : - days)
Does this mean the user never logged in?

Yes, or rather, never logged into the DCs specified.

Chris
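As an added example (not code from this thread or from the Quest cmdlets it uses), the same task with the Microsoft ActiveDirectory module: every DC is queried because lastLogon is not replicated, the newest value wins, and a timestamp of 0 is written as "-" for accounts that never logged on to any queried DC, which is the case behind the "- days" result above. The search base is a placeholder and Format-Age is a helper name chosen here.

```powershell
Import-Module ActiveDirectory

# Placeholder search base; replace with the OU to scan
$SearchBase = 'OU=Users,OU=China,OU=Offices,DC=domain,DC=com'
$Users = @{}

# lastLogon is not replicated, so every DC is queried and the newest value is kept.
# pwdLastSet is replicated, so any DC's copy is as good as another.
foreach ($dc in (Get-ADDomainController -Filter *)) {
    Get-ADUser -Server $dc.HostName -SearchBase $SearchBase `
               -Filter 'Enabled -eq $true' -Properties lastLogon, pwdLastSet |
      ForEach-Object {
        $dn    = $_.DistinguishedName
        $logon = [int64]$_.lastLogon          # null (never set) becomes 0
        if (-not $Users.ContainsKey($dn)) {
            $Users[$dn] = [pscustomobject]@{
                DN         = $dn
                LastLogon  = $logon
                PwdLastSet = [int64]$_.pwdLastSet
            }
        } elseif ($logon -gt $Users[$dn].LastLogon) {
            $Users[$dn].LastLogon = $logon
        }
    }
}

# Both attributes are Windows FILETIME values (100 ns ticks since 1601-01-01).
# 0 means the value was never set: no logon on any queried DC, or for pwdLastSet,
# "user must change password at next logon".
function Format-Age([int64]$FileTime) {
    if ($FileTime -eq 0) { return '-' }
    return (New-TimeSpan -Start ([DateTime]::FromFileTime($FileTime))).Days
}

foreach ($u in $Users.Values) {
    $desc = "(Password reset : $(Format-Age $u.PwdLastSet) days) " +
            "(Last logged in : $(Format-Age $u.LastLogon) days)"
    # -WhatIf previews the writes; remove it to apply them
    Set-ADUser -Identity $u.DN -Description $desc -WhatIf
}
```

The description attribute is readable by every authenticated user by default, so whatever is written there (including which accounts are stale) becomes visible domain-wide.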