PowerShell script to query an OU with users and update the last password reset date and last used date.

bsharath
Hi,

PowerShell script to query an OU with users and update the last password reset date and last used date.
Like

(Password reset : 10 days) (Last logged in : 5 days)

Regards
sharath
Meir Rivkin, Full stack Software Engineer

Commented:
change $selector.SearchRoot to your root OU
cls
# Requires the Quest ActiveRoles snap-in for Get-QADComputer / Get-QADUser
# Create a selector and start searching from the Root of AD
$selector = New-Object DirectoryServices.DirectorySearcher
$selector.SearchRoot = "LDAP://cn=users,DC=soap,DC=com"
# Keep only user objects (objectCategory = Person), then loop over them
$adobj = $selector.FindAll() | Where-Object {
  $_.Properties.objectcategory -like "CN=Person*"
}
foreach ($person in $adobj)
{
  $prop = $person.Properties
  # Identify the account by sAMAccountName (the logon name), not by cn
  $username = $($prop.samaccountname)
  # Ask every DC, because lastLogon is not replicated between them
  Get-QADComputer -ComputerRole DomainController | ForEach-Object {
    Get-QADUser -Service $_.Name -SamAccountName $username |
      Select-Object DisplayName, LastLogon, PasswordLastSet
  } | Sort-Object DisplayName
}


Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Remember that lastLogon is not replicated. If accuracy is important then all DCs in the domain must be queried.

PasswordLastSet is replicated and isn't a problem.

Chris
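As an added example (not code from this thread), the same per-DC lastLogon aggregation and description text built with the built-in ActiveDirectory module instead of the Quest cmdlets; the OU path is a placeholder, and Set-ADUser runs with -WhatIf because the description attribute is readable by every authenticated user by default, so nothing is written until that switch is removed.

```powershell
# Added example, not from the thread: aggregate lastLogon across all DCs with the
# built-in ActiveDirectory module (RSAT), then build the description text.
Import-Module ActiveDirectory

$SearchBase = 'OU=Offices,DC=domain,DC=com'   # placeholder: replace with your OU
$Now = Get-Date

# lastLogon is per-DC and never replicated (lastLogonTimestamp is replicated, but
# can lag by up to 14 days), so query every DC and keep the newest value per user.
$DCs   = (Get-ADDomainController -Filter *).HostName
$Users = @{}
foreach ($dc in $DCs) {
    Get-ADUser -Server $dc -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties lastLogon, PasswordLastSet |
      ForEach-Object {
        # lastLogon is a FILETIME Int64; 0 means this DC never saw a logon
        $logon = if ($_.lastLogon) { [DateTime]::FromFileTime($_.lastLogon) } else { $null }
        $dn = $_.DistinguishedName
        if (-not $Users.ContainsKey($dn)) {
            $Users[$dn] = [pscustomobject]@{
                DN = $dn; PasswordLastSet = $_.PasswordLastSet; LastLogon = $logon }
        } elseif ($logon -and (-not $Users[$dn].LastLogon -or $Users[$dn].LastLogon -lt $logon)) {
            $Users[$dn].LastLogon = $logon
        }
      }
}

# Null-safe day counts: "-" when the password was never set or no DC recorded a logon.
$Users.Values | ForEach-Object {
    $pw = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End $Now).Days } else { '-' }
    $lo = if ($_.LastLogon)       { (New-TimeSpan -Start $_.LastLogon -End $Now).Days }       else { '-' }
    $text = "(Password reset : $pw days) (Last logged in : $lo days)"
    # Dry run: -WhatIf shows what would change; drop it to actually write the attribute.
    Set-ADUser -Identity $_.DN -Description $text -WhatIf
}
```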
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

You wanted to write that to the description?

The SearchRoot on the third line defines the accounts it looks for. And -Enabled tells it only to look at enabled user accounts.

Chris
$Users = @{}
Get-QADComputer -ComputerRole DomainController | ForEach-Object {
  Get-QADUser -SearchRoot "domain.com/Offices" -Enabled -Service $_.Name -SizeLimit 0 | `
    Select-Object DN, LastLogon, PasswordLastSet | ForEach-Object { 
      If ($Users.$($_.DN)) {
        $Users.$($_.DN) = $_ | Select-Object DN, PasswordLastSet, `
          @{n='LastLogon';e={ 
            If ($_.LastLogon -gt $Users.$($_.DN).LastLogon) { 
              $_.LastLogon 
            } Else { 
              $Users.$($_.DN).LastLogon 
            } }}
      } Else {
        $Users.Add($_.DN, $_)
      }
    }
}

$Users.Values | ForEach-Object {
  $PasswordReset = (New-TimeSpan $_.PasswordLastSet).Days
  $LastLogon = (New-TimeSpan $_.LastLogon).Days

  Set-QADUser $_.DN -Description "(Password reset : $PasswordReset days) (Last logged in : $LastLogon days)
}


Author

Commented:
Thanks
If the root I want to scan is this, should the line be like this?

domain.com/Offices/China/Users

Should I mention the DCs' names?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Yes for the root, and no for the DCs, the first line finds your DCs for you.

Chris

Author

Commented:
I get this

Get-QADUser : Cannot resolve directory object for the given identity:
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Is it highlighting the search root there? As with the last one, I can't help you with paths within your own directory.

Chris
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Same as the other, hard-coded Domain Controller names.

Chris
$DomainControllers = "dc1", "dc2", "dc3", "dc4"

$Users = @{}
$DomainControllers | ForEach-Object {
  Get-QADUser -SearchRoot "domain.com/Offices" -Enabled -Service $_ -SizeLimit 0 | `
    Select-Object DN, LastLogon, PasswordLastSet | ForEach-Object { 
      If ($Users.$($_.DN)) {
        $Users.$($_.DN) = $_ | Select-Object DN, PasswordLastSet, `
          @{n='LastLogon';e={ 
            If ($_.LastLogon -gt $Users.$($_.DN).LastLogon) { 
              $_.LastLogon 
            } Else { 
              $Users.$($_.DN).LastLogon 
            } }}
      } Else {
        $Users.Add($_.DN, $_)
      }
    }
}

$Users.Values | ForEach-Object {
  $PasswordReset = (New-TimeSpan $_.PasswordLastSet).Days
  $LastLogon = (New-TimeSpan $_.LastLogon).Days

  Set-QADUser $_.DN -Description "(Password reset : $PasswordReset days) (Last logged in : $LastLogon days)
}


Author

Commented:
I have 4 users in the OU and the script has been running for 20 min and does not end.
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

I'll have to check it tomorrow then, I have nothing here I can test against.

Chris
Chris Dent, PowerShell Developer
Top Expert 2010
Commented:

Fixed :)

Chris
# Requires the Quest ActiveRoles snap-in (Get-QADUser / Set-QADUser).
# Hard-coded DC names: lastLogon is not replicated, so every DC is queried
# and the newest value per user is kept.
$DomainControllers = "dc1", "dc2", "dc3", "dc4"

$Users = @{}
$DomainControllers | ForEach-Object {
  Get-QADUser -SearchRoot "domain.com/Offices" -Enabled -Service $_ -SizeLimit 0 | `
    Select-Object DN, LastLogon, PasswordLastSet | ForEach-Object { 
      If ($Users.$($_.DN)) {
        $Users.$($_.DN) = $_ | Select-Object DN, PasswordLastSet, `
          @{n='LastLogon';e={ 
            If ($_.LastLogon -gt $Users.$($_.DN).LastLogon) { 
              $_.LastLogon 
            } Else { 
              $Users.$($_.DN).LastLogon 
            } }}
      } Else {
        $Users.Add($_.DN, $_)
      }
    }
}

$Users.Values | ForEach-Object {
  If ($_.PasswordLastSet -ne $Null) {
    $PasswordReset = (New-TimeSpan $_.PasswordLastSet).Days
  } Else {
    $PasswordReset = "-"
  }

  If ($_.LastLogon -ne $Null) {
    $LastLogon = (New-TimeSpan $_.LastLogon).Days
  } Else {
    $LastLogon = "-"
  }

  Set-QADUser $_.DN -Description "(Password reset : $PasswordReset days) (Last logged in : $LastLogon days)"
}


Author

Commented:
Thanks
For a few I get this

(Password reset : 8 days) (Last logged in : - days)
Does this mean the user never logged in?
Chris Dent, PowerShell Developer
Top Expert 2010

Commented:

Yes, or rather, never logged into the DCs specified.

Chris
