PowerShell: How to check if ChangePasswordAtLogon is checked

Hi EE

I have a group with 20k users and I need to pull the data below, but I can't get it to output if the "change password at next logon" option is checked.

Get-ADGroup "TEST" -Properties * |
Select-Object -ExpandProperty Member |
Get-ADUser | select SamAccountName,Name,Enabled,ChangePasswordAtNextLogon |Export-Csv TestData.csv
MilesLogan Asked:

Mike Kline Commented:
Look for the passwordexpired attribute; that is going to be True for accounts that have the box checked, but that is not 100%, as some accounts could be expired without that checkbox.

There is no attribute for that; it is part of useraccountcontrol. More on useraccountcontrol:
http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

Thanks

Mike
MilesLogan Author Commented:
Hi Mike

Thanks for the link, but I am still a bit lost. I tried adding ADS_UF_PASSWORD_EXPIRED and other guesses, but none returned a true or false value. Most output what is below.


Microsoft.ActiveDirectory.Management.ADPropertyValueCollection
Vasil Michev (MVP) Commented:
Run a query and include the UserAccountControl attribute:

$test = Get-AdUser vasil -Properties UserAccountControl

Check if the corresponding flag is turned on:

($test.UserAccountControl -band 65536) -ne 0


Here 65536 is the decimal value for the password never expires flag, but you can of course do this for every flag (PASSWORD_EXPIRED is 8388608 in decimal):

($test.UserAccountControl -band 8388608) -ne 0


MilesLogan Author Commented:
Hi Vasilcho

Thanks. I was able to test that on one account. Can you help me modify this so it will output that for every account in a group?

Get-ADGroup "TEST" -Properties * |
Select-Object -ExpandProperty Member |
Get-ADUser | select SamAccountName,Name,Enabled |Export-Csv TestData.csv
Vasil Michev (MVP) Commented:
Try this:

# $_ is the user currently in the pipeline, so the flag is evaluated per account
Get-ADGroup "TestGroup" -Properties * |
Select-Object -ExpandProperty Member |
Get-ADUser -Properties userAccountControl |
select SamAccountName,Name,Enabled,userAccountControl,@{name="Has Password Expired";expression={if(($_.userAccountControl -band 8388608) -ne 0) {"True"} else {"False"}}}

MilesLogan Author Commented:
Thank you vasilcho !
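
Added example (not part of the thread and not the answerers' code): a pipeline function that decodes the userAccountControl bits used above for each account and also reports the checkbox itself, which Active Directory stores as pwdLastSet = 0. The function name Get-PasswordFlagReport and the sample rows are constructed for illustration.

```powershell
# Added example, not code from the thread. ADS_UF_* values for userAccountControl.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x2
    PASSWD_NOTREQD       = 0x20
    DONT_EXPIRE_PASSWORD = 0x10000     # 65536, the value used in the thread
    PASSWORD_EXPIRED     = 0x800000    # 8388608, the value used in the thread
}

function Get-PasswordFlagReport {      # hypothetical helper name
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$User)
    process {
        $uac = [int]$User.userAccountControl
        $neverExpires = ($uac -band $UacFlags['DONT_EXPIRE_PASSWORD']) -ne 0
        # Names of every known flag whose bit is set in this account's value
        $set = foreach ($name in $UacFlags.Keys) {
            if (($uac -band $UacFlags[$name]) -ne 0) { $name }
        }
        [pscustomobject]@{
            SamAccountName        = $User.SamAccountName
            Enabled               = ($uac -band $UacFlags['ACCOUNTDISABLE']) -eq 0
            PasswordNeverExpires  = $neverExpires
            # Ticking "User must change password at next logon" writes pwdLastSet = 0;
            # the forced change does not apply while DONT_EXPIRE_PASSWORD is set.
            MustChangeAtNextLogon = ([long]$User.pwdLastSet -eq 0) -and -not $neverExpires
            UacFlagsSet           = $set -join ','
        }
    }
}

# Constructed sample rows standing in for Get-ADUser output
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; userAccountControl = 512;   pwdLastSet = 0 }
    [pscustomobject]@{ SamAccountName = 'bob';   userAccountControl = 66048; pwdLastSet = 133500000000000000 }
    [pscustomobject]@{ SamAccountName = 'carol'; userAccountControl = 514;   pwdLastSet = 133500000000000000 }
)
$report = $sample | Get-PasswordFlagReport
$report | Format-Table -AutoSize

# Against a directory (requires the ActiveDirectory module), using the thread's pipeline:
# Get-ADGroup "TEST" -Properties Member | Select-Object -ExpandProperty Member |
#     Get-ADUser -Properties userAccountControl,pwdLastSet |
#     Get-PasswordFlagReport | Export-Csv TestData.csv -NoTypeInformation
```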