Solved

Active Directory

Posted on 2014-03-04
22
238 Views
Last Modified: 2015-08-21
I have prompted 170 user to change their password at next login, is there a way to find out in active directory how many users have changed there password for multiple users rather than one at a time ? Can you run a report in Active directory on when users last changed their password ?

DNRRP
0
Comment
Question by:DNRRP
  • 10
  • 10
  • +1
22 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 39902656
get-aduser -filter * -properties passwordlastset

This will give you the password last set property.

You can loop this for multiple users.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39902672
Hi,

Set objUser = GetObject("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
Wscript.Echo "Password last changed: " & objUser.PasswordLastChanged



or

repadmin /showobjmeta * "CN=svcfimsync,OU=Service Accounts,OU=Demo,DC=demo,DC=local" | findstr /i pwdlastset

What it does? It will ask EVERY (*) DC what's the metadata for the object given by the DN. I'll pipe that to findstr /i (case insensitive) so I only have those lines with pwdlastset.
So you can easily found the DC where it was first set, and the time.


More info : http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/05/how-can-i-determine-when-a-user-last-changed-his-or-her-password.aspx
0
 

Author Comment

by:DNRRP
ID: 39903753
becraig
I dont use powershell day to day, so my knowledge is minimal in this area.

What is the exact command line in powershell to check the last password change for multiple user. (OU) Can provide the command so that I can copy & past into powershell

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39903902
import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

Open in new window


This will need a text file with an input of each user name on a separate line.
0
 

Author Comment

by:DNRRP
ID: 39903957
becraig
Thanks, for my clarity I just need to copy and paste all the commands at once or one at a time in Powershell ?

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39903980
Save as a script script.ps1 and run from a powershell window.

Also there is one requirement that you have powershell AD tools installed on the computer you are running from.

In case you do not:
http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
0
 

Author Comment

by:DNRRP
ID: 39908653
becraig

What do you mean by "an input of each user name on a separate line",

I thought I just need to copy & paste as below into a notepad file and save as script.ps1?

import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

DNRRP
0
 

Author Comment

by:DNRRP
ID: 39908659
beCraig

See attached image of the Commands that I used in powershell, is this correct ?

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39908664
You need to check against the 170 users who reset their passwords  
So userlist.txt should be a text file of all the users you want to check.  

I can modify the script to just scan all users in the AD if you are not trying to check only those 170
0
 

Author Comment

by:DNRRP
ID: 39910740
becraig
I have exported all names of the 170 users into excel , should I copy all these users names into notepad and as save as a txt file ? I am still not certain how the script will check the 170 users ?

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39910793
Yes save them in a text file.

I will breakdown what the script does.

#Imports AD module so we can query the AD
import-module ac*

#Create the array "results" to put all our results into
$results = @()

#This line read the text file with the user names line by line then loops through each "%"
gc userlist.txt | % {

#We now assign a variable name "$user" to each username from the text file
$user = $_

#We now query Ad for that user "Identity $user" and then check last login
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{

#We now evaluate the login type and report it in a readable format
$login = [DateTime]::FromFileTime($_.lastlogon)}

#we now start to populate our output array, incrementing with each user
$results += $user, $login
}

#Finally we take all the results and combine them in one file
$results | out-file c:\loginreport.txt

Open in new window

0
Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

 

Author Comment

by:DNRRP
ID: 39910835
becraig
Thanks
So where do I save this txt file that has all the user names and what format should the usernames appear in the txt file ?

How will the script know how to find this txt file ?

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39910892
gc userlist.txt

You simply specifiy the path explicitly
e.g.
gc c:\path-to-file\file.txt


As for the format of the username name it should be as :
the "username" portion of
domain\username
0
 

Author Comment

by:DNRRP
ID: 39910933
becraig
I am not good at poweshell.
whrw4 do I specify the path?

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39910945
whatever the directory you save the text file to point the script to that directory:

e.g. if you saved it to your desktop it might be
gc c:\users\<your username>\desktop\file.txt

If you saved it to the root of the d: drive you would change the gc line to:
gc d:\file.txt

If you saved it to a folder on your e: drive you would change the line to:
gc e:\folder\file.txt


File.txt  represents the name of the file you saved the username list to.
0
 

Author Comment

by:DNRRP
ID: 39911022
becraig

Thanks,  I will save to the C as file.txt, so what will the final script look like ?
DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39911036
import-module ac*
$results = @()
gc c:\file.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
                       

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39911761
becraig

Thanks I will try this later today.
Also can you modify the script to just scan all users in the AD and provide the script please.

Thanks

DNRRP
0
 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
ID: 39913186
import-module ac*
$results = @()
Get-ADUser -Filter * | % {
$user = $_.SamAccountName
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += "$user, $login"
}

$results | out-file c:\loginreport.txt

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39919897
becraig

I copied the text file "script.ps1 to the c: drive and then typed "script.ps1 in the powershell command. This does not seem to do anything ?

DNRRP
0
 
LVL 28

Expert Comment

by:becraig
ID: 39919905
Nothing at all happens ?
Powershell does not complain nor even give you an error ?


Try .\script.ps1

Also try looking for the output file loginreport.txt
0
 

Expert Comment

by:Skibo187
ID: 40941499
hey becraig,

Do you have a script that will pull the same thing using LDAP? need to pull when there password was last changed and fixing to expire.

Thanks for the help.
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Utilizing an array to gracefully append to a list of EmailAddresses
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now