DNRRP
asked on
Active Directory
I have prompted 170 users to change their password at next login. Is there a way to find out in Active Directory how many users have changed their password, for multiple users rather than one at a time? Can you run a report in Active Directory on when users last changed their password?
DNRRP
DNRRP
Hi,
Set objUser = GetObject("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
Wscript.Echo "Password last changed: " & objUser.PasswordLastChanged
or
repadmin /showobjmeta * "CN=svcfimsync,OU=Service Accounts,OU=Demo,DC=demo,DC=local" | findstr /i pwdlastset
What does it do? It asks EVERY (*) DC for the metadata of the object given by the DN. I pipe that to findstr /i (case insensitive) so I only get the lines with pwdlastset.
So you can easily find the DC where it was first set, and the time.
More info : http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/05/how-can-i-determine-when-a-user-last-changed-his-or-her-password.aspx
ASKER
becraig
I don't use PowerShell day to day, so my knowledge is minimal in this area.
What is the exact command line in PowerShell to check the last password change for multiple users (OU)? Can you provide the command so that I can copy & paste it into PowerShell?
DNRRP
import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
This will need a text file with an input of each user name on a separate line.
ASKER
becraig
Thanks, for my clarity I just need to copy and paste all the commands at once or one at a time in Powershell ?
DNRRP
Save as a script script.ps1 and run from a powershell window.
Also there is one requirement that you have powershell AD tools installed on the computer you are running from.
In case you do not:
http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
ASKER
becraig
What do you mean by "an input of each user name on a separate line",
I thought I just need to copy & paste as below into a notepad file and save as script.ps1?
import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
DNRRP
ASKER
beCraig
See attached image of the Commands that I used in powershell, is this correct ?
DNRRP
You need to check against the 170 users who reset their passwords
So userlist.txt should be a text file of all the users you want to check.
I can modify the script to just scan all users in the AD if you are not trying to check only those 170
ASKER
becraig
I have exported all names of the 170 users into Excel. Should I copy all these user names into Notepad and save as a txt file? I am still not certain how the script will check the 170 users.
DNRRP
Yes save them in a text file.
I will break down what the script does.
#Imports AD module so we can query the AD
import-module ac*
#Create the array "results" to put all our results into
$results = @()
#This line reads the text file with the user names line by line, then loops through each "%"
gc userlist.txt | % {
#We now assign a variable name "$user" to each username from the text file
$user = $_
#We now query AD for that user "Identity $user" and then check last login
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
#We now evaluate the login type and report it in a readable format
$login = [DateTime]::FromFileTime($_.lastlogon)}
#we now start to populate our output array, incrementing with each user
$results += $user, $login
}
#Finally we take all the results and combine them in one file
$results | out-file c:\loginreport.txt
ASKER
becraig
Thanks
So where do I save this txt file that has all the user names and what format should the usernames appear in the txt file ?
How will the script know how to find this txt file ?
DNRRP
gc userlist.txt
You simply specify the path explicitly
e.g.
gc c:\path-to-file\file.txt
As for the format of the username, it should be:
the "username" portion of
domain\username
ASKER
becraig
I am not good at PowerShell.
Where do I specify the path?
DNRRP
Whatever directory you save the text file to, point the script to that directory:
e.g. if you saved it to your desktop it might be
gc c:\users\<your username>\desktop\file.txt
If you saved it to the root of the d: drive you would change the gc line to:
gc d:\file.txt
If you saved it to a folder on your e: drive you would change the line to:
gc e:\folder\file.txt
File.txt represents the name of the file you saved the username list to.
ASKER
becraig
Thanks, I will save to the C as file.txt, so what will the final script look like ?
DNRRP
import-module ac*
$results = @()
gc c:\file.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
ASKER
becraig
Thanks I will try this later today.
Also can you modify the script to just scan all users in the AD and provide the script please.
Thanks
DNRRP
ASKER
becraig
I copied the text file "script.ps1" to the c: drive and then typed "script.ps1" in the PowerShell command. This does not seem to do anything?
DNRRP
Nothing at all happens ?
Powershell does not complain nor even give you an error ?
Try .\script.ps1
Also try looking for the output file loginreport.txt
hey becraig,
Do you have a script that will pull the same thing using LDAP? Need to pull when their password was last changed and fixing to expire.
Thanks for the help.
This will give you the password last set property.
You can loop this for multiple users.
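
For the original question (which of the prompted users have actually changed their password), the attribute to read is pwdLastSet rather than lastLogon. The following is an added example, not code from any poster in this thread; the file paths, the $PromptedOn date and the status labels are assumptions to adjust.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module, PowerShell 3.0+.
# Assumed names: C:\file.txt (one logon name per line), C:\pwdreport.csv, $PromptedOn.
Import-Module ActiveDirectory

$PromptedOn   = Get-Date '2014-01-15'   # constructed date: when the users were flagged
$NeverExpires = [Int64]::MaxValue       # expiry value AD computes for non-expiring passwords

$report = Get-Content C:\file.txt | Where-Object { $_.Trim() } | ForEach-Object {
    $name = $_.Trim()
    try {
        $u = Get-ADUser -Identity $name -ErrorAction Stop `
                 -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    } catch {
        # Mistyped or deleted account: report it instead of silently dropping it
        return [pscustomobject]@{ User = $name; Status = 'NotFound'
                                  PasswordLastSet = $null; PasswordExpires = $null }
    }

    if ($u.pwdLastSet -eq 0) {
        # pwdLastSet = 0 is the state "must change password at next logon" leaves behind
        $status  = 'StillPending'
        $changed = $null
    } else {
        $changed = [DateTime]::FromFileTime($u.pwdLastSet)
        $status  = if ($changed -ge $PromptedOn) { 'Changed' } else { 'OlderThanPrompt' }
    }

    # The computed expiry is 0 while a change is pending and Int64 max when it never expires
    $raw     = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -and $raw -ne $NeverExpires) { [DateTime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{ User = $name; Status = $status
                       PasswordLastSet = $changed; PasswordExpires = $expires }
}

$report | Export-Csv C:\pwdreport.csv -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count   # how many changed vs. still pending
```

Unlike lastLogon, pwdLastSet is replicated between domain controllers, so the result does not depend on which DC answers the query.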