Active Directory

I have prompted 170 user to change their password at next login, is there a way to find out in active directory how many users have changed there password for multiple users rather than one at a time ? Can you run a report in Active directory on when users last changed their password ?

DNRRP
DNRRPAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

becraigCommented:
get-aduser -filter * -properties passwordlastset

This will give you the password last set property.

You can loop this for multiple users.
0
Manjunath SulladTechnical ConsultantCommented:
Hi,

Set objUser = GetObject("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
Wscript.Echo "Password last changed: " & objUser.PasswordLastChanged



or

repadmin /showobjmeta * "CN=svcfimsync,OU=Service Accounts,OU=Demo,DC=demo,DC=local" | findstr /i pwdlastset

What it does? It will ask EVERY (*) DC what's the metadata for the object given by the DN. I'll pipe that to findstr /i (case insensitive) so I only have those lines with pwdlastset.
So you can easily found the DC where it was first set, and the time.


More info : http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/05/how-can-i-determine-when-a-user-last-changed-his-or-her-password.aspx
0
DNRRPAuthor Commented:
becraig
I dont use powershell day to day, so my knowledge is minimal in this area.

What is the exact command line in powershell to check the last password change for multiple user. (OU) Can provide the command so that I can copy & past into powershell

DNRRP
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

becraigCommented:
import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

Open in new window


This will need a text file with an input of each user name on a separate line.
0
DNRRPAuthor Commented:
becraig
Thanks, for my clarity I just need to copy and paste all the commands at once or one at a time in Powershell ?

DNRRP
0
becraigCommented:
Save as a script script.ps1 and run from a powershell window.

Also there is one requirement that you have powershell AD tools installed on the computer you are running from.

In case you do not:
http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
0
DNRRPAuthor Commented:
becraig

What do you mean by "an input of each user name on a separate line",

I thought I just need to copy & paste as below into a notepad file and save as script.ps1?

import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

DNRRP
0
DNRRPAuthor Commented:
beCraig

See attached image of the Commands that I used in powershell, is this correct ?

DNRRP
0
becraigCommented:
You need to check against the 170 users who reset their passwords  
So userlist.txt should be a text file of all the users you want to check.  

I can modify the script to just scan all users in the AD if you are not trying to check only those 170
0
DNRRPAuthor Commented:
becraig
I have exported all names of the 170 users into excel , should I copy all these users names into notepad and as save as a txt file ? I am still not certain how the script will check the 170 users ?

DNRRP
0
becraigCommented:
Yes save them in a text file.

I will breakdown what the script does.

#Imports AD module so we can query the AD
import-module ac*

#Create the array "results" to put all our results into
$results = @()

#This line read the text file with the user names line by line then loops through each "%"
gc userlist.txt | % {

#We now assign a variable name "$user" to each username from the text file
$user = $_

#We now query Ad for that user "Identity $user" and then check last login
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{

#We now evaluate the login type and report it in a readable format
$login = [DateTime]::FromFileTime($_.lastlogon)}

#we now start to populate our output array, incrementing with each user
$results += $user, $login
}

#Finally we take all the results and combine them in one file
$results | out-file c:\loginreport.txt

Open in new window

0
DNRRPAuthor Commented:
becraig
Thanks
So where do I save this txt file that has all the user names and what format should the usernames appear in the txt file ?

How will the script know how to find this txt file ?

DNRRP
0
becraigCommented:
gc userlist.txt

You simply specifiy the path explicitly
e.g.
gc c:\path-to-file\file.txt


As for the format of the username name it should be as :
the "username" portion of
domain\username
0
DNRRPAuthor Commented:
becraig
I am not good at poweshell.
whrw4 do I specify the path?

DNRRP
0
becraigCommented:
whatever the directory you save the text file to point the script to that directory:

e.g. if you saved it to your desktop it might be
gc c:\users\<your username>\desktop\file.txt

If you saved it to the root of the d: drive you would change the gc line to:
gc d:\file.txt

If you saved it to a folder on your e: drive you would change the line to:
gc e:\folder\file.txt


File.txt  represents the name of the file you saved the username list to.
0
DNRRPAuthor Commented:
becraig

Thanks,  I will save to the C as file.txt, so what will the final script look like ?
DNRRP
0
becraigCommented:
import-module ac*
$results = @()
gc c:\file.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
                       

Open in new window

0
DNRRPAuthor Commented:
becraig

Thanks I will try this later today.
Also can you modify the script to just scan all users in the AD and provide the script please.

Thanks

DNRRP
0
becraigCommented:
import-module ac*
$results = @()
Get-ADUser -Filter * | % {
$user = $_.SamAccountName
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += "$user, $login"
}

$results | out-file c:\loginreport.txt

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
DNRRPAuthor Commented:
becraig

I copied the text file "script.ps1 to the c: drive and then typed "script.ps1 in the powershell command. This does not seem to do anything ?

DNRRP
0
becraigCommented:
Nothing at all happens ?
Powershell does not complain nor even give you an error ?


Try .\script.ps1

Also try looking for the output file loginreport.txt
0
Skibo187Commented:
hey becraig,

Do you have a script that will pull the same thing using LDAP? need to pull when there password was last changed and fixing to expire.

Thanks for the help.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.