Solved

Active Directory

Posted on 2014-03-04
22
247 Views
Last Modified: 2015-08-21
I have prompted 170 user to change their password at next login, is there a way to find out in active directory how many users have changed there password for multiple users rather than one at a time ? Can you run a report in Active directory on when users last changed their password ?

DNRRP
0
Comment
Question by:DNRRP
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 10
  • 10
  • +1
22 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39902656
get-aduser -filter * -properties passwordlastset

This will give you the password last set property.

You can loop this for multiple users.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39902672
Hi,

Set objUser = GetObject("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
Wscript.Echo "Password last changed: " & objUser.PasswordLastChanged



or

repadmin /showobjmeta * "CN=svcfimsync,OU=Service Accounts,OU=Demo,DC=demo,DC=local" | findstr /i pwdlastset

What it does? It will ask EVERY (*) DC what's the metadata for the object given by the DN. I'll pipe that to findstr /i (case insensitive) so I only have those lines with pwdlastset.
So you can easily found the DC where it was first set, and the time.


More info : http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/05/how-can-i-determine-when-a-user-last-changed-his-or-her-password.aspx
0
 

Author Comment

by:DNRRP
ID: 39903753
becraig
I dont use powershell day to day, so my knowledge is minimal in this area.

What is the exact command line in powershell to check the last password change for multiple user. (OU) Can provide the command so that I can copy & past into powershell

DNRRP
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 
LVL 29

Expert Comment

by:becraig
ID: 39903902
import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

Open in new window


This will need a text file with an input of each user name on a separate line.
0
 

Author Comment

by:DNRRP
ID: 39903957
becraig
Thanks, for my clarity I just need to copy and paste all the commands at once or one at a time in Powershell ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39903980
Save as a script script.ps1 and run from a powershell window.

Also there is one requirement that you have powershell AD tools installed on the computer you are running from.

In case you do not:
http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
0
 

Author Comment

by:DNRRP
ID: 39908653
becraig

What do you mean by "an input of each user name on a separate line",

I thought I just need to copy & paste as below into a notepad file and save as script.ps1?

import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

DNRRP
0
 

Author Comment

by:DNRRP
ID: 39908659
beCraig

See attached image of the Commands that I used in powershell, is this correct ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39908664
You need to check against the 170 users who reset their passwords  
So userlist.txt should be a text file of all the users you want to check.  

I can modify the script to just scan all users in the AD if you are not trying to check only those 170
0
 

Author Comment

by:DNRRP
ID: 39910740
becraig
I have exported all names of the 170 users into excel , should I copy all these users names into notepad and as save as a txt file ? I am still not certain how the script will check the 170 users ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39910793
Yes save them in a text file.

I will breakdown what the script does.

#Imports AD module so we can query the AD
import-module ac*

#Create the array "results" to put all our results into
$results = @()

#This line read the text file with the user names line by line then loops through each "%"
gc userlist.txt | % {

#We now assign a variable name "$user" to each username from the text file
$user = $_

#We now query Ad for that user "Identity $user" and then check last login
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{

#We now evaluate the login type and report it in a readable format
$login = [DateTime]::FromFileTime($_.lastlogon)}

#we now start to populate our output array, incrementing with each user
$results += $user, $login
}

#Finally we take all the results and combine them in one file
$results | out-file c:\loginreport.txt

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39910835
becraig
Thanks
So where do I save this txt file that has all the user names and what format should the usernames appear in the txt file ?

How will the script know how to find this txt file ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39910892
gc userlist.txt

You simply specifiy the path explicitly
e.g.
gc c:\path-to-file\file.txt


As for the format of the username name it should be as :
the "username" portion of
domain\username
0
 

Author Comment

by:DNRRP
ID: 39910933
becraig
I am not good at poweshell.
whrw4 do I specify the path?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39910945
whatever the directory you save the text file to point the script to that directory:

e.g. if you saved it to your desktop it might be
gc c:\users\<your username>\desktop\file.txt

If you saved it to the root of the d: drive you would change the gc line to:
gc d:\file.txt

If you saved it to a folder on your e: drive you would change the line to:
gc e:\folder\file.txt


File.txt  represents the name of the file you saved the username list to.
0
 

Author Comment

by:DNRRP
ID: 39911022
becraig

Thanks,  I will save to the C as file.txt, so what will the final script look like ?
DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39911036
import-module ac*
$results = @()
gc c:\file.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
                       

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39911761
becraig

Thanks I will try this later today.
Also can you modify the script to just scan all users in the AD and provide the script please.

Thanks

DNRRP
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39913186
import-module ac*
$results = @()
Get-ADUser -Filter * | % {
$user = $_.SamAccountName
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += "$user, $login"
}

$results | out-file c:\loginreport.txt

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39919897
becraig

I copied the text file "script.ps1 to the c: drive and then typed "script.ps1 in the powershell command. This does not seem to do anything ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39919905
Nothing at all happens ?
Powershell does not complain nor even give you an error ?


Try .\script.ps1

Also try looking for the output file loginreport.txt
0
 

Expert Comment

by:Skibo187
ID: 40941499
hey becraig,

Do you have a script that will pull the same thing using LDAP? need to pull when there password was last changed and fixing to expire.

Thanks for the help.
0

Featured Post

Edgartown IT Case Study

Learn about Edgartown's quest to ensure the safety and security of the entire town's employee and citizen data. Read the case study!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question