Solved

Active Directory

Posted on 2014-03-04
22
243 Views
Last Modified: 2015-08-21
I have prompted 170 user to change their password at next login, is there a way to find out in active directory how many users have changed there password for multiple users rather than one at a time ? Can you run a report in Active directory on when users last changed their password ?

DNRRP
0
Comment
Question by:DNRRP
  • 10
  • 10
  • +1
22 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 39902656
get-aduser -filter * -properties passwordlastset

This will give you the password last set property.

You can loop this for multiple users.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39902672
Hi,

Set objUser = GetObject("LDAP://CN=myerken,OU=management,DC=Fabrikam,DC=com")
Wscript.Echo "Password last changed: " & objUser.PasswordLastChanged



or

repadmin /showobjmeta * "CN=svcfimsync,OU=Service Accounts,OU=Demo,DC=demo,DC=local" | findstr /i pwdlastset

What it does? It will ask EVERY (*) DC what's the metadata for the object given by the DN. I'll pipe that to findstr /i (case insensitive) so I only have those lines with pwdlastset.
So you can easily found the DC where it was first set, and the time.


More info : http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/05/how-can-i-determine-when-a-user-last-changed-his-or-her-password.aspx
0
 

Author Comment

by:DNRRP
ID: 39903753
becraig
I dont use powershell day to day, so my knowledge is minimal in this area.

What is the exact command line in powershell to check the last password change for multiple user. (OU) Can provide the command so that I can copy & past into powershell

DNRRP
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 29

Expert Comment

by:becraig
ID: 39903902
import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

Open in new window


This will need a text file with an input of each user name on a separate line.
0
 

Author Comment

by:DNRRP
ID: 39903957
becraig
Thanks, for my clarity I just need to copy and paste all the commands at once or one at a time in Powershell ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39903980
Save as a script script.ps1 and run from a powershell window.

Also there is one requirement that you have powershell AD tools installed on the computer you are running from.

In case you do not:
http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx
0
 

Author Comment

by:DNRRP
ID: 39908653
becraig

What do you mean by "an input of each user name on a separate line",

I thought I just need to copy & paste as below into a notepad file and save as script.ps1?

import-module ac*
$results = @()
gc userlist.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt

DNRRP
0
 

Author Comment

by:DNRRP
ID: 39908659
beCraig

See attached image of the Commands that I used in powershell, is this correct ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39908664
You need to check against the 170 users who reset their passwords  
So userlist.txt should be a text file of all the users you want to check.  

I can modify the script to just scan all users in the AD if you are not trying to check only those 170
0
 

Author Comment

by:DNRRP
ID: 39910740
becraig
I have exported all names of the 170 users into excel , should I copy all these users names into notepad and as save as a txt file ? I am still not certain how the script will check the 170 users ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39910793
Yes save them in a text file.

I will breakdown what the script does.

#Imports AD module so we can query the AD
import-module ac*

#Create the array "results" to put all our results into
$results = @()

#This line read the text file with the user names line by line then loops through each "%"
gc userlist.txt | % {

#We now assign a variable name "$user" to each username from the text file
$user = $_

#We now query Ad for that user "Identity $user" and then check last login
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{

#We now evaluate the login type and report it in a readable format
$login = [DateTime]::FromFileTime($_.lastlogon)}

#we now start to populate our output array, incrementing with each user
$results += $user, $login
}

#Finally we take all the results and combine them in one file
$results | out-file c:\loginreport.txt

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39910835
becraig
Thanks
So where do I save this txt file that has all the user names and what format should the usernames appear in the txt file ?

How will the script know how to find this txt file ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39910892
gc userlist.txt

You simply specifiy the path explicitly
e.g.
gc c:\path-to-file\file.txt


As for the format of the username name it should be as :
the "username" portion of
domain\username
0
 

Author Comment

by:DNRRP
ID: 39910933
becraig
I am not good at poweshell.
whrw4 do I specify the path?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39910945
whatever the directory you save the text file to point the script to that directory:

e.g. if you saved it to your desktop it might be
gc c:\users\<your username>\desktop\file.txt

If you saved it to the root of the d: drive you would change the gc line to:
gc d:\file.txt

If you saved it to a folder on your e: drive you would change the line to:
gc e:\folder\file.txt


File.txt  represents the name of the file you saved the username list to.
0
 

Author Comment

by:DNRRP
ID: 39911022
becraig

Thanks,  I will save to the C as file.txt, so what will the final script look like ?
DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39911036
import-module ac*
$results = @()
gc c:\file.txt | % {
$user = $_
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += $user, $login
}
$results | out-file c:\loginreport.txt
                       

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39911761
becraig

Thanks I will try this later today.
Also can you modify the script to just scan all users in the AD and provide the script please.

Thanks

DNRRP
0
 
LVL 29

Accepted Solution

by:
becraig earned 500 total points
ID: 39913186
import-module ac*
$results = @()
Get-ADUser -Filter * | % {
$user = $_.SamAccountName
Get-ADUser -Identity $user | Get-ADObject -Properties lastLogon | %{
$login = [DateTime]::FromFileTime($_.lastlogon)}
$results += "$user, $login"
}

$results | out-file c:\loginreport.txt

Open in new window

0
 

Author Comment

by:DNRRP
ID: 39919897
becraig

I copied the text file "script.ps1 to the c: drive and then typed "script.ps1 in the powershell command. This does not seem to do anything ?

DNRRP
0
 
LVL 29

Expert Comment

by:becraig
ID: 39919905
Nothing at all happens ?
Powershell does not complain nor even give you an error ?


Try .\script.ps1

Also try looking for the output file loginreport.txt
0
 

Expert Comment

by:Skibo187
ID: 40941499
hey becraig,

Do you have a script that will pull the same thing using LDAP? need to pull when there password was last changed and fixing to expire.

Thanks for the help.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This article runs through the process of deploying a single EXE application selectively to a group of user.
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question