Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 225
  • Last Modified:

Fine Grained Password - Script to find out password expiration for user accounts assigned FGPP

Anyone have a script I can run to find out when my Fine Grained Password Policies users account passwords will expire?  I found a few scripts via google but no luck actually pulling the expiration date data or getting the script to run via powershell.

Thank you!
0
tnims
Asked:
tnims
  • 5
  • 5
  • 4
  • +1
1 Solution
 
Jorge OcampoCommented:
Do you want a script or a free program would do also?
0
 
tnimsAuthor Commented:
I'd rather have a script -- but may try a free program as well.

Could you reference both?

Thanks again
0
 
Jorge OcampoCommented:
Download ADManager Plus - http://www.manageengine.com/windows-active-directory-tools.html

you will be able to run multiple password reports

sample
0
Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

 
Pramod UbheCommented:
If you only  need username and days left for pwd expiry, you can use below (still need some modifications to export the output in desired form) -



Import-Module ActiveDirectory
Get-ADUser -filter * -properties PasswordLastSet,GivenName | foreach {

   $PasswordSetDate=$_.PasswordLastSet
   $maxPasswordAgeTimeSpan = $null
   $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
   $today=get-date
   $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan
   $daysleft=$ExpiryDate-$today
   $PwdExpDays=$daysleft.days
   $UserName=$_.GivenName
   
   }




Also you can apply some filters like -

( ($PwdExpDays -eq '10') -or ($PwdExpDays -eq '5') -or ($PwdExpDays -eq '1') )
0
 
tnimsAuthor Commented:
Hi Pramod_ubhe

I'm assuming I put this code into ps1 file.  If I just want to run this on 1 user account, how would I go about do that?  

I'm guessing the the -filter * will include all accounts on the domain?

Also, if I want to export the data to a csv file, how would i go about doing that.


Thank you both for the following info - much appreciated!
0
 
Jorge OcampoCommented:
Not a problem! :) did you manage to install the software and run it?
0
 
tnimsAuthor Commented:
I was able to install the program, but could not find the Fine Grained password policy to determine when the account password would expire.
0
 
Jorge OcampoCommented:
AD Reports > Password Reports
0
 
Pramod UbheCommented:
Here is the complete script (pls run it on the computer where AD module for powershell is installed) and yes for a single user, replace -Filter * with user logon name -
How to run - just copy paste in PS window or save as .ps1 and execute like normal scripts
 __________________________________________________________________________________________________

$ErrorActionPreference = "SilentlyContinue"
      Import-Module ActiveDirectory

            Function Get-PwdExpDays {
                   Process {
                        $obj = New-Object psobject
                        $obj | Add-Member NoteProperty UserName $_.GivenName
                              
                              $PasswordSetDate=$_.PasswordLastSet
                              $maxPasswordAgeTimeSpan = $null
                              $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                              $today=get-date
                              $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan
                              $daysleft=$ExpiryDate-$today
                              
                        $obj | Add-Member NoteProperty PwdExpDays ($daysleft.Days)
                        Write-Output $obj      
                  }
            }
                              
Get-ADUser -Filter * -properties PasswordLastSet,GivenName | Get-PwdExpDays | ConvertTo-Csv | Out-File C:\output.csv
0
 
tnimsAuthor Commented:
When I try to run the script, no data is given.  It outputs the csv file but no date in the file.  Also, I receive a Get-PwdExpDays as not a recognized cmdlet, function, script file, or operable program.

***scratching my head***
0
 
Pramod UbheCommented:
sorry for late reply, i am also scratching my head :-(

Let me share you the details where i created and tested this script. I have a windows 2008r2 member server on which AD module for powershell is installed. i have tested this script on a test ou and with specific user name instead of -filter * as my domain has thousands of users.

When you open powershell and execute Import-Module ActiveDirectory command, do you get any error message? If no, are you able to execute Get-aduser command? I don't have access to my computer but I will test this again and let you know tomorrow.
0
 
Pramod UbheCommented:
Here are two simple commands once you execute  Import-Module ActiveDirectory -

for all users -

Get-ADUser -filter * -properties passwordlastset | select-object Name, passwordlastset | Export-csv -path c:\output.csv


for single users -

Get-ADUser <username> -properties passwordlastset | select Name, passwordlastset
0
 
tnimsAuthor Commented:
Thank you for that reply.  Ok I got this to work- THANK YOU!   However, I had to make a little bit of a modification of your script:

Import-Module ActiveDirectory

Get-Aduser -Identity <username> -Properties passwordlastset | select name, passwordlastset


Boom! That gave me the info I needed -- Thank you for your help.

So, I have one last request to bump this up a few notches.   Is there a way to run this against a distribution group and output to a csv file?
0
 
Pramod UbheCommented:
here you go; just put the user names in input.txt one per line -


Import-Module ActiveDirectory

Get-content c:\input.txt | ForEach-Object {Get-Aduser -Identity $_ -Properties passwordlastset | select name, passwordlastset} | Export-csv -path c:\output.csv
0
 
Seth SimmonsSr. Systems AdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

The 14th Annual Expert Award Winners

The results are in! Meet the top members of our 2017 Expert Awards. Congratulations to all who qualified!

  • 5
  • 5
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now