tnims
asked on
Fine Grained Password - Script to find out password expiration for user accounts assigned FGPP
Anyone have a script I can run to find out when my Fine Grained Password Policies users account passwords will expire? I found a few scripts via google but no luck actually pulling the expiration date data or getting the script to run via powershell.
Thank you!
Thank you!
Jorge Ocampo
Do you want a script or a free program would do also?
ASKER
I'd rather have a script -- but may try a free program as well.
Could you reference both?
Thanks again
Could you reference both?
Thanks again
Download ADManager Plus - http://www.manageengine.com/windows-active-directory-tools.html
you will be able to run multiple password reports
you will be able to run multiple password reports
If you only need username and days left for pwd expiry, you can use below (still need some modifications to export the output in desired form) -
Import-Module ActiveDirectory
Get-ADUser -filter * -properties PasswordLastSet,GivenName | foreach {
$PasswordSetDate=$_.Passwo
$maxPasswordAgeTimeSpan = $null
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswo
$today=get-date
$ExpiryDate=$passwordSetDa
$daysleft=$ExpiryDate-$tod
$PwdExpDays=$daysleft.days
$UserName=$_.GivenName
}
Also you can apply some filters like -
( ($PwdExpDays -eq '10') -or ($PwdExpDays -eq '5') -or ($PwdExpDays -eq '1') )
Import-Module ActiveDirectory
Get-ADUser -filter * -properties PasswordLastSet,GivenName | foreach {
$PasswordSetDate=$_.Passwo
$maxPasswordAgeTimeSpan = $null
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswo
$today=get-date
$ExpiryDate=$passwordSetDa
$daysleft=$ExpiryDate-$tod
$PwdExpDays=$daysleft.days
$UserName=$_.GivenName
}
Also you can apply some filters like -
( ($PwdExpDays -eq '10') -or ($PwdExpDays -eq '5') -or ($PwdExpDays -eq '1') )
ASKER
Hi Pramod_ubhe
I'm assuming I put this code into ps1 file. If I just want to run this on 1 user account, how would I go about do that?
I'm guessing the the -filter * will include all accounts on the domain?
Also, if I want to export the data to a csv file, how would i go about doing that.
Thank you both for the following info - much appreciated!
I'm assuming I put this code into ps1 file. If I just want to run this on 1 user account, how would I go about do that?
I'm guessing the the -filter * will include all accounts on the domain?
Also, if I want to export the data to a csv file, how would i go about doing that.
Thank you both for the following info - much appreciated!
Not a problem! :) did you manage to install the software and run it?
ASKER
I was able to install the program, but could not find the Fine Grained password policy to determine when the account password would expire.
AD Reports > Password Reports
Here is the complete script (pls run it on the computer where AD module for powershell is installed) and yes for a single user, replace -Filter * with user logon name -
How to run - just copy paste in PS window or save as .ps1 and execute like normal scripts
__________________________
$ErrorActionPreference = "SilentlyContinue"
Import-Module ActiveDirectory
Function Get-PwdExpDays {
Process {
$obj = New-Object psobject
$obj | Add-Member NoteProperty UserName $_.GivenName
$PasswordSetDate=$_.Passwo
$maxPasswordAgeTimeSpan = $null
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswo
$today=get-date
$ExpiryDate=$passwordSetDa
$daysleft=$ExpiryDate-$tod
$obj | Add-Member NoteProperty PwdExpDays ($daysleft.Days)
Write-Output $obj
}
}
Get-ADUser -Filter * -properties PasswordLastSet,GivenName | Get-PwdExpDays | ConvertTo-Csv | Out-File C:\output.csv
How to run - just copy paste in PS window or save as .ps1 and execute like normal scripts
__________________________
$ErrorActionPreference = "SilentlyContinue"
Import-Module ActiveDirectory
Function Get-PwdExpDays {
Process {
$obj = New-Object psobject
$obj | Add-Member NoteProperty UserName $_.GivenName
$PasswordSetDate=$_.Passwo
$maxPasswordAgeTimeSpan = $null
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswo
$today=get-date
$ExpiryDate=$passwordSetDa
$daysleft=$ExpiryDate-$tod
$obj | Add-Member NoteProperty PwdExpDays ($daysleft.Days)
Write-Output $obj
}
}
Get-ADUser -Filter * -properties PasswordLastSet,GivenName | Get-PwdExpDays | ConvertTo-Csv | Out-File C:\output.csv
ASKER
When I try to run the script, no data is given. It outputs the csv file but no date in the file. Also, I receive a Get-PwdExpDays as not a recognized cmdlet, function, script file, or operable program.
***scratching my head***
***scratching my head***
sorry for late reply, i am also scratching my head :-(
Let me share you the details where i created and tested this script. I have a windows 2008r2 member server on which AD module for powershell is installed. i have tested this script on a test ou and with specific user name instead of -filter * as my domain has thousands of users.
When you open powershell and execute Import-Module ActiveDirectory command, do you get any error message? If no, are you able to execute Get-aduser command? I don't have access to my computer but I will test this again and let you know tomorrow.
Let me share you the details where i created and tested this script. I have a windows 2008r2 member server on which AD module for powershell is installed. i have tested this script on a test ou and with specific user name instead of -filter * as my domain has thousands of users.
When you open powershell and execute Import-Module ActiveDirectory command, do you get any error message? If no, are you able to execute Get-aduser command? I don't have access to my computer but I will test this again and let you know tomorrow.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you for that reply. Ok I got this to work- THANK YOU! However, I had to make a little bit of a modification of your script:
Import-Module ActiveDirectory
Get-Aduser -Identity <username> -Properties passwordlastset | select name, passwordlastset
Boom! That gave me the info I needed -- Thank you for your help.
So, I have one last request to bump this up a few notches. Is there a way to run this against a distribution group and output to a csv file?
Import-Module ActiveDirectory
Get-Aduser -Identity <username> -Properties passwordlastset | select name, passwordlastset
Boom! That gave me the info I needed -- Thank you for your help.
So, I have one last request to bump this up a few notches. Is there a way to run this against a distribution group and output to a csv file?
here you go; just put the user names in input.txt one per line -
Import-Module ActiveDirectory
Get-content c:\input.txt | ForEach-Object {Get-Aduser -Identity $_ -Properties passwordlastset | select name, passwordlastset} | Export-csv -path c:\output.csv
Import-Module ActiveDirectory
Get-content c:\input.txt | ForEach-Object {Get-Aduser -Identity $_ -Properties passwordlastset | select name, passwordlastset} | Export-csv -path c:\output.csv
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.