Solved

Fine Grained Password - Script to find out password expiration for user accounts assigned FGPP

Posted on 2014-03-30
Last Modified: 2015-06-24
Anyone have a script I can run to find out when my Fine Grained Password Policy users' account passwords will expire? I found a few scripts via Google but had no luck actually pulling the expiration date data or getting the script to run via PowerShell.

Thank you!
Question by:tnims
16 Comments
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39965310
Do you want a script, or would a free program do as well?
0
 

Author Comment

by:tnims
ID: 39965394
I'd rather have a script -- but may try a free program as well.

Could you reference both?

Thanks again
0
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39965402
Download ADManager Plus - http://www.manageengine.com/windows-active-directory-tools.html

You will be able to run multiple password reports.

0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39966211
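If you only need username and days left for pwd expiry, you can use below (still need some modifications to export the output in desired form) -



Import-Module ActiveDirectory

# Read the default domain policy once; this is the domain-wide MaxPasswordAge,
# not the value from a fine-grained policy applied to an individual user
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

Get-ADUser -Filter * -Properties PasswordLastSet,GivenName | ForEach-Object {
   # Skip accounts whose password has never been set (PasswordLastSet is empty)
   if ($_.PasswordLastSet) {
      $ExpiryDate = $_.PasswordLastSet + $maxPasswordAgeTimeSpan
      $daysleft   = $ExpiryDate - $today
      $PwdExpDays = $daysleft.Days
      $UserName   = $_.GivenName

      # Emit one row per user
      New-Object psobject -Property @{ UserName = $UserName; PwdExpDays = $PwdExpDays }
   }
}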




Also you can apply some filters like -

( ($PwdExpDays -eq '10') -or ($PwdExpDays -eq '5') -or ($PwdExpDays -eq '1') )
0
 

Author Comment

by:tnims
ID: 39966604
Hi Pramod_ubhe

I'm assuming I put this code into a ps1 file. If I just want to run this on 1 user account, how would I go about doing that?

I'm guessing the -filter * will include all accounts on the domain?

Also, if I want to export the data to a csv file, how would I go about doing that?


Thank you both for the following info - much appreciated!
0
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39966618
Not a problem! :) did you manage to install the software and run it?
0
 

Author Comment

by:tnims
ID: 39967165
I was able to install the program, but could not find the Fine Grained password policy to determine when the account password would expire.
0

 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39967238
AD Reports > Password Reports
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39968957
Here is the complete script (please run it on a computer where the AD module for PowerShell is installed), and yes, for a single user, replace -Filter * with the user logon name -
How to run - just copy and paste into a PS window, or save as .ps1 and execute like a normal script
 __________________________________________________________________________________________________

Import-Module ActiveDirectory

# Read the default domain policy once rather than once per user
$maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$today = Get-Date

Function Get-PwdExpDays {
    Process {
        # Skip accounts whose password has never been set (PasswordLastSet is empty)
        if ($_.PasswordLastSet) {
            $ExpiryDate = $_.PasswordLastSet + $maxPasswordAgeTimeSpan
            $daysleft   = $ExpiryDate - $today

            $obj = New-Object psobject
            $obj | Add-Member NoteProperty UserName $_.GivenName
            $obj | Add-Member NoteProperty PwdExpDays ($daysleft.Days)
            Write-Output $obj
        }
    }
}

# Export-Csv writes the rows directly; -NoTypeInformation drops the "#TYPE" header line
Get-ADUser -Filter * -Properties PasswordLastSet,GivenName | Get-PwdExpDays | Export-Csv -Path C:\output.csv -NoTypeInformation
0
 

Author Comment

by:tnims
ID: 39973474
When I try to run the script, no data is given. It outputs the CSV file, but there is no date in the file. Also, I receive an error that Get-PwdExpDays is not recognized as a cmdlet, function, script file, or operable program.

***scratching my head***
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39975696
Sorry for the late reply, I am also scratching my head :-(

Let me share the details of where I created and tested this script. I have a Windows 2008 R2 member server on which the AD module for PowerShell is installed. I have tested this script on a test OU and with a specific user name instead of -filter *, as my domain has thousands of users.

When you open PowerShell and execute the Import-Module ActiveDirectory command, do you get any error message? If not, are you able to execute the Get-ADUser command? I don't have access to my computer, but I will test this again and let you know tomorrow.
0
 
LVL 10

Accepted Solution

by:
Pramod Ubhe earned 500 total points
ID: 39977837
Here are two simple commands once you execute  Import-Module ActiveDirectory -

for all users -

Get-ADUser -filter * -properties passwordlastset | select-object Name, passwordlastset | Export-csv -path c:\output.csv


for single users -

Get-ADUser <username> -properties passwordlastset | select Name, passwordlastset
0
 

Author Comment

by:tnims
ID: 39994278
Thank you for that reply.  Ok I got this to work- THANK YOU!   However, I had to make a little bit of a modification of your script:

Import-Module ActiveDirectory

Get-Aduser -Identity <username> -Properties passwordlastset | select name, passwordlastset


Boom! That gave me the info I needed -- Thank you for your help.

So, I have one last request to bump this up a few notches.   Is there a way to run this against a distribution group and output to a csv file?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40001192
here you go; just put the user names in input.txt one per line -


Import-Module ActiveDirectory

Get-content c:\input.txt | ForEach-Object {Get-Aduser -Identity $_ -Properties passwordlastset | select name, passwordlastset} | Export-csv -path c:\output.csv
0
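
Added example, not part of any post in this thread: the commands above report PasswordLastSet or add the default domain MaxPasswordAge, so they do not reflect a fine-grained policy (PSO) applied to the user. The sketch below reads msDS-UserPasswordExpiryTimeComputed, which the domain controller computes from the policy that actually applies, for every user in a group, and writes a CSV. The group name and output path are hypothetical placeholders; it assumes PowerShell 3.0 or later and an account that can read the PSOs.

```powershell
Import-Module ActiveDirectory

# Hypothetical group name and output path; replace with your own.
$GroupName = 'Example-Distribution-Group'
$OutFile   = 'C:\output.csv'

# msDS-UserPasswordExpiryTimeComputed is a FILETIME value. Two sentinel values
# cannot be converted to a date and must be handled before FromFileTime().
function Convert-ExpiryFileTime {
    param([Int64]$FileTime)
    if ($FileTime -eq 0)                 { return $null }   # password must be changed at next logon
    if ($FileTime -eq [Int64]::MaxValue) { return $null }   # password never expires
    return [datetime]::FromFileTime($FileTime)
}

$props = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet', 'PasswordNeverExpires'

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $user   = Get-ADUser -Identity $_.distinguishedName -Properties $props
        $expiry = Convert-ExpiryFileTime $user.'msDS-UserPasswordExpiryTimeComputed'

        # Returns nothing when no fine-grained policy applies to this user
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user

        [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            PasswordLastSet      = $user.PasswordLastSet
            PasswordNeverExpires = $user.PasswordNeverExpires
            AppliedPolicy        = if ($pso) { $pso.Name } else { 'Default domain policy' }
            ExpiryDate           = $expiry
            DaysLeft             = if ($expiry) { ($expiry - (Get-Date)).Days } else { $null }
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation
```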
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40848203
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0


Question has a verified solution.
