Solved

Fine Grained Password - Script to find out password expiration for user accounts assigned FGPP

Posted on 2014-03-30
Last Modified: 2015-06-24
Does anyone have a script I can run to find out when my Fine Grained Password Policy users' account passwords will expire? I found a few scripts via Google but had no luck actually pulling the expiration date data or getting the script to run via PowerShell.

Thank you!
Question by:tnims
16 Comments
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39965310
Do you want a script, or would a free program do also?
0
 

Author Comment

by:tnims
ID: 39965394
I'd rather have a script -- but may try a free program as well.

Could you reference both?

Thanks again
0
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39965402
Download ADManager Plus - http://www.manageengine.com/windows-active-directory-tools.html

You will be able to run multiple password reports.

sample
0
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39966211
If you only need the username and days left until password expiry, you can use the below (it still needs some modifications to export the output in the desired form) -



Import-Module ActiveDirectory
Get-ADUser -filter * -properties PasswordLastSet,GivenName | foreach {

   $PasswordSetDate=$_.PasswordLastSet
   $maxPasswordAgeTimeSpan = $null
   $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
   $today=get-date
   $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan
   $daysleft=$ExpiryDate-$today
   $PwdExpDays=$daysleft.days
   $UserName=$_.GivenName
   
   }




Also you can apply some filters like -

( ($PwdExpDays -eq '10') -or ($PwdExpDays -eq '5') -or ($PwdExpDays -eq '1') )
0
 

Author Comment

by:tnims
ID: 39966604
Hi Pramod_ubhe

I'm assuming I put this code into a ps1 file. If I just want to run this on 1 user account, how would I go about doing that?

I'm guessing the -filter * will include all accounts on the domain?

Also, if I want to export the data to a csv file, how would I go about doing that?


Thank you both for the following info - much appreciated!
0
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39966618
Not a problem! :) did you manage to install the software and run it?
0
 

Author Comment

by:tnims
ID: 39967165
I was able to install the program, but could not find the Fine Grained password policy to determine when the account password would expire.
0
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39967238
AD Reports > Password Reports
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39968957
Here is the complete script (please run it on the computer where the AD module for PowerShell is installed) and yes, for a single user, replace -Filter * with the user logon name -
How to run - just copy and paste into a PS window, or save as .ps1 and execute like normal scripts
 __________________________________________________________________________________________________

$ErrorActionPreference = "SilentlyContinue"
Import-Module ActiveDirectory

Function Get-PwdExpDays {
    Process {
        $obj = New-Object psobject
        $obj | Add-Member NoteProperty UserName $_.GivenName

        $PasswordSetDate = $_.PasswordLastSet
        $maxPasswordAgeTimeSpan = $null
        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        $today = Get-Date
        $ExpiryDate = $PasswordSetDate + $maxPasswordAgeTimeSpan
        $daysleft = $ExpiryDate - $today

        $obj | Add-Member NoteProperty PwdExpDays ($daysleft.Days)
        Write-Output $obj
    }
}

Get-ADUser -Filter * -Properties PasswordLastSet,GivenName | Get-PwdExpDays | ConvertTo-Csv | Out-File C:\output.csv
0
 

Author Comment

by:tnims
ID: 39973474
When I try to run the script, no data is given.  It outputs the csv file but no date in the file.  Also, I receive a Get-PwdExpDays as not a recognized cmdlet, function, script file, or operable program.

***scratching my head***
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39975696
Sorry for the late reply, I am also scratching my head :-(

Let me share the details of where I created and tested this script. I have a Windows 2008 R2 member server on which the AD module for PowerShell is installed. I have tested this script on a test OU and with a specific user name instead of -filter *, as my domain has thousands of users.

When you open PowerShell and execute the Import-Module ActiveDirectory command, do you get any error message? If not, are you able to execute the Get-ADUser command? I don't have access to my computer but I will test this again and let you know tomorrow.
0
 
LVL 10

Accepted Solution

by:
Pramod Ubhe earned 2000 total points
ID: 39977837
Here are two simple commands to run once you have executed Import-Module ActiveDirectory -

for all users -

Get-ADUser -filter * -properties passwordlastset | select-object Name, passwordlastset | Export-csv -path c:\output.csv


for single users -

Get-ADUser <username> -properties passwordlastset | select Name, passwordlastset
0
 

Author Comment

by:tnims
ID: 39994278
Thank you for that reply. OK, I got this to work - THANK YOU! However, I had to make a little bit of a modification to your script:

Import-Module ActiveDirectory

Get-Aduser -Identity <username> -Properties passwordlastset | select name, passwordlastset


Boom! That gave me the info I needed -- Thank you for your help.

So, I have one last request to bump this up a few notches. Is there a way to run this against a distribution group and output to a csv file?
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40001192
Here you go; just put the user names in input.txt, one per line -


Import-Module ActiveDirectory

Get-content c:\input.txt | ForEach-Object {Get-Aduser -Identity $_ -Properties passwordlastset | select name, passwordlastset} | Export-csv -path c:\output.csv
0
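Added example, not part of the thread and not any poster's code: the commands above return PasswordLastSet, and the earlier script adds the default domain policy's MaxPasswordAge, which does not reflect a fine-grained policy. This sketch instead reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which Active Directory computes from whichever policy applies to the user, for every member of a group. It assumes PowerShell 3.0 or later and the ActiveDirectory module; the function names, the group name 'FGPP-Users' and the output path are illustrative.

```powershell
function ConvertTo-PasswordExpiry {
    # Interprets the raw FILETIME held in msDS-UserPasswordExpiryTimeComputed.
    param(
        [Parameter(Mandatory=$true)][string]$Name,
        [Int64]$ExpiryFileTime,
        [string]$Policy = '(default domain policy)',
        [datetime]$Now = (Get-Date)
    )
    $status = 'Expires'; $expires = $null; $days = $null
    if ($ExpiryFileTime -eq [Int64]::MaxValue) {
        # Password never expires; FromFileTime would throw on this value.
        $status = 'NeverExpires'
    } elseif ($ExpiryFileTime -le 0) {
        # No password set yet, or the user must change it at next logon.
        $status = 'MustChangeOrNotSet'
    } else {
        $expires = [datetime]::FromFileTime($ExpiryFileTime)
        $days = [math]::Floor(($expires - $Now).TotalDays)
    }
    [pscustomobject]@{
        Name = $Name; Policy = $Policy; Status = $status
        Expires = $expires; DaysLeft = $days
    }
}

function Get-GroupPasswordExpiry {
    param([Parameter(Mandatory=$true)][string]$Group)
    Import-Module ActiveDirectory
    # -Recursive expands nested groups; keep only user objects.
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties 'msDS-UserPasswordExpiryTimeComputed'
            # Returns nothing when no fine-grained policy applies to the user.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $u
            $policy = if ($pso) { $pso.Name } else { '(default domain policy)' }
            ConvertTo-PasswordExpiry -Name $u.SamAccountName -Policy $policy -ExpiryFileTime ([Int64]$u.'msDS-UserPasswordExpiryTimeComputed')
        }
}

# Constructed value, no directory needed: reports Status = NeverExpires.
ConvertTo-PasswordExpiry -Name 'sample.user' -ExpiryFileTime ([Int64]::MaxValue)

# Against a real group (placeholder name and path):
# Get-GroupPasswordExpiry -Group 'FGPP-Users' | Export-Csv -Path C:\output.csv -NoTypeInformation
```

The Policy column shows which password settings object, if any, determined each user's expiry date.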
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40848203
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Question has a verified solution.
