Solved

Fine Grained Password - Script to find out password expiration for user accounts assigned FGPP

Posted on 2014-03-30
Last Modified: 2015-06-24
Anyone have a script I can run to find out when my Fine Grained Password Policy users' account passwords will expire? I found a few scripts via Google but had no luck actually pulling the expiration date data or getting the script to run via PowerShell.

Thank you!
Question by:tnims
 
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39965310
Do you want a script, or would a free program do also?

Author Comment

by:tnims
ID: 39965394
I'd rather have a script -- but may try a free program as well.

Could you reference both?

Thanks again
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39965402
Download ADManager Plus - http://www.manageengine.com/windows-active-directory-tools.html

you will be able to run multiple password reports

LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39966211
If you only need the username and days left until pwd expiry, you can use the below (it still needs some modifications to export the output in the desired form) -



Import-Module ActiveDirectory
Get-ADUser -filter * -properties PasswordLastSet,GivenName | foreach {

   $PasswordSetDate=$_.PasswordLastSet
   $maxPasswordAgeTimeSpan = $null
   # MaxPasswordAge of the Default Domain Policy only; a fine-grained
   # policy (PSO) applied to the user is not taken into account here
   $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
   $today=get-date
   $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan
   $daysleft=$ExpiryDate-$today
   # The values below are computed per user but not written out yet
   $PwdExpDays=$daysleft.days
   $UserName=$_.GivenName

   }




Also you can apply some filters like -

( ($PwdExpDays -eq '10') -or ($PwdExpDays -eq '5') -or ($PwdExpDays -eq '1') )

Author Comment

by:tnims
ID: 39966604
Hi Pramod_ubhe

I'm assuming I put this code into a ps1 file. If I just want to run this on 1 user account, how would I go about doing that?

I'm guessing the -filter * will include all accounts on the domain?

Also, if I want to export the data to a csv file, how would I go about doing that?


Thank you both for the following info - much appreciated!
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39966618
Not a problem! :) Did you manage to install the software and run it?

Author Comment

by:tnims
ID: 39967165
I was able to install the program, but could not find the Fine Grained password policy to determine when the account password would expire.
LVL 2

Expert Comment

by:Jorge Ocampo
ID: 39967238
AD Reports > Password Reports
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39968957
Here is the complete script (pls run it on the computer where the AD module for PowerShell is installed) and yes, for a single user, replace -Filter * with the user logon name -
How to run - just copy and paste into a PS window or save as .ps1 and execute like normal scripts
 __________________________________________________________________________________________________

# Hides all errors, including failed AD lookups
$ErrorActionPreference = "SilentlyContinue"
Import-Module ActiveDirectory

# Pipeline function: takes AD user objects, emits UserName and days until expiry
Function Get-PwdExpDays {
    Process {
        $obj = New-Object psobject
        $obj | Add-Member NoteProperty UserName $_.GivenName

        $PasswordSetDate=$_.PasswordLastSet
        $maxPasswordAgeTimeSpan = $null
        # Default Domain Policy value only; fine-grained policies (PSOs) are not considered
        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        $today=get-date
        $ExpiryDate=$passwordSetDate + $maxPasswordAgeTimeSpan
        $daysleft=$ExpiryDate-$today

        $obj | Add-Member NoteProperty PwdExpDays ($daysleft.Days)
        Write-Output $obj
    }
}

Get-ADUser -Filter * -properties PasswordLastSet,GivenName | Get-PwdExpDays | ConvertTo-Csv | Out-File C:\output.csv

Author Comment

by:tnims
ID: 39973474
When I try to run the script, no data is given.  It outputs the csv file but no date in the file.  Also, I receive a Get-PwdExpDays as not a recognized cmdlet, function, script file, or operable program.

***scratching my head***
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 39975696
Sorry for the late reply, I am also scratching my head :-(

Let me share with you the details of where I created and tested this script. I have a Windows 2008 R2 member server on which the AD module for PowerShell is installed. I have tested this script on a test OU and with a specific user name instead of -filter * as my domain has thousands of users.

When you open powershell and execute Import-Module ActiveDirectory command, do you get any error message? If no, are you able to execute Get-aduser command? I don't have access to my computer but I will test this again and let you know tomorrow.
LVL 10

Accepted Solution

by:
Pramod Ubhe earned 500 total points
ID: 39977837
Here are two simple commands once you execute  Import-Module ActiveDirectory -

for all users -

Get-ADUser -filter * -properties passwordlastset | select-object Name, passwordlastset | Export-csv -path c:\output.csv


for single users -

Get-ADUser <username> -properties passwordlastset | select Name, passwordlastset

Author Comment

by:tnims
ID: 39994278
Thank you for that reply.  Ok I got this to work- THANK YOU!   However, I had to make a little bit of a modification of your script:

Import-Module ActiveDirectory

Get-Aduser -Identity <username> -Properties passwordlastset | select name, passwordlastset


Boom! That gave me the info I needed -- Thank you for your help.

So, I have one last request to bump this up a few notches.   Is there a way to run this against a distribution group and output to a csv file?
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40001192
Here you go; just put the user names in input.txt, one per line -


Import-Module ActiveDirectory

Get-content c:\input.txt | ForEach-Object {Get-Aduser -Identity $_ -Properties passwordlastset | select name, passwordlastset} | Export-csv -path c:\output.csv
0
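Added example, not part of the thread or any poster's script: the commands above report PasswordLastSet or apply the Default Domain Policy age, so they do not show the expiry date for accounts under a Fine Grained Password Policy. The sketch below reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller calculates from the policy that actually applies to each user, for every user in a group. It assumes PowerShell 3.0 or later and read access to the password settings objects; the function names, the group name 'Example-DL' and the output path are placeholders.

```powershell
Import-Module ActiveDirectory

# Pure helper (hypothetical name): interprets the raw FILETIME value of
# msDS-UserPasswordExpiryTimeComputed, which already reflects any FGPP.
function ConvertTo-PasswordExpiry {
    param([Int64]$RawValue, [datetime]$Now = (Get-Date))
    $r = [ordered]@{ Expires = $null; DaysLeft = $null; Status = 'Active' }
    if ($RawValue -eq [Int64]::MaxValue) {      # 0x7FFFFFFFFFFFFFFF: never expires
        $r.Status = 'NeverExpires'
    } elseif ($RawValue -eq 0) {                # pwdLastSet is 0: change at next logon
        $r.Status = 'MustChangeAtNextLogon'
    } else {
        $r.Expires  = [datetime]::FromFileTime($RawValue)   # local time
        $r.DaysLeft = [math]::Floor(($r.Expires - $Now).TotalDays)
        if ($r.DaysLeft -lt 0) { $r.Status = 'Expired' }
    }
    [pscustomobject]$r
}

# Hypothetical wrapper: one output row per user in the group (nested groups included).
function Get-GroupPasswordExpiry {
    param([Parameter(Mandatory)][string]$GroupName)
    $props = 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties $props
            $e = ConvertTo-PasswordExpiry -RawValue $u.'msDS-UserPasswordExpiryTimeComputed'
            # Returns nothing when no PSO applies, i.e. the domain policy is in effect
            $pso = Get-ADUserResultantPasswordPolicy -Identity $u
            $policyName = 'Default Domain Policy'
            if ($pso) { $policyName = $pso.Name }
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                AppliedPolicy   = $policyName
                Expires         = $e.Expires
                DaysLeft        = $e.DaysLeft
                Status          = $e.Status
            }
        }
}

# 'Example-DL' and the CSV path are placeholders
Get-GroupPasswordExpiry -GroupName 'Example-DL' |
    Export-Csv -Path C:\output.csv -NoTypeInformation
```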
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40848203
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.