Solved

Powershell Password settings report

Posted on 2014-09-07
2
363 Views
Last Modified: 2014-09-08
Hi,

The security manager of the company I'm working at wants me to create a report that contains the following information about AD user attributes:
passwordneverexpires
passwordnotrequired
cannotchangepassword

I'm able to find users that have one of these attributes set, but it's getting difficult for me at the next point.
Some accounts do have two attributes set, like passwordneverexpires and cannotchangepassword
The security manager only wants to have accountnames to occur only one time in the report.
So, if an account has one of the three attributes set, it must occur one time in the report.
If an account has two, or three attributes set, it also must appear only once in the report.
I figured out all the possible combinations and am trying to get those in a script to have some reporting done.

I tried things like:
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$Users = $ou | foreach {get-aduser -searchbase $_ -Filter  {(Enabled -eq "True")}| select samaccountname | foreach {
$Username = $_.sAMAccountname
$ADuser = Get-ADUser -identity $Username –properties *
$Name = $AdUser.CN
$Logon = $AdUser.Samaccountname
$PWnotExp = $AdUser.PasswordNeverExpires
$PWnotReq =	$AdUser.PasswordNotRequired
$PWnotCha = $AdUser.CannotChangePassword

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $true) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "V"

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $false) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "X"
 ""|Select @{N="Name";E={$Name}}`
						 ,@{N="Logon";E={$Username}}`
						 ,@{N="Password Expires";E={$NotExp}}`
						 ,@{N="Password Required";E={$NotReq}}`
						 ,@{N="Can change Password";E={$NotCha}}|`
 Sort-object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append
 
}	   
}			
}
}		

Open in new window


That doesn't work.
How can I make this work or does someone have another solution to get the values for this report ?
0
Comment
Question by:Loyall
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 40

Accepted Solution

by:
footech earned 500 total points
ID: 40309287
You should be able to shorten that quite a bit.  Without changing "true" and "false" to "V" and "X", you can have
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$ou | foreach {get-aduser -searchbase $_ -Filter {Enabled -eq "True"} –properties CN,PasswordNeverExpires,PasswordNotRequired,CannotChangePassword } |
 Select @{N="Name";E={$_.CN}},
        @{N="Logon";E={$_.samAccountName}},
        @{N="Password Expires";E={$_.PasswordNeverExpires}},
        @{N="Password Required";E={$_.PasswordNotRequired}},
        @{N="Can change Password";E={$_.CannotChangePassword}} |
 Sort-Object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append

Open in new window


If you need some sorting along OU lines, you can just adjust what the foreach scriptblock contains.  If you must have X and V, then you can add some If statements like:
If ( $_.PasswordNeverExpires )
    { $PWnotExp = "V" }
    Else
    { $PWnotExp = "X" }

Open in new window

The above (with a little modification) could actually be done within the calculated property, it's just a little harder to read.
0
 
LVL 2

Author Closing Comment

by:Loyall
ID: 40309866
Thanks (again) Footech !
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
Let's recap what we learned from yesterday's Skyport Systems webinar.
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question