Solved

PowerShell Password settings report

Posted on 2014-09-07
Last Modified: 2014-09-08
Hi,

The security manager of the company I'm working at wants me to create a report that contains the following information about AD user attributes:
passwordneverexpires
passwordnotrequired
cannotchangepassword

I'm able to find users that have one of these attributes set, but it's getting difficult for me at the next point.
Some accounts do have two attributes set, like passwordneverexpires and cannotchangepassword.
The security manager wants each account name to occur only one time in the report.
So, if an account has one of the three attributes set, it must occur one time in the report.
If an account has two, or three attributes set, it also must appear only once in the report.
I figured out all the possible combinations and am trying to get those in a script to have some reporting done.

I tried things like:
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$Users = $ou | foreach {get-aduser -searchbase $_ -Filter  {(Enabled -eq "True")}| select samaccountname | foreach {
$Username = $_.sAMAccountname
$ADuser = Get-ADUser -identity $Username -properties *
$Name = $AdUser.CN
$Logon = $AdUser.Samaccountname
$PWnotExp = $AdUser.PasswordNeverExpires
$PWnotReq =	$AdUser.PasswordNotRequired
$PWnotCha = $AdUser.CannotChangePassword

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $true) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "V"

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $false) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "X"
 ""|Select @{N="Name";E={$Name}}`
						 ,@{N="Logon";E={$Username}}`
						 ,@{N="Password Expires";E={$NotExp}}`
						 ,@{N="Password Required";E={$NotReq}}`
						 ,@{N="Can change Password";E={$NotCha}}|`
 Sort-object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append
 
}	   
}			
}
}		


That doesn't work.
How can I make this work or does someone have another solution to get the values for this report?
Question by:Loyall
Accepted Solution

by:
footech earned 500 total points
ID: 40309287
You should be able to shorten that quite a bit.  Without changing "true" and "false" to "V" and "X", you can have:
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$ou | foreach {get-aduser -searchbase $_ -Filter {Enabled -eq "True"} -properties CN,PasswordNeverExpires,PasswordNotRequired,CannotChangePassword } |
 Select @{N="Name";E={$_.CN}},
        @{N="Logon";E={$_.samAccountName}},
        @{N="Password Expires";E={$_.PasswordNeverExpires}},
        @{N="Password Required";E={$_.PasswordNotRequired}},
        @{N="Can change Password";E={$_.CannotChangePassword}} |
 Sort-Object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append


If you need some sorting along OU lines, you can just adjust what the foreach scriptblock contains.  If you must have X and V, then you can add some If statements like:
If ( $_.PasswordNeverExpires )
    { $PWnotExp = "V" }
    Else
    { $PWnotExp = "X" }

The above (with a little modification) could actually be done within the calculated property, it's just a little harder to read.
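
An added example, not part of the original thread or footech's answer: one way to meet the requirement that each account appears exactly once when any of the three flags is set, with V/X markers. The function name ConvertTo-PasswordFlagRow is hypothetical and the sample accounts are constructed so the block runs without a domain controller.

```powershell
# Added example, not code from the thread. ConvertTo-PasswordFlagRow is a
# hypothetical helper name; the sample accounts below are constructed.
function ConvertTo-PasswordFlagRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $User
    )
    begin {
        # Hashtable keys are case-insensitive, so 'Alice' and 'alice' count as one account.
        $seen = @{}
        $mark = { param($value) if ($value) { 'V' } else { 'X' } }
    }
    process {
        # One test covers every combination: keep the account if ANY flag is set.
        $flagged = $User.PasswordNeverExpires -or
                   $User.PasswordNotRequired -or
                   $User.CannotChangePassword
        if (-not $flagged) { return }

        # Overlapping search bases can return the same account twice; emit it once.
        if ($seen.ContainsKey($User.SamAccountName)) { return }
        $seen[$User.SamAccountName] = $true

        [pscustomobject]@{
            Name                 = $User.CN
            Logon                = $User.SamAccountName
            PasswordNeverExpires = & $mark $User.PasswordNeverExpires
            PasswordNotRequired  = & $mark $User.PasswordNotRequired
            CannotChangePassword = & $mark $User.CannotChangePassword
        }
    }
}

# Constructed sample input using the property names requested in the answer above.
$sample = @(
    [pscustomobject]@{ CN = 'Alice Example'; SamAccountName = 'alice'; PasswordNeverExpires = $true;  PasswordNotRequired = $false; CannotChangePassword = $true  }
    [pscustomobject]@{ CN = 'Bob Example';   SamAccountName = 'bob';   PasswordNeverExpires = $false; PasswordNotRequired = $false; CannotChangePassword = $false }
    [pscustomobject]@{ CN = 'Carol Example'; SamAccountName = 'carol'; PasswordNeverExpires = $false; PasswordNotRequired = $true;  CannotChangePassword = $false }
    [pscustomobject]@{ CN = 'Alice Example'; SamAccountName = 'Alice'; PasswordNeverExpires = $true;  PasswordNotRequired = $false; CannotChangePassword = $true  }
)

# Live use: replace $sample with the Get-ADUser pipeline from the answer above,
# then pipe the rows to Export-Csv instead of Format-Table.
$sample | ConvertTo-PasswordFlagRow | Sort-Object Name | Format-Table -AutoSize
```

The column names here match the attribute names, so a V always means the flag is set on the account.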
Author Closing Comment

by:Loyall
ID: 40309866
Thanks (again) Footech!