Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 367
  • Last Modified:

Powershell Password settings report

Hi,

The security manager of the company I'm working at wants me to create a report that contains the following information about AD user attributes:
passwordneverexpires
passwordnotrequired
cannotchangepassword

I'm able to find users that have one of these attributes set, but it's getting difficult for me at the next point.
Some accounts do have two attributes set, like passwordneverexpires and cannotchangepassword
The security manager only wants to have accountnames to occur only one time in the report.
So, if an account has one of the three attributes set, it must occur one time in the report.
If an account has two, or three attributes set, it also must appear only once in the report.
I figured out all the possible combinations and am trying to get those in a script to have some reporting done.

I tried things like:
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$Users = $ou | foreach {get-aduser -searchbase $_ -Filter  {(Enabled -eq "True")}| select samaccountname | foreach {
$Username = $_.sAMAccountname
$ADuser = Get-ADUser -identity $Username –properties *
$Name = $AdUser.CN
$Logon = $AdUser.Samaccountname
$PWnotExp = $AdUser.PasswordNeverExpires
$PWnotReq =	$AdUser.PasswordNotRequired
$PWnotCha = $AdUser.CannotChangePassword

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $true) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "V"

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $false) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "X"
 ""|Select @{N="Name";E={$Name}}`
						 ,@{N="Logon";E={$Username}}`
						 ,@{N="Password Expires";E={$NotExp}}`
						 ,@{N="Password Required";E={$NotReq}}`
						 ,@{N="Can change Password";E={$NotCha}}|`
 Sort-object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append
 
}	   
}			
}
}		

Open in new window


That doesn't work.
How can I make this work or does someone have another solution to get the values for this report ?
0
Loyall
Asked:
Loyall
1 Solution
 
footechCommented:
You should be able to shorten that quite a bit.  Without changing "true" and "false" to "V" and "X", you can have
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$ou | foreach {get-aduser -searchbase $_ -Filter {Enabled -eq "True"} –properties CN,PasswordNeverExpires,PasswordNotRequired,CannotChangePassword } |
 Select @{N="Name";E={$_.CN}},
        @{N="Logon";E={$_.samAccountName}},
        @{N="Password Expires";E={$_.PasswordNeverExpires}},
        @{N="Password Required";E={$_.PasswordNotRequired}},
        @{N="Can change Password";E={$_.CannotChangePassword}} |
 Sort-Object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append

Open in new window


If you need some sorting along OU lines, you can just adjust what the foreach scriptblock contains.  If you must have X and V, then you can add some If statements like:
If ( $_.PasswordNeverExpires )
    { $PWnotExp = "V" }
    Else
    { $PWnotExp = "X" }

Open in new window

The above (with a little modification) could actually be done within the calculated property, it's just a little harder to read.
0
 
LoyallAuthor Commented:
Thanks (again) Footech !
0

Featured Post

Get free NFR key for Veeam Availability Suite 9.5

Veeam is happy to provide a free NFR license (1 year, 2 sockets) to all certified IT Pros. The license allows for the non-production use of Veeam Availability Suite v9.5 in your home lab, without any feature limitations. It works for both VMware and Hyper-V environments

Tackle projects and never again get stuck behind a technical roadblock.
Join Now