Solved

PowerShell Password settings report

Posted on 2014-09-07
Last Modified: 2014-09-08
Hi,

The security manager of the company I'm working at wants me to create a report that contains the following information about AD user attributes:
passwordneverexpires
passwordnotrequired
cannotchangepassword

I'm able to find users that have one of these attributes set, but it's getting difficult for me at the next point.
Some accounts do have two attributes set, like passwordneverexpires and cannotchangepassword.
The security manager only wants account names to occur one time in the report.
So, if an account has one of the three attributes set, it must occur one time in the report.
If an account has two, or three attributes set, it also must appear only once in the report.
I figured out all the possible combinations and am trying to get those in a script to have some reporting done.

I tried things like:
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$Users = $ou | foreach {get-aduser -searchbase $_ -Filter  {(Enabled -eq "True")}| select samaccountname | foreach {
$Username = $_.sAMAccountname
$ADuser = Get-ADUser -identity $Username -properties *
$Name = $AdUser.CN
$Logon = $AdUser.Samaccountname
$PWnotExp = $AdUser.PasswordNeverExpires
$PWnotReq =	$AdUser.PasswordNotRequired
$PWnotCha = $AdUser.CannotChangePassword

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $true) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "V"

 If (($PWnotExp -eq $true -and $PWnotCha -eq $true) -and $PWnotReq -eq $false) {
 $NotExp= "V"
 $NotCha= "V"
 $NotReq= "X"
 ""|Select @{N="Name";E={$Name}}`
						 ,@{N="Logon";E={$Username}}`
						 ,@{N="Password Expires";E={$NotExp}}`
						 ,@{N="Password Required";E={$NotReq}}`
						 ,@{N="Can change Password";E={$NotCha}}|`
 Sort-object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append
 
}	   
}			
}
}		

That doesn't work.
How can I make this work, or does someone have another solution to get the values for this report?
Question by:Loyall
2 Comments
Accepted Solution

by:
footech earned 500 total points
ID: 40309287
You should be able to shorten that quite a bit.  Without changing "true" and "false" to "V" and "X", you can have:
$OU=@("OU=test1,OU=test,DC=domain,DC=com","OU=test2,OU=test,DC=domein,DC=com")
$ou | foreach {get-aduser -searchbase $_ -Filter {Enabled -eq "True"} -properties CN,PasswordNeverExpires,PasswordNotRequired,CannotChangePassword } |
 Select @{N="Name";E={$_.CN}},
        @{N="Logon";E={$_.samAccountName}},
        @{N="Password Expires";E={$_.PasswordNeverExpires}},
        @{N="Password Required";E={$_.PasswordNotRequired}},
        @{N="Can change Password";E={$_.CannotChangePassword}} |
 Sort-Object "Name" -descending | Export-Csv $Csv_Status -Delimiter ";" -nti -append

If you need some sorting along OU lines, you can just adjust what the foreach scriptblock contains.  If you must have X and V, then you can add some If statements like:
If ( $_.PasswordNeverExpires )
    { $PWnotExp = "V" }
    Else
    { $PWnotExp = "X" }

The above (with a little modification) could actually be done within the calculated property; it's just a little harder to read.
0
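The report discussed in this thread (each account listed once, only when at least one of the three flags is set, with V/X markers), as an added example that is not code from either poster. The function name ConvertTo-PasswordFlagReport, the column headers and the sample accounts are assumptions made for this illustration; the headers name each flag directly so that a V always means "flag is set".

```powershell
# Added example (not from the thread). ConvertTo-PasswordFlagReport and the
# column headers are hypothetical names chosen for this illustration.
function ConvertTo-PasswordFlagReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    begin {
        $flags = 'PasswordNeverExpires', 'PasswordNotRequired', 'CannotChangePassword'
        $seen  = @{}   # PowerShell hashtable keys are case-insensitive
        $mark  = { param($set) if ($set) { 'V' } else { 'X' } }
    }
    process {
        # Keep only accounts with at least one of the three flags set.
        if (-not ($flags | Where-Object { $User.$_ })) { return }
        # Emit each logon name once, even when search bases overlap.
        if ($seen.ContainsKey($User.SamAccountName)) { return }
        $seen[$User.SamAccountName] = $true
        [pscustomobject]@{
            'Name'                   = $User.CN
            'Logon'                  = $User.SamAccountName
            'Password never expires' = & $mark $User.PasswordNeverExpires
            'Password not required'  = & $mark $User.PasswordNotRequired
            'Cannot change password' = & $mark $User.CannotChangePassword
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output:
# one account with two flags, the same account returned a second time,
# one account with no flags, and one account with a single flag.
$sample = @(
    [pscustomobject]@{ CN='Svc Backup';  SamAccountName='svc.backup';  PasswordNeverExpires=$true;  PasswordNotRequired=$false; CannotChangePassword=$true  }
    [pscustomobject]@{ CN='Svc Backup';  SamAccountName='SVC.BACKUP';  PasswordNeverExpires=$true;  PasswordNotRequired=$false; CannotChangePassword=$true  }
    [pscustomobject]@{ CN='John Doe';    SamAccountName='jdoe';        PasswordNeverExpires=$false; PasswordNotRequired=$false; CannotChangePassword=$false }
    [pscustomobject]@{ CN='Guest Kiosk'; SamAccountName='guest.kiosk'; PasswordNeverExpires=$false; PasswordNotRequired=$true;  CannotChangePassword=$false }
)
$sample | ConvertTo-PasswordFlagReport | Sort-Object Name |
    ConvertTo-Csv -Delimiter ';' -NoTypeInformation

# Against a directory (requires the ActiveDirectory module), with $OU and
# $Csv_Status defined as in the question:
# $OU | ForEach-Object { Get-ADUser -SearchBase $_ -Filter 'Enabled -eq $true' `
#         -Properties CN,PasswordNeverExpires,PasswordNotRequired,CannotChangePassword } |
#     ConvertTo-PasswordFlagReport | Sort-Object Name |
#     Export-Csv $Csv_Status -Delimiter ';' -NoTypeInformation
```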
Author Closing Comment

by:Loyall
ID: 40309866
Thanks (again), Footech!