PowerShell to get local users password age

Question

Thursday, October 1, 2015 8:32 AM

Hi all,

I have managed to find a script to pull out various info about local users including password ages.

My plan is to email local accounts to tell them their password is about to expire.

I'm not the best when it comes to PowerShell so bear with me :)

I need somebody to guide me in the right direction.
What I want is to list all LOCAL users that have a password age over 85 days and to then go on to email them.
Please help!

See below for the script I currently have:

Param
(
    [Parameter(Position=0,Mandatory=$false)]
    [ValidateNotNullorEmpty()]
    [Alias('cn')][String[]]$ComputerName=$Env:COMPUTERNAME,
    [Parameter(Position=1,Mandatory=$false)]
    [Alias('un')][String[]]$AccountName,
    [Parameter(Position=2,Mandatory=$false)]
    [Alias('cred')][System.Management.Automation.PsCredential]$Credential
)

$now = Get-Date
Foreach($Computer in $ComputerName)
{
    # Query the local (non-domain) accounts on the target computer
    If($Credential)
    {
        $AllLocalAccounts = Get-WmiObject -Class Win32_UserAccount -Namespace "root\cimv2" `
        -Filter "LocalAccount='$True'" -ComputerName $Computer -Credential $Credential -ErrorAction Stop
    }
    else
    {
        $AllLocalAccounts = Get-WmiObject -Class Win32_UserAccount -Namespace "root\cimv2" `
        -Filter "LocalAccount='$True'" -ComputerName $Computer -ErrorAction Stop
    }

    # Build one object per account. The original wrapped this pipeline in a second
    # Foreach over the same accounts, which rebuilt the whole list once per account.
    $Obj = $AllLocalAccounts | ForEach-Object {
        # The WinNT provider reports PasswordAge and MaxPasswordAge in seconds
        $user = ([adsi]"WinNT://$computer/$($_.Name),user")
        $pwAge    = $user.PasswordAge.Value
        $maxPwAge = $user.MaxPasswordAge.Value
        $pwLastSet = $now.AddSeconds(-$pwAge)

        New-Object -TypeName PSObject -Property @{
            'Name'                 = $_.Name
            'Full Name'            = $_.FullName
            'LockOut'              = $_.LockOut
            'Password Expires'     = $_.PasswordExpires
            'Password Required'    = $_.PasswordRequired
            'Account Type'         = $_.AccountType
            'Domain'               = $_.Domain
            'Password Last Set'    = $pwLastSet
            'Password Age'         = ($now - $pwLastSet).Days
            'Password Expiry Date' = $now.AddSeconds($maxPwAge - $pwAge)
            'Description'          = $_.Description
        }
    }

    # Return only the requested accounts, or every local account if none were named
    If($AccountName)
    {
        Foreach($Account in $AccountName)
        {
            $Obj|Where-Object{$_.Name -like "$Account"}
        }
    }
    else
    {
        $Obj
    }
}

All replies (8)

Friday, October 2, 2015 7:55 PM ✅Answered

Hello Leigham,

An interesting thread and script for sure. But I think it is overcomplicating what you are trying to do.

If you are trying to get the date the user last changed their password.

Get-ADUser <user> -property pwdlastset

The property pwdlastset can be converted and calculated very easily to find if it is older than x days... 

Then some calculation. Much of what you want is in the script already... but, it is not using the AD cmdlets which will make life much, much easier... here is a good example... http://ps1scripting.blogspot.com/2012/07/active-directory-user-password.html

He makes it simple... get passwordlastset and calculate when it will expire (that data is already in AD by the way - it is a constructed attribute called... msDS-userPasswordExpiryTimeComputed). 

Either way, you get users, with the attributes you need, loop through just like in the script above... (foreach $user in $users){blah} and calculate... if expiry time is < 85 days from today then send email... 

Kevin Sullivan - Program Manager
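
The calculation described in this answer, as an added example that is not part of the original reply: it converts `msDS-UserPasswordExpiryTimeComputed` to a date and handles the two values that are not real dates. The function names, the `-WithinDays` default and the sample rows are assumptions made for illustration.

```powershell
# Added example; sample rows are constructed, not real directory data.
function ConvertFrom-PasswordExpiryTime {
    param([Parameter(Mandatory)][long]$FileTime)
    # 0 means pwdLastSet is 0 (must change at next logon); Int64.MaxValue means
    # the password never expires. Neither is a usable date, and
    # [datetime]::FromFileTime() throws on Int64.MaxValue.
    if ($FileTime -le 0 -or $FileTime -eq [long]::MaxValue) { return $null }
    [datetime]::FromFileTime($FileTime)
}

function Select-ExpiringPassword {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$User,
        [int]$WithinDays = 5   # assumption: notification window in days
    )
    begin { $now = Get-Date }
    process {
        $expiry = ConvertFrom-PasswordExpiryTime $User.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -eq $expiry) { return }   # nothing to notify about
        $daysLeft = [math]::Floor(($expiry - $now).TotalDays)
        if ($daysLeft -le $WithinDays) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Expires        = $expiry
                DaysLeft       = $daysLeft   # negative = already expired
            }
        }
    }
}

# Constructed rows shaped like Get-ADUser output
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';     'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(40).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'svc-app'; 'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
)
$sample | Select-ExpiringPassword -WithinDays 5   # only 'alice' is returned

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     Select-ExpiringPassword -WithinDays 5
```
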


Thursday, October 1, 2015 8:48 AM

What is the question?

We do not modify scripts found on the Internet.  We can answer specific questions about a script you have written.  If you do not know how to write a script then use the learning resources to learn or you can contact a consultant to help you.

You can also post requests for custom scripts at the bottom of the page here: https://gallery.technet.microsoft.com/scriptcenter/site/requests

\(ツ)_/


Thursday, October 1, 2015 9:02 AM

I can't seem to work out what cmd I need to input to show the users with password ages of 85 days or more. Then I'd like to email them.


Thursday, October 1, 2015 9:03 AM

Use Send-MailMessage.

What error are you getting?

\(ツ)_/


Thursday, October 1, 2015 9:12 AM

I want to know which local user accounts have a password age of 85 days or more.

The email part I can do myself.

I just need to say "if (localuser) password age = -ge 85

write-host (username)

then I want to send a mail to that user


Thursday, October 1, 2015 9:29 AM

The script already calculates the password age. If you are having issues with it then post to the author with your issues. We cannot fix scripts found on the Internet for you.

The script posted returns "Password Age" as a property so I am not sure what your question is referring to.

\(ツ)_/
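
Filtering on the "Password Age" property mentioned above, as an added example that is not part of the original thread: it keeps accounts at or over the threshold and marks which of them should actually receive an expiry notice. The function name, the saved-script file name and the sample rows are assumptions; the quoted property names are the ones the script in the question emits.

```powershell
# Added example; operates on objects shaped like the posted script's output.
function Select-AgedLocalAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][psobject]$Account,
        [int]$MinAgeDays = 85
    )
    process {
        if ($Account.'Password Age' -lt $MinAgeDays) { return }
        [pscustomobject]@{
            Name        = $Account.Name
            Computer    = $Account.Domain      # for local accounts this is the machine name
            PasswordAge = $Account.'Password Age'
            LastSet     = $Account.'Password Last Set'
            # 'Password Expires' = $false means the password never expires:
            # keep the row for review, but an expiry reminder would be wrong.
            Notify      = [bool]$Account.'Password Expires'
        }
    }
}

# Constructed sample rows (not real accounts)
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'leigh';      Domain = 'PC01'; 'Password Expires' = $true
                       'Password Age' = 88;  'Password Last Set' = $now.AddDays(-88) }
    [pscustomobject]@{ Name = 'svc-backup'; Domain = 'PC01'; 'Password Expires' = $false
                       'Password Age' = 412; 'Password Last Set' = $now.AddDays(-412) }
    [pscustomobject]@{ Name = 'newhire';    Domain = 'PC01'; 'Password Expires' = $true
                       'Password Age' = 12;  'Password Last Set' = $now.AddDays(-12) }
)

$aged = $sample | Select-AgedLocalAccount -MinAgeDays 85
$aged | Sort-Object PasswordAge -Descending | Format-Table -AutoSize

# Accounts to remind (here: 'leigh'); 'svc-backup' stays in $aged as a review item
$aged | Where-Object Notify | ForEach-Object { Write-Host $_.Name }

# With the script from the question saved under a hypothetical name:
# .\Get-LocalAccountInfo.ps1 -ComputerName PC01 | Select-AgedLocalAccount -MinAgeDays 85
```
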


Thursday, October 1, 2015 9:38 AM

https://gallery.technet.microsoft.com/scriptcenter/Script-to-retrieve-all-b70a1dba/view/Discussions


Thursday, October 1, 2015 9:43 AM

Yes - post your issues to that page.  The author will help you with the script.

\(ツ)_/