From b46cf1cbc71c5c01e665db0edfaecccc6ff6d3e7 Mon Sep 17 00:00:00 2001
From: Jaap Brasser
Date: Wed, 2 Nov 2016 10:57:43 +0100
Subject: [PATCH] Added -SearchBase switch to limit search
---
 .../Get-UnchangedPwdlastset.ps1 | 46 +++++++++++++++----
 1 file changed, 36 insertions(+), 10 deletions(-)
diff --git a/Get-UnchangedPwdlastset/Get-UnchangedPwdlastset.ps1 b/Get-UnchangedPwdlastset/Get-UnchangedPwdlastset.ps1
index 384acf2..3dfe2c5 100644
--- a/Get-UnchangedPwdlastset/Get-UnchangedPwdlastset.ps1
+++ b/Get-UnchangedPwdlastset/Get-UnchangedPwdlastset.ps1
@@ -6,29 +6,55 @@ Active Directory Script that queries for user accounts that have unchanged passw This script will return the samaccountname, pwdlastset and if an account is currently enabled or disabled. This script is part of the Active Directory Friday section of my blog. .NOTES -Name: Get-UnchangedPwdLastSet.ps1 -Author: Jaap Brasser +Name: Get-UnchangedPwdLastSet.ps1 +Author: Jaap Brasser DateCreated: 2013-07-26 DateUpdated: 2015-09-21 -Site: http://www.jaapbrasser.com +Site: http://www.jaapbrasser.com .LINK http://www.jaapbrasser.com/active-directory-friday-find-user-accounts-that-have-not-changed-password-in-90-days/ .PARAMETER PwdAge -The number of days since the password has been changed. This value defaults to 90. +The number of days since the password has been changed. This value defaults to 90 + +.PARAMETER SearchBase +The LDAP path of the OU that you would like to limit the search to + +.EXAMPLE +.\Get-UnchangedPwdLastSet.ps1 + +Description +----------- +Returns the users that have unchanged passwords for longer than 90 days + +.EXAMPLE +.\Get-UnchangedPwdLastSet.ps1 -PwdAge 180 -SearchBase 'LDAP://OU=Business,DC=jaapbrasser,DC=com' + +Description +----------- +Returns the users with unchanged passwords for longer than 180 in the Business OU. 
This is a recursive search #> param ( - $PwdAge = 90 + [int] $PwdAge = 90, + [ValidatePattern('(?# OU Path should start with "LDAP://")^LDAP://.*')] + [string] $SearchBase ) $PwdDate = (Get-Date).AddDays(-$PwdAge).ToFileTime() -(New-Object DirectoryServices.DirectorySearcher -Property @{ - Filter = "(&(objectclass=user)(objectcategory=person)(pwdlastset<=$PwdDate))" + +$SearcherProps = @{ + Filter = "(&(objectclass=user)(objectcategory=person)(pwdlastset<=$PwdDate))" PageSize = 500 -}).FindAll() | ForEach-Object { +} + +if ($SearchBase) { + $SearcherProps.SearchRoot = $SearchBase +} + +(New-Object DirectoryServices.DirectorySearcher -Property $SearcherProps).FindAll() | ForEach-Object { New-Object -TypeName PSCustomObject -Property @{ samaccountname = $_.Properties.samaccountname -join '' - pwdlastset = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join '')) - enabled = -not [boolean]([int64]($_.properties.useraccountcontrol -join '') -band 2) + pwdlastset = [datetime]::FromFileTime([long](-join $_.Properties.pwdlastset)) + enabled = -not [bool]([long](-join $_.properties.useraccountcontrol) -band 2) } } \ No newline at end of file
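Review bot: The `ValidatePattern` on `$SearchBase` is only a prefix check, and PowerShell applies it case-insensitively by default, whereas the ADSI provider name in the path is case-sensitive. A value such as `ldap://OU=Business,...` therefore passes validation and only fails later, inside `FindAll()`, with a generic bind error; starting the pattern with `(?-i)` makes the check agree with what the provider accepts. The pattern also admits server-qualified paths (`LDAP://<host>/OU=...`), in which case the searcher binds to whichever host the argument names, presumably in the caller's security context; if only serverless paths like the one in the second example are intended, require the distinguished name to follow `LDAP://` directly and state that in the `.PARAMETER SearchBase` help. Separately, `[int] $PwdAge` accepts zero and negative values, which move the cut-off to now or into the future so that nearly every account matches the filter; `[ValidateRange(1, [int]::MaxValue)]` on that parameter would reject them.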