| Author | Messages | |
seag33k
Posts:88
 | | 08/18/2010 6:34 PM |
| I am looking for a PS script or two that I can run across my domain to see
who's passwords are getting ready to expire. Then I'd like to build on that
so it can email the person with a reminder who is 10 or so days out. For
some reason users just don't see the reminder when they log in 
Thanks,
Eric
| | | |
| bsonposh
Posts:408
| | 08/18/2010 7:01 PM |
| http://poshcode.org/2088
On Wed, Aug 18, 2010 at 1:33 PM, Eric <seag33k@gmail.com> wrote:
> I am looking for a PS script or two that I can run across my domain to see
> who's passwords are getting ready to expire. Then I'd like to build on that
> so it can email the person with a reminder who is 10 or so days out. For
> some reason users just don't see the reminder when they log in
>
> Thanks,
> Eric
>
| | | |
| pbbergs
Posts:281
| | 08/18/2010 7:03 PM |
| Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has one on his blog. I don't know if it is in Powershell or not. I keep threatening to rewrite ours to Powershell from Perl Script but just have to much going on. I would post it, but I am not the author.
http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
Thanks
Paul
pbergson@allete.com<mailto:pbergson@allete.com> (e-mail)
pbbergs@msn.com<mailto:pbbergs@msn.com> (IM)
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
Sent: Wednesday, August 18, 2010 12:34 PM
To: activedir
Subject: [ActiveDir] Password Reminders - Powershell Script
I am looking for a PS script or two that I can run across my domain to see who's passwords are getting ready to expire. Then I'd like to build on that so it can email the person with a reminder who is 10 or so days out. For some reason users just don't see the reminder when they log in
Thanks,
Eric
| | | |
| seag33k
Posts:88
| | 08/18/2010 7:13 PM |
| Thanks for the two resources. Is there a way to quickly use Powershell to
just query AD for account expiration dates?
Thanks,
Eric
On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <pbergson@allete.com
> wrote:
> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
> one on his blog. I don’t know if it is in Powershell or not. I keep
> threatening to rewrite ours to Powershell from Perl Script but just have to
> much going on. I would post it, but I am not the author.
>
>
>
>
> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>
>
>
>
> Thanks
>
> Paul
> pbergson@allete.com (e-mail)
> pbbergs@msn.com (IM)
>
>
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
> *Sent:* Wednesday, August 18, 2010 12:34 PM
> *To:* activedir
> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>
>
>
> I am looking for a PS script or two that I can run across my domain to see
> who's passwords are getting ready to expire. Then I'd like to build on that
> so it can email the person with a reminder who is 10 or so days out. For
> some reason users just don't see the reminder when they log in
>
> Thanks,
> Eric
>
| | | |
| Chris-Dent
Posts:114
| | 08/18/2010 7:21 PM |
| In a way. Quest's CmdLets will give you the easiest interface (in my
opinion). This shows when they were last set.
Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet
And you can have it figure out when it's due to change with:
$MaxAge = 120
Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet,
`
@{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
You can pull the Maximum Age from AD as well to avoid hard-coding it.
Chris
On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
> Thanks for the two resources. Is there a way to quickly use Powershell to
> just query AD for account expiration dates?
>
> Thanks,
> Eric
>
>
> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <
> pbergson@allete.com> wrote:
>
>> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
>> one on his blog. I don’t know if it is in Powershell or not. I keep
>> threatening to rewrite ours to Powershell from Perl Script but just have to
>> much going on. I would post it, but I am not the author.
>>
>>
>>
>>
>> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>>
>>
>>
>>
>> Thanks
>>
>> Paul
>> pbergson@allete.com (e-mail)
>> pbbergs@msn.com (IM)
>>
>>
>>
>> *From:* activedir-owner@mail.activedir.org [mailto:
>> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
>> *Sent:* Wednesday, August 18, 2010 12:34 PM
>> *To:* activedir
>> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>>
>>
>>
>> I am looking for a PS script or two that I can run across my domain to see
>> who's passwords are getting ready to expire. Then I'd like to build on that
>> so it can email the person with a reminder who is 10 or so days out. For
>> some reason users just don't see the reminder when they log in
>>
>> Thanks,
>> Eric
>>
>
>
| | | |
| bsonposh
Posts:408
| | 08/18/2010 7:21 PM |
| Both builtin AD module (Win7/2008R2) and the free Quest AD cmdlets have
cmdlets to get this information
On Wed, Aug 18, 2010 at 2:11 PM, Eric <seag33k@gmail.com> wrote:
> Thanks for the two resources. Is there a way to quickly use Powershell to
> just query AD for account expiration dates?
>
> Thanks,
> Eric
>
>
> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <
> pbergson@allete.com> wrote:
>
>> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
>> one on his blog. I don’t know if it is in Powershell or not. I keep
>> threatening to rewrite ours to Powershell from Perl Script but just have to
>> much going on. I would post it, but I am not the author.
>>
>>
>>
>>
>> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>>
>>
>>
>>
>> Thanks
>>
>> Paul
>> pbergson@allete.com (e-mail)
>> pbbergs@msn.com (IM)
>>
>>
>>
>> *From:* activedir-owner@mail.activedir.org [mailto:
>> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
>> *Sent:* Wednesday, August 18, 2010 12:34 PM
>> *To:* activedir
>> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>>
>>
>>
>> I am looking for a PS script or two that I can run across my domain to see
>> who's passwords are getting ready to expire. Then I'd like to build on that
>> so it can email the person with a reminder who is 10 or so days out. For
>> some reason users just don't see the reminder when they log in
>>
>> Thanks,
>> Eric
>>
>
>
| | | |
| bdesmond
Posts:977
| | 08/18/2010 7:30 PM |
| Isn't this pretty inefficient? If I have 100K users and 500 of them expire each day, I'm going to pull the whole set of 100K down and filter client side if I understand this right. Seems like a bad plan if so...
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
Sent: Wednesday, August 18, 2010 1:20 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Password Reminders - Powershell Script
In a way. Quest's CmdLets will give you the easiest interface (in my opinion). This shows when they were last set.
Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet
And you can have it figure out when it's due to change with:
$MaxAge = 120
Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet, `
@{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
You can pull the Maximum Age from AD as well to avoid hard-coding it.
Chris
On 18 August 2010 19:11, Eric <seag33k@gmail.com<mailto:seag33k@gmail.com>> wrote:
Thanks for the two resources. Is there a way to quickly use Powershell to just query AD for account expiration dates?
Thanks,
Eric
On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <pbergson@allete.com<mailto:pbergson@allete.com>> wrote:
Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has one on his blog. I don't know if it is in Powershell or not. I keep threatening to rewrite ours to Powershell from Perl Script but just have to much going on. I would post it, but I am not the author.
http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
Thanks
Paul
pbergson@allete.com<mailto:pbergson@allete.com> (e-mail)
pbbergs@msn.com<mailto:pbbergs@msn.com> (IM)
From: activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org> [mailto:activedir-owner@mail.activedir.org<mailto:activedir-owner@mail.activedir.org>] On Behalf Of Eric
Sent: Wednesday, August 18, 2010 12:34 PM
To: activedir
Subject: [ActiveDir] Password Reminders - Powershell Script
I am looking for a PS script or two that I can run across my domain to see who's passwords are getting ready to expire. Then I'd like to build on that so it can email the person with a reminder who is 10 or so days out. For some reason users just don't see the reminder when they log in
Thanks,
Eric
| | | |
| seag33k
Posts:88
| | 08/18/2010 7:32 PM |
| Thanks! I just ran that but don't get any data on the AccountExpires
column. Could this be due to the permissions my account has? I have two
OU's with users. One of them I can change passwords with my account and the
other I cannot.
Thanks!
Eric
On Wed, Aug 18, 2010 at 11:20 AM, Chris Dent <chris@indented.co.uk> wrote:
> Ack, sorry, accountExpires..
>
> Get-QADUser -IncludedProperties accountExpires | Select-Object Name,
> accountExpires
>
> Chris
>
>
> On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>
>> Thanks for the two resources. Is there a way to quickly use Powershell to
>> just query AD for account expiration dates?
>>
>> Thanks,
>> Eric
>>
>>
>> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <
>> pbergson@allete.com> wrote:
>>
>>> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong)
>>> has one on his blog. I don’t know if it is in Powershell or not. I keep
>>> threatening to rewrite ours to Powershell from Perl Script but just have to
>>> much going on. I would post it, but I am not the author.
>>>
>>>
>>>
>>>
>>> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>>>
>>>
>>>
>>>
>>> Thanks
>>>
>>> Paul
>>> pbergson@allete.com (e-mail)
>>> pbbergs@msn.com (IM)
>>>
>>>
>>>
>>> *From:* activedir-owner@mail.activedir.org [mailto:
>>> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
>>> *Sent:* Wednesday, August 18, 2010 12:34 PM
>>> *To:* activedir
>>> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>>>
>>>
>>>
>>> I am looking for a PS script or two that I can run across my domain to
>>> see who's passwords are getting ready to expire. Then I'd like to build on
>>> that so it can email the person with a reminder who is 10 or so days out.
>>> For some reason users just don't see the reminder when they log in
>>>
>>> Thanks,
>>> Eric
>>>
>>
>>
>
| | | |
| bsonposh
Posts:408
| | 08/18/2010 7:34 PM |
| Agreed.
On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com>wrote:
> *Isn’t this pretty inefficient? If I have 100K users and 500 of them
> expire each day, I’m going to pull the whole set of 100K down and filter
> client side if I understand this right. Seems like a bad plan if so…*
>
> * *
>
> *Thanks,*
>
> *Brian Desmond*
>
> *brian@briandesmond.com*
>
> * *
>
> *c – 312.731.3132*
>
> * *
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Chris Dent
> *Sent:* Wednesday, August 18, 2010 1:20 PM
> *To:* activedir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Password Reminders - Powershell Script
>
>
>
>
> In a way. Quest's CmdLets will give you the easiest interface (in my
> opinion). This shows when they were last set.
>
> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet
>
> And you can have it figure out when it's due to change with:
>
> $MaxAge = 120
> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
> PwdLastSet, `
> @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
>
> You can pull the Maximum Age from AD as well to avoid hard-coding it.
>
> Chris
>
> On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>
> Thanks for the two resources. Is there a way to quickly use Powershell to
> just query AD for account expiration dates?
>
> Thanks,
> Eric
>
>
>
> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <
> pbergson@allete.com> wrote:
>
> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
> one on his blog. I don’t know if it is in Powershell or not. I keep
> threatening to rewrite ours to Powershell from Perl Script but just have to
> much going on. I would post it, but I am not the author.
>
>
>
>
> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>
>
>
>
> Thanks
>
> Paul
> pbergson@allete.com (e-mail)
> pbbergs@msn.com (IM)
>
>
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
> *Sent:* Wednesday, August 18, 2010 12:34 PM
> *To:* activedir
> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>
>
>
> I am looking for a PS script or two that I can run across my domain to see
> who's passwords are getting ready to expire. Then I'd like to build on that
> so it can email the person with a reminder who is 10 or so days out. For
> some reason users just don't see the reminder when they log in
>
> Thanks,
> Eric
>
>
>
>
>
| | | |
| Chris-Dent
Posts:114
| | 08/18/2010 7:43 PM |
| It can be incorporated into an LDAP filter, can't test, but..
Accounts that expire today or have expired:
$MaxAge = 90
$LdapFilter =
"(&(pwdLastSet<=$((Get-Date).AddDays(-$MaxAge).ToFileTime()))(!(pwdLastSet=0)))"
Get-QADUser -LdapFilter $LdapFilter
Or something similar 
Chris
On 18 August 2010 19:31, Brandon Shell <tshell@gmail.com> wrote:
> Agreed.
>
>
> On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com>wrote:
>
>> *Isn’t this pretty inefficient? If I have 100K users and 500 of them
>> expire each day, I’m going to pull the whole set of 100K down and filter
>> client side if I understand this right. Seems like a bad plan if so…*
>>
>> * *
>>
>> *Thanks,*
>>
>> *Brian Desmond*
>>
>> *brian@briandesmond.com*
>>
>> * *
>>
>> *c – 312.731.3132*
>>
>> * *
>>
>> *From:* activedir-owner@mail.activedir.org [mailto:
>> activedir-owner@mail.activedir.org] *On Behalf Of *Chris Dent
>> *Sent:* Wednesday, August 18, 2010 1:20 PM
>> *To:* activedir@mail.activedir.org
>> *Subject:* Re: [ActiveDir] Password Reminders - Powershell Script
>>
>>
>>
>>
>> In a way. Quest's CmdLets will give you the easiest interface (in my
>> opinion). This shows when they were last set.
>>
>> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
>> PwdLastSet
>>
>> And you can have it figure out when it's due to change with:
>>
>> $MaxAge = 120
>> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
>> PwdLastSet, `
>> @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
>>
>> You can pull the Maximum Age from AD as well to avoid hard-coding it.
>>
>> Chris
>>
>> On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>>
>> Thanks for the two resources. Is there a way to quickly use Powershell to
>> just query AD for account expiration dates?
>>
>> Thanks,
>> Eric
>>
>>
>>
>> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <
>> pbergson@allete.com> wrote:
>>
>> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
>> one on his blog. I don’t know if it is in Powershell or not. I keep
>> threatening to rewrite ours to Powershell from Perl Script but just have to
>> much going on. I would post it, but I am not the author.
>>
>>
>>
>>
>> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>>
>>
>>
>>
>> Thanks
>>
>> Paul
>> pbergson@allete.com (e-mail)
>> pbbergs@msn.com (IM)
>>
>>
>>
>> *From:* activedir-owner@mail.activedir.org [mailto:
>> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
>> *Sent:* Wednesday, August 18, 2010 12:34 PM
>> *To:* activedir
>> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>>
>>
>>
>> I am looking for a PS script or two that I can run across my domain to see
>> who's passwords are getting ready to expire. Then I'd like to build on that
>> so it can email the person with a reminder who is 10 or so days out. For
>> some reason users just don't see the reminder when they log in
>>
>> Thanks,
>> Eric
>>
>>
>>
>>
>>
>
>
| | | |
| skradel
Posts:177
| | 08/18/2010 7:45 PM |
| accountExpires is an 8-byte integer, conforming to the Windows
Filetime format of 100ns intervals since January 1, 1601. (Wheeee!)
The values 0 and 0x7FFFFFFFFFFFFFFF are special, equivalent indicators
for "never expires."
You can query AD for soon-expiring accounts thusly:
(&(objectCategory=person)(accountExpires>=longNumber1)(accountExpires<=longNumber2))
...where longNumber1 is today (or maybe yesterday) and longNumber2 is
a week from now. I think the "Hey Scripting Guy" column has an
article on building Filetime, and it's easy to get from
System.DateTime in .NET. I assume you can use DateTime in
Powershell... being a C# guy I find Powershell incredibly strange and
don't touch the stuff.
My own approach is to have FIM sync a variety of user data to a SQL
database continually, with real datetime columns, and query that
instead.
--Steve
On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com> wrote:
> Isn’t this pretty inefficient? If I have 100K users and 500 of them expire
> each day, I’m going to pull the whole set of 100K down and filter client
> side if I understand this right. Seems like a bad plan if so…
>
>
>
> Thanks,
>
> Brian Desmond
>
> brian@briandesmond.com
>
>
>
> c – 312.731.3132
>
>
>
> From: activedir-owner@mail.activedir.org
> [mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
> Sent: Wednesday, August 18, 2010 1:20 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Password Reminders - Powershell Script
>
>
>
> In a way. Quest's CmdLets will give you the easiest interface (in my
> opinion). This shows when they were last set.
>
> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet
>
> And you can have it figure out when it's due to change with:
>
> $MaxAge = 120
> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet,
> `
> @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
>
> You can pull the Maximum Age from AD as well to avoid hard-coding it.
>
> Chris
>
> On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>
> Thanks for the two resources. Is there a way to quickly use Powershell to
> just query AD for account expiration dates?
>
> Thanks,
> Eric
>
>
>
> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE)
> <pbergson@allete.com> wrote:
>
> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
> one on his blog. I don’t know if it is in Powershell or not. I keep
> threatening to rewrite ours to Powershell from Perl Script but just have to
> much going on. I would post it, but I am not the author.
>
>
>
> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>
>
>
> Thanks
>
> Paul
> pbergson@allete.com (e-mail)
> pbbergs@msn.com (IM)
>
>
>
> From: activedir-owner@mail.activedir.org
> [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
> Sent: Wednesday, August 18, 2010 12:34 PM
> To: activedir
> Subject: [ActiveDir] Password Reminders - Powershell Script
>
>
>
> I am looking for a PS script or two that I can run across my domain to see
> who's passwords are getting ready to expire. Then I'd like to build on that
> so it can email the person with a reminder who is 10 or so days out. For
> some reason users just don't see the reminder when they log in
>
> Thanks,
> Eric
>
>
>
>
| | | |
| seag33k
Posts:88
| | 08/18/2010 7:47 PM |
| I am not a PS expert and only have 100 users. At this point I am getting
more familiar with powershell scripting so these short one liners are
helping get a feel for what PS can do and eventually develop more advanced
scripts. Thanks for the help!
Eric
On Wed, Aug 18, 2010 at 11:29 AM, Brian Desmond <brian@briandesmond.com>wrote:
> *Isn’t this pretty inefficient? If I have 100K users and 500 of them
> expire each day, I’m going to pull the whole set of 100K down and filter
> client side if I understand this right. Seems like a bad plan if so…*
>
> * *
>
> *Thanks,*
>
> *Brian Desmond*
>
> *brian@briandesmond.com*
>
> * *
>
> *c – 312.731.3132*
>
> * *
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Chris Dent
> *Sent:* Wednesday, August 18, 2010 1:20 PM
> *To:* activedir@mail.activedir.org
> *Subject:* Re: [ActiveDir] Password Reminders - Powershell Script
>
>
>
>
> In a way. Quest's CmdLets will give you the easiest interface (in my
> opinion). This shows when they were last set.
>
> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet
>
> And you can have it figure out when it's due to change with:
>
> $MaxAge = 120
> Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
> PwdLastSet, `
> @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
>
> You can pull the Maximum Age from AD as well to avoid hard-coding it.
>
> Chris
>
> On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>
> Thanks for the two resources. Is there a way to quickly use Powershell to
> just query AD for account expiration dates?
>
> Thanks,
> Eric
>
>
>
> On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE) <
> pbergson@allete.com> wrote:
>
> Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
> one on his blog. I don’t know if it is in Powershell or not. I keep
> threatening to rewrite ours to Powershell from Perl Script but just have to
> much going on. I would post it, but I am not the author.
>
>
>
>
> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>
>
>
>
> Thanks
>
> Paul
> pbergson@allete.com (e-mail)
> pbbergs@msn.com (IM)
>
>
>
> *From:* activedir-owner@mail.activedir.org [mailto:
> activedir-owner@mail.activedir.org] *On Behalf Of *Eric
> *Sent:* Wednesday, August 18, 2010 12:34 PM
> *To:* activedir
> *Subject:* [ActiveDir] Password Reminders - Powershell Script
>
>
>
> I am looking for a PS script or two that I can run across my domain to see
> who's passwords are getting ready to expire. Then I'd like to build on that
> so it can email the person with a reminder who is 10 or so days out. For
> some reason users just don't see the reminder when they log in
>
> Thanks,
> Eric
>
>
>
>
>
| | | |
| michael1
Posts:426
| | 08/18/2010 7:49 PM |
| Not in PowerShell - but it's widely deployed.
<http://theessentialexchange.com/blogs/michael/archive/2007/11/13/sending-an
-e-mail-to-users-whose-password-is-about-to-expire.aspx>
I keep meaning to rewrite in PowerShell, but "it ain't broke".
Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
Sent: Wednesday, August 18, 2010 1:34 PM
To: activedir
Subject: [ActiveDir] Password Reminders - Powershell Script
I am looking for a PS script or two that I can run across my domain to see
who's passwords are getting ready to expire. Then I'd like to build on that
so it can email the person with a reminder who is 10 or so days out. For
some reason users just don't see the reminder when they log in
Thanks,
Eric
| | | |
| Chris-Dent
Posts:114
| | 08/18/2010 7:55 PM |
| Just for interest.
Get-Date gives you a System.DateTime object, which will allow access to the
ToFileTime method. The FromDateTime static method is also available in PS.
The syntax for calling static methods differs slightly from C#, it's:
[System.DateTime]::FromFileTime($long)
System is implicit, it can be dropped from the command, giving:
[DateTime]::FromFileTime($long)
In a lot of cases you can simply fix up the syntax from C# and end up with
PS. There are few things PS can't do with .NET that C# can.
Chris
On 18 August 2010 19:40, Steve Kradel <skradel@zetetic.net> wrote:
> accountExpires is an 8-byte integer, conforming to the Windows
> Filetime format of 100ns intervals since January 1, 1601. (Wheeee!)
> The values 0 and 0x7FFFFFFFFFFFFFFF are special, equivalent indicators
> for "never expires."
>
> You can query AD for soon-expiring accounts thusly:
>
>
> (&(objectCategory=person)(accountExpires>=longNumber1)(accountExpires<=longNumber2))
>
> ...where longNumber1 is today (or maybe yesterday) and longNumber2 is
> a week from now. I think the "Hey Scripting Guy" column has an
> article on building Filetime, and it's easy to get from
> System.DateTime in .NET. I assume you can use DateTime in
> Powershell... being a C# guy I find Powershell incredibly strange and
> don't touch the stuff.
>
> My own approach is to have FIM sync a variety of user data to a SQL
> database continually, with real datetime columns, and query that
> instead.
>
> --Steve
>
>
| | | |
| bsonposh
Posts:408
| | 08/18/2010 8:03 PM |
| FTR... AccountExpires is not the same as Password Expires. If you just want
to see when the "Account" expires the Quest cmdlets have built in paramaters
for that
Get-QADUser -AccountExpiresBefore
Get-QADUser -AccountExpiresAfter
On Wed, Aug 18, 2010 at 2:40 PM, Steve Kradel <skradel@zetetic.net> wrote:
> accountExpires is an 8-byte integer, conforming to the Windows
> Filetime format of 100ns intervals since January 1, 1601. (Wheeee!)
> The values 0 and 0x7FFFFFFFFFFFFFFF are special, equivalent indicators
> for "never expires."
>
> You can query AD for soon-expiring accounts thusly:
>
>
> (&(objectCategory=person)(accountExpires>=longNumber1)(accountExpires<=longNumber2))
>
> ...where longNumber1 is today (or maybe yesterday) and longNumber2 is
> a week from now. I think the "Hey Scripting Guy" column has an
> article on building Filetime, and it's easy to get from
> System.DateTime in .NET. I assume you can use DateTime in
> Powershell... being a C# guy I find Powershell incredibly strange and
> don't touch the stuff.
>
> My own approach is to have FIM sync a variety of user data to a SQL
> database continually, with real datetime columns, and query that
> instead.
>
> --Steve
>
> On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com>
> wrote:
> > Isn’t this pretty inefficient? If I have 100K users and 500 of them
> expire
> > each day, I’m going to pull the whole set of 100K down and filter client
> > side if I understand this right. Seems like a bad plan if so…
> >
> >
> >
> > Thanks,
> >
> > Brian Desmond
> >
> > brian@briandesmond.com
> >
> >
> >
> > c – 312.731.3132
> >
> >
> >
> > From: activedir-owner@mail.activedir.org
> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
> > Sent: Wednesday, August 18, 2010 1:20 PM
> > To: activedir@mail.activedir.org
> > Subject: Re: [ActiveDir] Password Reminders - Powershell Script
> >
> >
> >
> > In a way. Quest's CmdLets will give you the easiest interface (in my
> > opinion). This shows when they were last set.
> >
> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
> PwdLastSet
> >
> > And you can have it figure out when it's due to change with:
> >
> > $MaxAge = 120
> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
> PwdLastSet,
> > `
> > @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
> >
> > You can pull the Maximum Age from AD as well to avoid hard-coding it.
> >
> > Chris
> >
> > On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
> >
> > Thanks for the two resources. Is there a way to quickly use Powershell
> to
> > just query AD for account expiration dates?
> >
> > Thanks,
> > Eric
> >
> >
> >
> > On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE)
> > <pbergson@allete.com> wrote:
> >
> > Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong)
> has
> > one on his blog. I don’t know if it is in Powershell or not. I keep
> > threatening to rewrite ours to Powershell from Perl Script but just have
> to
> > much going on. I would post it, but I am not the author.
> >
> >
> >
> >
> http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
> >
> >
> >
> > Thanks
> >
> > Paul
> > pbergson@allete.com (e-mail)
> > pbbergs@msn.com (IM)
> >
> >
> >
> > From: activedir-owner@mail.activedir.org
> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
> > Sent: Wednesday, August 18, 2010 12:34 PM
> > To: activedir
> > Subject: [ActiveDir] Password Reminders - Powershell Script
> >
> >
> >
> > I am looking for a PS script or two that I can run across my domain to
> see
> > who's passwords are getting ready to expire. Then I'd like to build on
> that
> > so it can email the person with a reminder who is 10 or so days out. For
> > some reason users just don't see the reminder when they log in
> >
> > Thanks,
> > Eric
> >
> >
> >
> >
>
>
| | | |
| skradel
Posts:177
| | 08/18/2010 8:13 PM |
| Yup, figuring out password expiration is entirely different and more
complicated, especially if you have 2008 + FGPP.
At a minimum, password expiration notices would take into account the
default domain policy's password lifetime, the user's pwdLastSet, and
whether or not users' userAccountControl has the flag for password
never expires.
--Steve
On Wed, Aug 18, 2010 at 3:02 PM, Brandon Shell <tshell@gmail.com> wrote:
> FTR... AccountExpires is not the same as Password Expires. If you just want
> to see when the "Account" expires the Quest cmdlets have built in paramaters
> for that
>
> Get-QADUser -AccountExpiresBefore
> Get-QADUser -AccountExpiresAfter
>
> On Wed, Aug 18, 2010 at 2:40 PM, Steve Kradel <skradel@zetetic.net> wrote:
>>
>> accountExpires is an 8-byte integer, conforming to the Windows
>> Filetime format of 100ns intervals since January 1, 1601. (Wheeee!)
>> The values 0 and 0x7FFFFFFFFFFFFFFF are special, equivalent indicators
>> for "never expires."
>>
>> You can query AD for soon-expiring accounts thusly:
>>
>>
>> (&(objectCategory=person)(accountExpires>=longNumber1)(accountExpires<=longNumber2))
>>
>> ...where longNumber1 is today (or maybe yesterday) and longNumber2 is
>> a week from now. I think the "Hey Scripting Guy" column has an
>> article on building Filetime, and it's easy to get from
>> System.DateTime in .NET. I assume you can use DateTime in
>> Powershell... being a C# guy I find Powershell incredibly strange and
>> don't touch the stuff.
>>
>> My own approach is to have FIM sync a variety of user data to a SQL
>> database continually, with real datetime columns, and query that
>> instead.
>>
>> --Steve
>>
>> On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com>
>> wrote:
>> > Isn’t this pretty inefficient? If I have 100K users and 500 of them
>> > expire
>> > each day, I’m going to pull the whole set of 100K down and filter client
>> > side if I understand this right. Seems like a bad plan if so…
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Brian Desmond
>> >
>> > brian@briandesmond.com
>> >
>> >
>> >
>> > c – 312.731.3132
>> >
>> >
>> >
>> > From: activedir-owner@mail.activedir.org
>> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
>> > Sent: Wednesday, August 18, 2010 1:20 PM
>> > To: activedir@mail.activedir.org
>> > Subject: Re: [ActiveDir] Password Reminders - Powershell Script
>> >
>> >
>> >
>> > In a way. Quest's CmdLets will give you the easiest interface (in my
>> > opinion). This shows when they were last set.
>> >
>> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
>> > PwdLastSet
>> >
>> > And you can have it figure out when it's due to change with:
>> >
>> > $MaxAge = 120
>> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
>> > PwdLastSet,
>> > `
>> > @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
>> >
>> > You can pull the Maximum Age from AD as well to avoid hard-coding it.
>> >
>> > Chris
>> >
>> > On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>> >
>> > Thanks for the two resources. Is there a way to quickly use Powershell
>> > to
>> > just query AD for account expiration dates?
>> >
>> > Thanks,
>> > Eric
>> >
>> >
>> >
>> > On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE)
>> > <pbergson@allete.com> wrote:
>> >
>> > Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong)
>> > has
>> > one on his blog. I don’t know if it is in Powershell or not. I keep
>> > threatening to rewrite ours to Powershell from Perl Script but just have
>> > to
>> > much going on. I would post it, but I am not the author.
>> >
>> >
>> >
>> >
>> > http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e-mail-their-password-is-going-to-expire.aspx
>> >
>> >
>> >
>> > Thanks
>> >
>> > Paul
>> > pbergson@allete.com (e-mail)
>> > pbbergs@msn.com (IM)
>> >
>> >
>> >
>> > From: activedir-owner@mail.activedir.org
>> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
>> > Sent: Wednesday, August 18, 2010 12:34 PM
>> > To: activedir
>> > Subject: [ActiveDir] Password Reminders - Powershell Script
>> >
>> >
>> >
>> > I am looking for a PS script or two that I can run across my domain to
>> > see
>> > who's passwords are getting ready to expire. Then I'd like to build on
>> > that
>> > so it can email the person with a reminder who is 10 or so days out.
>> > For
>> > some reason users just don't see the reminder when they log in
>> >
>> > Thanks,
>> > Eric
>> >
>> >
>> >
>> >
>>
>
| | | |
| AlLilianstrom
Posts:39
| | 08/18/2010 8:15 PM |
| For the Perl fans - it's easy to build the numbers for accountExpires filters by using the Math::BigInt module. I've had a script in place for almost 7 years giving our users a 15 day countdown on password expiration.
al
--
Al Lilianstrom
CD/LSC/CSI/ADS
lilstrom@fnal.gov
> -----Original Message-----
> From: activedir-owner@mail.activedir.org [mailto:activedir-
> owner@mail.activedir.org] On Behalf Of Steve Kradel
> Sent: Wednesday, August 18, 2010 1:41 PM
> To: activedir@mail.activedir.org
> Subject: Re: [ActiveDir] Password Reminders - Powershell Script
>
> accountExpires is an 8-byte integer, conforming to the Windows
> Filetime format of 100ns intervals since January 1, 1601. (Wheeee!)
> The values 0 and 0x7FFFFFFFFFFFFFFF are special, equivalent indicators
> for "never expires."
>
> You can query AD for soon-expiring accounts thusly:
>
> (&(objectCategory=person)(accountExpires>=longNumber1)(accountExpires<=
> longNumber2))
>
> ...where longNumber1 is today (or maybe yesterday) and longNumber2 is
> a week from now. I think the "Hey Scripting Guy" column has an
> article on building Filetime, and it's easy to get from
> System.DateTime in .NET. I assume you can use DateTime in
> Powershell... being a C# guy I find Powershell incredibly strange and
> don't touch the stuff.
>
> My own approach is to have FIM sync a variety of user data to a SQL
> database continually, with real datetime columns, and query that
> instead.
>
> --Steve
>
> On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com>
> wrote:
> > Isn't this pretty inefficient? If I have 100K users and 500 of them
> expire
> > each day, I'm going to pull the whole set of 100K down and filter
> client
> > side if I understand this right. Seems like a bad plan if so.
> >
> >
> >
> > Thanks,
> >
> > Brian Desmond
> >
> > brian@briandesmond.com
> >
> >
> >
> > c - 312.731.3132
> >
> >
> >
> > From: activedir-owner@mail.activedir.org
> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
> > Sent: Wednesday, August 18, 2010 1:20 PM
> > To: activedir@mail.activedir.org
> > Subject: Re: [ActiveDir] Password Reminders - Powershell Script
> >
> >
> >
> > In a way. Quest's CmdLets will give you the easiest interface (in my
> > opinion). This shows when they were last set.
> >
> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
> PwdLastSet
> >
> > And you can have it figure out when it's due to change with:
> >
> > $MaxAge = 120
> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
> PwdLastSet,
> > `
> > @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
> >
> > You can pull the Maximum Age from AD as well to avoid hard-coding it.
> >
> > Chris
> >
> > On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
> >
> > Thanks for the two resources. Is there a way to quickly use
> Powershell to
> > just query AD for account expiration dates?
> >
> > Thanks,
> > Eric
> >
> >
> >
> > On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE)
> > <pbergson@allete.com> wrote:
> >
> > Jorge De Almida Pinto (Sorry Jorge I probably spelled your name
> wrong) has
> > one on his blog. I don't know if it is in Powershell or not. I keep
> > threatening to rewrite ours to Powershell from Perl Script but just
> have to
> > much going on. I would post it, but I am not the author.
> >
> >
> >
> > http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-
> users-by-e-mail-their-password-is-going-to-expire.aspx
> >
> >
> >
> > Thanks
> >
> > Paul
> > pbergson@allete.com (e-mail)
> > pbbergs@msn.com (IM)
> >
> >
> >
> > From: activedir-owner@mail.activedir.org
> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
> > Sent: Wednesday, August 18, 2010 12:34 PM
> > To: activedir
> > Subject: [ActiveDir] Password Reminders - Powershell Script
> >
> >
> >
> > I am looking for a PS script or two that I can run across my domain
> to see
> > who's passwords are getting ready to expire. Then I'd like to build
> on that
> > so it can email the person with a reminder who is 10 or so days out.
> For
> > some reason users just don't see the reminder when they log in
> >
> > Thanks,
> > Eric
> >
> >
> >
> >
| | | |
| art0514
Posts:3
| | 08/18/2010 8:29 PM |
| Here's a PowerShell function that will figure out password expiration from 2003 onward including FGPP. It requires KB968934 on at least one DC of a 2008R2 DC in the domain.
http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
-----Original Message-----
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Steve Kradel
Sent: Wednesday, August 18, 2010 2:12 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Password Reminders - Powershell Script
Yup, figuring out password expiration is entirely different and more complicated, especially if you have 2008 + FGPP.
At a minimum, password expiration notices would take into account the default domain policy's password lifetime, the user's pwdLastSet, and whether or not users' userAccountControl has the flag for password never expires.
--Steve
On Wed, Aug 18, 2010 at 3:02 PM, Brandon Shell <tshell@gmail.com> wrote:
> FTR... AccountExpires is not the same as Password Expires. If you just
> want to see when the "Account" expires the Quest cmdlets have built in
> paramaters for that
>
> Get-QADUser -AccountExpiresBefore
> Get-QADUser -AccountExpiresAfter
>
> On Wed, Aug 18, 2010 at 2:40 PM, Steve Kradel <skradel@zetetic.net> wrote:
>>
>> accountExpires is an 8-byte integer, conforming to the Windows
>> Filetime format of 100ns intervals since January 1, 1601. (Wheeee!)
>> The values 0 and 0x7FFFFFFFFFFFFFFF are special, equivalent
>> indicators for "never expires."
>>
>> You can query AD for soon-expiring accounts thusly:
>>
>>
>> (&(objectCategory=person)(accountExpires>=longNumber1)(accountExpires
>> <=longNumber2))
>>
>> ...where longNumber1 is today (or maybe yesterday) and longNumber2 is
>> a week from now. I think the "Hey Scripting Guy" column has an
>> article on building Filetime, and it's easy to get from
>> System.DateTime in .NET. I assume you can use DateTime in
>> Powershell... being a C# guy I find Powershell incredibly strange and
>> don't touch the stuff.
>>
>> My own approach is to have FIM sync a variety of user data to a SQL
>> database continually, with real datetime columns, and query that
>> instead.
>>
>> --Steve
>>
>> On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond
>> <brian@briandesmond.com>
>> wrote:
>> > Isn't this pretty inefficient? If I have 100K users and 500 of them
>> > expire each day, I'm going to pull the whole set of 100K down and
>> > filter client side if I understand this right. Seems like a bad
>> > plan if so...
>> >
>> >
>> >
>> > Thanks,
>> >
>> > Brian Desmond
>> >
>> > brian@briandesmond.com
>> >
>> >
>> >
>> > c - 312.731.3132
>> >
>> >
>> >
>> > From: activedir-owner@mail.activedir.org
>> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
>> > Sent: Wednesday, August 18, 2010 1:20 PM
>> > To: activedir@mail.activedir.org
>> > Subject: Re: [ActiveDir] Password Reminders - Powershell Script
>> >
>> >
>> >
>> > In a way. Quest's CmdLets will give you the easiest interface (in
>> > my opinion). This shows when they were last set.
>> >
>> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
>> > PwdLastSet
>> >
>> > And you can have it figure out when it's due to change with:
>> >
>> > $MaxAge = 120
>> > Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name,
>> > PwdLastSet, `
>> > @{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
>> >
>> > You can pull the Maximum Age from AD as well to avoid hard-coding it.
>> >
>> > Chris
>> >
>> > On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
>> >
>> > Thanks for the two resources. Is there a way to quickly use
>> > Powershell to just query AD for account expiration dates?
>> >
>> > Thanks,
>> > Eric
>> >
>> >
>> >
>> > On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE)
>> > <pbergson@allete.com> wrote:
>> >
>> > Jorge De Almida Pinto (Sorry Jorge I probably spelled your name
>> > wrong) has one on his blog. I don't know if it is in Powershell or
>> > not. I keep threatening to rewrite ours to Powershell from Perl
>> > Script but just have to much going on. I would post it, but I am
>> > not the author.
>> >
>> >
>> >
>> >
>> > http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-u
>> > sers-by-e-mail-their-password-is-going-to-expire.aspx
>> >
>> >
>> >
>> > Thanks
>> >
>> > Paul
>> > pbergson@allete.com (e-mail)
>> > pbbergs@msn.com (IM)
>> >
>> >
>> >
>> > From: activedir-owner@mail.activedir.org
>> > [mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
>> > Sent: Wednesday, August 18, 2010 12:34 PM
>> > To: activedir
>> > Subject: [ActiveDir] Password Reminders - Powershell Script
>> >
>> >
>> >
>> > I am looking for a PS script or two that I can run across my domain
>> > to see who's passwords are getting ready to expire. Then I'd like
>> > to build on that so it can email the person with a reminder who is
>> > 10 or so days out.
>> > For
>> > some reason users just don't see the reminder when they log in
>> >
>> > Thanks,
>> > Eric
>> >
>> >
>> >
>> >
>>
>
This e-mail message and any attached files transmitted with it, from Loomis Armored, Inc. is intended solely for the use of named recipient(s) to whom this e-mail message is addressed. It may be privileged and confidential, is provided without warranty, and does not offer to or create a contract or amendment to any existing contract. If you are not an intended recipient, you are notified that reviewing, disclosing, copying, distributing, or taking any action in reliance on the contents of this information is strictly prohibited. If you received this communication in error, please reply by e-mail and delete the original message. Thank you.
| | | |
| ZJORZ
Posts:363
| | 09/06/2010 6:38 PM |
| If you are you DFL=W2K8 you have to pull down all of them to FIRST determine
which PSO (and therefore which maxPwdAge) applies
Met vriendelijke groeten / Kind regards,
Jorge de Almeida Pinto
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Brandon Shell
Sent: Wednesday, August 18, 2010 20:31
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Password Reminders - Powershell Script
Agreed.
On Wed, Aug 18, 2010 at 2:29 PM, Brian Desmond <brian@briandesmond.com>
wrote:
Isn't this pretty inefficient? If I have 100K users and 500 of them expire
each day, I'm going to pull the whole set of 100K down and filter client
side if I understand this right. Seems like a bad plan if so.
Thanks,
Brian Desmond
brian@briandesmond.com
c - 312.731.3132
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Chris Dent
Sent: Wednesday, August 18, 2010 1:20 PM
To: activedir@mail.activedir.org
Subject: Re: [ActiveDir] Password Reminders - Powershell Script
In a way. Quest's CmdLets will give you the easiest interface (in my
opinion). This shows when they were last set.
Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet
And you can have it figure out when it's due to change with:
$MaxAge = 120
Get-QADUser -IncludedProperties PwdLastSet | Select-Object Name, PwdLastSet,
`
@{n='NextChange';e={ $_.PwdLastSet.AddDays($MaxAge) }}
You can pull the Maximum Age from AD as well to avoid hard-coding it.
Chris
On 18 August 2010 19:11, Eric <seag33k@gmail.com> wrote:
Thanks for the two resources. Is there a way to quickly use Powershell to
just query AD for account expiration dates?
Thanks,
Eric
On Wed, Aug 18, 2010 at 11:02 AM, Paul Bergson (ALLETE)
<pbergson@allete.com> wrote:
Jorge De Almida Pinto (Sorry Jorge I probably spelled your name wrong) has
one on his blog. I don't know if it is in Powershell or not. I keep
threatening to rewrite ours to Powershell from Perl Script but just have to
much going on. I would post it, but I am not the author.
http://blogs.dirteam.com/blogs/jorge/archive/2008/07/20/notifying-users-by-e
-mail-their-password-is-going-to-expire.aspx
Thanks
Paul
pbergson@allete.com (e-mail)
pbbergs@msn.com (IM)
From: activedir-owner@mail.activedir.org
[mailto:activedir-owner@mail.activedir.org] On Behalf Of Eric
Sent: Wednesday, August 18, 2010 12:34 PM
To: activedir
Subject: [ActiveDir] Password Reminders - Powershell Script
I am looking for a PS script or two that I can run across my domain to see
who's passwords are getting ready to expire. Then I'd like to build on that
so it can email the person with a reminder who is 10 or so days out. For
some reason users just don't see the reminder when they log in
Thanks,
Eric
| | | |
|
|