unicodePwd attribute value via Powershell

nidhin_ck posted this 11 November 2019


Hi,


Is there any way to get the value of the unicodePwd attribute via PowerShell? I tried the script below, but it does not pull the value.


# Collect every attribute the schema allows on the User class (mayContain + systemMayContain),
# then ask for all of them on one account.
$properties = Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -Filter {name -eq "User"} -Properties MayContain,SystemMayContain | `
Select-Object @{name="Properties";expression={$_.MayContain + $_.SystemMayContain}} | Select-Object -ExpandProperty Properties
Get-ADUser -Identity username -Properties $properties | fl $properties




I can get these details from below cmdlet. But I'm trying to get details via AD cmdlets


$userdn = "UserFQDN"
repadmin /showmeta $userdn | Select-String unicodepwd,pwdlastset





Thanks,

Nidhin.CK

bdesmond posted this 5 weeks ago

It’s only accessible via the APIs that DCs use to replicate with each other. Even then, the value is stored as a one-way hash.

 

Thanks,

Brian

nidhin_ck posted this 5 weeks ago

Thanks, Brian. I understand that this attribute holds the password info. But is there any way to get the last modified time of this attribute? The goal is to find out whether service account owners are really updating the password or just updating the pwdLastSet attribute value.

Regards,

Nidhin.CK

bdesmond posted this 5 weeks ago

Look at the replication metadata for the attribute.

 

Unless you delegate a service account owner the rights to write to pwdLastSet, what’s in the tweet doesn’t apply here…

 

Thanks,


Brian

joe posted this 5 weeks ago

I'm pretty certain that if you set pwdLastSet to -1, it will set the actual value of the attribute to "now", which will also make it appear as if the password was changed when it wasn't. Once again, you need permissions to do this. It is a slightly different way to do this than the method Sean described in his post.
Joe K.

ZJORZ posted this 5 weeks ago

To see if the user is changing/resetting (sspr) the password, check the pwdLastset attribute

Regular users do not have the permissions to check “change pwd at next logon”

 

For 100% certainty, check the metadata of the unicodePwd attribute on the object.

 

Met Vriendelijke Groeten / Cumprimentos / Kind Regards,

Jorge de Almeida Pinto

 

MVP Enterprise Mobility And Security | MCP/MCSE/MCITP/exMCT

gazzadownunder posted this 5 weeks ago

Take a look at https://NetTools.net/troubleshoot-account-lockouts. While the article is about account lockouts, NetTools will display the details on when the password was last set for the selected account.
The Last Logon Time tool will also display the pwdLastSet metadata for multiple accounts; you just need to paste a list of sAMAccountNames into the right pane and click Go.
Gary.
On Tue, 12 Nov 2019 at 6:03, Brian Desmond<brian@xxxxxxxxxxxxxxxx> wrote:
> Look at the replication metadata for the attribute.
> Unless you delegate a service account owner the rights to write to pwdLastSet, what’s in the tweet doesn’t apply here…
> Thanks,
> Brian

nidhin_ck posted this 5 weeks ago

From the tweet, it is clear that we need to check the metadata of the user object to compare the values of the unicodePwd attribute with the pwdLastSet attribute. I was looking for a way to get these details without using repadmin showmetadata. Looks like it is not possible. I will follow the repadmin /showmeta method.

Regards,

Nidhin.KC

gazzadownunder posted this 5 weeks ago

Sending again, as it didn't seem to make it to the mail list the first time.
Take a look at https://NetTools.net/troubleshoot-account-lockouts. While the article is about account lockouts, NetTools will display the details on when the password was last set, including the metadata for unicodePwd, for the selected account.
Gary.

nidhin_ck posted this 4 weeks ago

I found a way to get the results using PowerShell. We can make use of the Get-ADReplicationAttributeMetadata cmdlet.

Regards,

Nidhin.CK
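The thread ends without showing the check it converges on: Brian's "look at the replication metadata", Joe's note that rewriting pwdLastSet (0 then -1) makes it look like a password change, and the last post's pointer to Get-ADReplicationAttributeMetadata. The script below is an added example, not code from anyone in the thread. It reads the replication metadata of unicodePwd and pwdLastSet on the same DC and flags accounts where pwdLastSet has an originating change time that unicodePwd does not share. It assumes the RSAT ActiveDirectory module is installed, the caller can read the accounts and their metadata, and the account names, the PDC emulator as the queried DC and the 300-second tolerance are placeholders you would adjust.

```powershell
# Added example (not from the original thread): compare the replication metadata
# of unicodePwd and pwdLastSet to spot pwdLastSet being bumped without a real
# password change. Assumptions: RSAT ActiveDirectory module, read access to the
# accounts and their metadata, placeholder account names and tolerance.
Import-Module ActiveDirectory

# Constructed sample input: hypothetical service accounts to audit.
$accounts = @('svc-sql01', 'svc-backup', 'svc-web')

# Query one DC for both attributes so the two timestamps come from the same
# replica. The PDC emulator is a reasonable choice; any writable DC works.
$dc = (Get-ADDomain).PDCEmulator

# A genuine password change writes unicodePwd and pwdLastSet in one operation,
# so their originating change times match. Allow a small gap (assumed value).
$toleranceSeconds = 300

function Get-PasswordChangeEvidence {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server,
        [int]$Tolerance = 300
    )

    try {
        $user = Get-ADUser -Identity $SamAccountName -Server $Server -Properties pwdLastSet -ErrorAction Stop
    } catch {
        Write-Warning "Account '$SamAccountName' not found on $Server"
        return
    }

    # The unicodePwd value itself is never readable over LDAP, but its
    # replication metadata (version, originating time, originating DC) is.
    $meta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $Server |
            Where-Object { $_.AttributeName -in @('unicodePwd', 'pwdLastSet') }

    $pwd = $meta | Where-Object { $_.AttributeName -eq 'unicodePwd' }
    $pls = $meta | Where-Object { $_.AttributeName -eq 'pwdLastSet' }

    # If pwdLastSet was rewritten on its own (0 then -1), its originating time
    # moves forward while unicodePwd's does not, so the two drift apart.
    $drift = $null
    if ($pwd -and $pls) {
        $drift = [math]::Abs(($pls.LastOriginatingChangeTime - $pwd.LastOriginatingChangeTime).TotalSeconds)
    }

    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        PwdLastSet         = [datetime]::FromFileTimeUtc([int64]$user.pwdLastSet)
        UnicodePwdChanged  = $pwd.LastOriginatingChangeTime
        UnicodePwdVersion  = $pwd.Version
        PwdLastSetChanged  = $pls.LastOriginatingChangeTime
        PwdLastSetVersion  = $pls.Version
        PwdLastSetOriginDC = $pls.LastOriginatingChangeDirectoryServerIdentity
        Suspicious         = ($null -ne $drift -and $drift -gt $Tolerance)
    }
}

$accounts |
    ForEach-Object { Get-PasswordChangeEvidence -SamAccountName $_ -Server $dc -Tolerance $toleranceSeconds } |
    Format-Table -AutoSize
```

The time comparison is the useful signal; the Version counters alone are not, because pwdLastSet is legitimately written more often than unicodePwd (for example by "user must change password at next logon"). PwdLastSetOriginDC tells you which DC accepted the lone pwdLastSet write, which is where to look in the security log for who did it. An account whose password has never been set has no unicodePwd metadata and is reported with empty columns rather than flagged.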








