
Get password reset info for users with Windows PowerShell script

Derek Schauland illustrates how writing your own PowerShell commands can help you with pesky tasks.

I have to admit, I have been quite fascinated with PowerShell lately, and though I am by no means extremely good at it, I have managed to put together some useful scripting. While learning PowerShell, I found a few problems to solve, one of which is how to determine when a user last changed his password and the number of days until the password needs to be changed again. You may or may not find this particular script useful, but it does illustrate the kind of customizing you can do with PowerShell to perform tasks of your own choosing.

Note: Using this function assumes there are accounts whose passwords expire, although it does report accounts found that have non-expiring passwords as well. Requirement: You will need to import the Active Directory Module into your PowerShell session by running import-module activedirectory for this function to work properly.

Getting started

The problem I had started when a co-worker asked about when a user account password was reset. Active Directory doesn't exactly put this information out there for you to see, which is typically a good thing. This was a good opportunity to see if PowerShell could help.

Function, script, or interactive command line

While all of these methods will work and even use the same code, I figured this might be something I would reuse, so I opted to create a function to behave more like a cmdlet, which can also be loaded into a profile script (but that part is another post).

Function get-pwdset{
Param([parameter(Mandatory=$true)][string]$user)

In the code above, the function get-pwdset is defined with the required parameter $user defined as a string.

The next section of the function will define a variable to hold an Active Directory user object with specified properties for passwordneverexpires and passwordlastset.

$use = get-aduser $user -properties passwordlastset,passwordneverexpires

In the next section, I decided to check for accounts that have non-expiring passwords. This was to prevent errors when dealing with accounts that do not expire.

If($use.passwordneverexpires -eq $true)
{
 write-host $user "last set their password on " $use.passwordlastset  "this account has a non-expiring password" -foregroundcolor yellow
}

If the account passed to the function has a non-expiring password, the date the password was last set is displayed, along with a message in yellow letting you know that the account's password does not expire.

Else
{
$til = (([datetime]::FromFileTime((get-aduser $user -properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed"))-(get-date)).days
# $til is a number of days, so compare against the number 5, not the string "5"
if($til -lt 5)
{
 write-host $user "last set their password on " $use.passwordlastset "it will expire again in " $til " days" -foregroundcolor red
}
else
{
 write-host $user "last set their password on " $use.passwordlastset "it will expire again in " $til " days" -foregroundcolor green
}
}  # closes the Else block
}  # closes the get-pwdset function

With this function in place, you can enter get-pwdset juser to have PowerShell check Active Directory, determine when the juser object last set its password, and report how many days remain until the password expires. An example is shown below in figure A.
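As an added example (this is not the article's code), here is the same lookup written the way I would deploy it on a help desk: it emits objects instead of coloured Write-Host text so the result can be filtered, exported or piped from Get-ADUser, and it handles the cases the original function does not check: a user that cannot be found, an account whose password was never set or must be changed at next logon (the computed expiry attribute is 0), and an account whose computed expiry is "never" (Int64.MaxValue), which [datetime]::FromFileTime cannot convert. The function name Get-PasswordInfo, the WarnDays parameter and the user names in the usage lines are this example's own assumptions.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the article's get-pwdset. Function and parameter names are
# this example's own; the user names in the usage lines are constructed.
function Get-PasswordInfo {
    [CmdletBinding()]
    param(
        # Accepts names on the command line, from the pipeline, or from
        # Get-ADUser output (bound through the SamAccountName alias).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true,
                   ValueFromPipelineByPropertyName = $true)]
        [Alias('SamAccountName')]
        [string[]]$Identity,

        # Flag accounts with fewer than this many days left (the article used 5).
        [int]$WarnDays = 5
    )

    process {
        foreach ($name in $Identity) {
            try {
                # One query fetches everything needed. msDS-UserPasswordExpiryTimeComputed
                # is a constructed attribute that already honours fine-grained password policies.
                $u = Get-ADUser -Identity $name -ErrorAction Stop -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed'
            }
            catch {
                # Unknown or unreadable account: warn and move on instead of aborting the pipeline.
                Write-Warning "Cannot read user '$name': $($_.Exception.Message)"
                continue
            }

            $raw      = $u.'msDS-UserPasswordExpiryTimeComputed'
            $expires  = $null
            $daysLeft = $null

            if ($u.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
                # Either the flag is set or AD reports the "never" sentinel (0x7FFFFFFFFFFFFFFF).
                $status = 'NeverExpires'
            }
            elseif ($null -eq $raw -or $raw -eq 0 -or $null -eq $u.PasswordLastSet) {
                # Expiry of 0 / no PasswordLastSet means the password was never set
                # or the user must change it at next logon.
                $status = 'MustChangeAtNextLogon'
            }
            else {
                $expires  = [datetime]::FromFileTime($raw)
                $daysLeft = ($expires - (Get-Date)).Days
                $status   = if ($u.PasswordExpired -or $daysLeft -lt 0) { 'Expired' }
                            elseif ($daysLeft -lt $WarnDays)            { 'ExpiringSoon' }
                            else                                        { 'OK' }
            }

            [pscustomobject]@{
                User            = $u.SamAccountName
                PasswordLastSet = $u.PasswordLastSet
                PasswordExpires = $expires
                DaysUntilExpiry = $daysLeft
                Status          = $status
            }
        }
    }
}

# Usage (constructed names):
#   Get-PasswordInfo -Identity juser
#   'juser', 'test' | Get-PasswordInfo -WarnDays 7
#   Get-ADUser -Filter 'Enabled -eq $true' | Get-PasswordInfo |
#       Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Returning objects rather than writing text means the colour decision moves to the caller (Format-Table, a Where-Object filter, or an Export-Csv for a weekly report), and the Status value makes it easy to spot accounts with non-expiring passwords, which are worth reviewing on their own.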

Figure A

The get-pwdset function running for user test

Hopefully this little function will come in handy for you if finding password expiration is a problem you need to solve.

About

Derek Schauland has been tinkering with Windows systems since 1997. He has supported Windows NT 4, worked phone support for an ISP, and is currently the IT Manager for a manufacturing company in Wisconsin.

13 comments
Crash84

If you go to Users and Computers and select a user, then go into the file menu and select View and then check the advanced features, the next time you go into the properties there will be an advanced account tab that will give you all the same info that the PowerShell script showed. You can also reset locked pwd's on domain controllers from there.

Derek Schauland

Palmetto_CharlieSpencer - I hear that... I was in that camp for a bit... but without a four letter acronym, POSH, SCCM, etc., is it really a product? There are lots of those coming out of Microsoft; sometimes without an acronym I tend to think it is merely an idea.

Derek Schauland

The earlier $user.passwordlastset typo appears to be fixed in the code above. Thanks to the editors for helping get this corrected.

Derek Schauland

Palmetto_CharlieSpencer - I am working on some additional PowerShell scripts and ideas around POSH... seems this might be the new cowbell?

Derek Schauland

You are correct... I think it was a typo when putting this together... the write-host command should reference $user to get the username and $use.passwordlastset to check the password details. Thanks for finding that.

Craig_B

Here's a script I wrote some time ago called userinfo.ps1, that gets various information on a user account. It uses the Quest AD Management snapin.

#Requires -version 2.0
#Requires -PsSnapIn Quest.ActiveRoles.ADManagement

# Prompt for User Name and Get Data
Write-Host
$User = Read-Host "Enter User Account Name or User Name"
$User = $User.toupper()
cls
$UI = Get-QADUser -Identity $User

# Error Checking: Verify account exists and only 1 match is found.
# (A single object reports Count = 1 on PowerShell 3 and later, so test for more than one match.)
If (($UI.WhenCreated -eq $NULL) -or ($UI.count -gt 1))
{
    Write-Host -ForegroundColor Red "User Data Error"
    Write-Host
    Write-Host "Please Verify Account Name"
    Write-Host
    EXIT 99
}

# Display Results
Write-Host
Write-Host -ForegroundColor Cyan "User: $User " $UI.DisplayName $UI.LogonName
Write-Host
Write-Host -ForegroundColor White "ACCOUNT INFORMATION"

# Check various Account/Password Flags - Display in Red if set and increment $RedFlag.
[int]$RedFlag = 0
If ($UI.AccountIsExpired -eq $TRUE)
{
    $RedFlag++
    Write-Host -ForegroundColor Red "Account Expired!"
}
If ($UI.AccountIsDisabled -eq $TRUE)
{
    $RedFlag++
    Write-Host -ForegroundColor Red "Account Disabled!"
}
If ($UI.AccountIsLockedOut -eq $TRUE)
{
    $RedFlag++
    Write-Host -ForegroundColor Red "Account Locked!"
}

# If RedFlag not set, display OK in Green
If ($RedFlag -eq 0) {Write-Host -ForegroundColor Green "Account OK"}

# If these flags set, show in color
If ($UI.PasswordIsExpired -eq $TRUE) {Write-Host -ForegroundColor Red "Password Expired!"}
If ($UI.PasswordNeverExpires -eq $TRUE) {Write-Host -ForegroundColor Magenta "Password Never Expires"}

# Display AD Account Information
Write-Host
Write-Host "Password:" $UI.PasswordStatus
Write-Host "Account Expires:" $UI.AccountExpires
Write-Host "Password Expires:" $UI.PasswordExpires
Write-Host
Write-Host "Password Last Set:" $UI.PasswordLastSet
Write-Host "Last Logon:" $UI.LastLogonTimeStamp
Write-Host "Change Password at Next Login:" $UI.UserMustChangePassword
Write-Host
Write-Host "Account Created:" $UI.WhenCreated
Write-Host "Account Last Modified:" $UI.WhenChanged
Write-Host
Write-Host "Account DN:" $UI.DN
Write-Host

# Display Exchange Information
Write-Host -ForegroundColor White "EXCHANGE INFORMATION"
# Verify Exchange Account exists and display info if it does.
If ($UI.EmailAddressPolicyEnabled -eq $true)
{
    $Exchange = Get-Mailbox -Identity $UI.NTAccountName
    Write-Host "Email Address:" $Exchange.WindowsEmailAddress
    Write-Host "Email DB:" $Exchange.Database
    Write-Host "Hidden from GAL? " $Exchange.HiddenFromAddressListsEnabled
    Write-Host "Email Forwarded? " $Exchange.DeliverToMailboxAndForward
    Write-Host
}
# No Exchange Account found.
Else
{
    Write-Host "No Exchange Account Found"
    Write-Host
}

# Display Office Communicator/Lync Information
Write-Host -ForegroundColor White "Lync INFORMATION"
If ($UI["msrtcsip-UserEnabled"] -ne $null)
{
    Write-Host "Lync Enabled:" $UI["msrtcsip-UserEnabled"]
    Write-Host "SIP Address:" $UI["msrtcsip-PrimaryUserAddress"]
    Write-Host
}
Else
{
    Write-Host "No Lync Account Found"
    Write-Host
}

# Display Groups User is a MemberOf (all other pipes just help with formatting the output)
Write-Host -ForegroundColor White "GROUP INFORMATION:"
$UI.MemberOf | Get-QADGroup | sort name | select name | ft -HideTableHeaders

JackRIP

I think you have a small error in this script: in the last if statement, when you write-host $user ... it should be $use.passwordlastset instead of $user.passwordlastset.

CharlieSpencer

I haven't heard the term before. Also, could you suggest where I could get a list of the names and parameters for AD object properties like 'passwordlastset' and 'passwordneverexpires'?

CharlieSpencer

The only 'posh' I'm aware of is David Beckham's wife. I assume they're still together; I don't follow soccer or has-beens.
