I use this script to figure out which accounts have expired and/or their last password change/login date. This helps determine whether accounts are abandoned or not. Great for large migration planning.
In summary, the script collects information about AD users: their usernames, password last set dates, and account status (enabled or disabled), and from these it calculates password expiration dates and days until password expiration. It then exports the username, account status and password last set date to a CSV file for further analysis or reporting.
Technical Details
The provided script is a PowerShell script that fetches information about Active Directory (AD) user accounts and exports some of their properties to a CSV file named “expiredpassandlogon2.csv” located in the “C:\temp\” directory. The script checks the password last set date and calculates the number of days remaining until the password expires. Additionally, it checks if the user account is enabled or disabled.
Let’s break down the script step by step:
- It retrieves a list of all AD users using the `Get-ADUser` cmdlet with a filter to select all users (`-filter *`). The script then uses the `Select-Object` cmdlet with the `-ExpandProperty` parameter to retrieve only the “SamAccountName” property (username) for each user. The list of usernames is stored in the variable `$username`.
- The script enters a `ForEach` loop, where it iterates through each username in the `$username` array. Each username is represented by the variable `$user`.
- Inside the loop, it gets the current date and time using the `Get-Date` cmdlet, and the result is stored in the variable `$now`.
- It then retrieves the “PasswordLastSet” property for the user by using the `Get-ADUser` cmdlet with the `-properties passwordlastset` parameter. The value of “PasswordLastSet” is stored in the variable `$passlastset`.
- The script calculates the password expiration date by adding 60 days to the “PasswordLastSet” date. The result is stored in the variable `$passexpirationdate`. The 60 days are hard-coded, so the result matches the real expiry only where the domain's maximum password age is 60 days.
- It calculates the number of days until the password expires by subtracting the current date from the password expiration date (`$passexpirationdate - $now`) and selecting the `Days` property of the result. The number of days is then stored in the variable `$daystilexpire`.
- Next, it retrieves the “Enabled” property for the user (whether the account is enabled or disabled) using the `Get-ADUser` cmdlet with the `-Property Enabled` parameter. The value of “Enabled” is stored in the variable `$enable`.
- The script then constructs a string containing the username, account status (enabled/disabled), and the password last set date separated by commas. The string is appended to the “C:\temp\expiredpassandlogon2.csv” file using the `Out-file` cmdlet with the `-Append` parameter, which adds each user’s information to a new line in the CSV file.
The Script
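```powershell
Import-Module ActiveDirectory

# Collect every username in the domain
$username = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
foreach ($user in $username) {
    $now = Get-Date
    $passlastset = Get-ADUser $user -Properties PasswordLastSet | Select-Object -ExpandProperty PasswordLastSet
    # PasswordLastSet is empty when the password was never set or must be changed at next logon
    if ($passlastset) {
        $passexpirationdate = $passlastset.AddDays(60)   # assumes a 60-day maximum password age
        $daystilexpire = $passexpirationdate - $now | Select-Object -ExpandProperty Days
    } else { $passexpirationdate = $null; $daystilexpire = $null }
    $enable = Get-ADUser $user -Property Enabled | Select-Object -ExpandProperty Enabled
    # Append "username,enabled,passwordlastset" as one line of the CSV
    ($user + "," + $enable + "," + $passlastset) | Out-File -FilePath "C:\temp\expiredpassandlogon2.csv" -Append
}
```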
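The script above computes the expiry date and days remaining but writes only three fields, and it never reads a last-logon value. The following is an added example, not the author's script, that builds one report row per account with those fields included; the function name `ConvertTo-StaleReport`, its parameters, the 90-day threshold, the output path and the sample accounts are assumptions made for illustration.

```powershell
# Added example; ConvertTo-StaleReport and its parameters are hypothetical names.
function ConvertTo-StaleReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxPasswordAgeDays = 60,   # the page's hard-coded 60 days
        [int] $StaleAfterDays = 90,       # assumed review threshold
        [datetime] $Now = (Get-Date)
    )
    process {
        # PasswordLastSet is $null when the password was never set
        # or must be changed at next logon, so guard the date math.
        $expires = $null; $daysLeft = $null
        if ($User.PasswordLastSet) {
            $expires  = $User.PasswordLastSet.AddDays($MaxPasswordAgeDays)
            $daysLeft = ($expires - $Now).Days
        }
        # LastLogonDate is $null for accounts that have never logged on.
        $idleDays = $null
        if ($User.LastLogonDate) { $idleDays = ($Now - $User.LastLogonDate).Days }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Enabled         = $User.Enabled
            PasswordLastSet = $User.PasswordLastSet
            PasswordExpires = $expires
            DaysUntilExpiry = $daysLeft          # negative = already expired
            LastLogonDate   = $User.LastLogonDate
            DaysSinceLogon  = $idleDays
            ReviewAsStale   = ($null -eq $idleDays) -or ($idleDays -ge $StaleAfterDays)
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output, so this runs without a domain.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';   Enabled = $true;  PasswordLastSet = [datetime]'2024-05-10'; LastLogonDate = [datetime]'2024-05-30' }
    [pscustomobject]@{ SamAccountName = 'svc-old'; Enabled = $true;  PasswordLastSet = [datetime]'2022-01-15'; LastLogonDate = [datetime]'2022-03-01' }
    [pscustomobject]@{ SamAccountName = 'newhire'; Enabled = $false; PasswordLastSet = $null;                  LastLogonDate = $null }
)
$sample | ConvertTo-StaleReport -Now $now | Format-Table -AutoSize

# Against a directory, one query replaces the per-user lookups, and Export-Csv
# quotes each field and writes a header row (the output path is an assumption):
# Get-ADUser -Filter * -Properties PasswordLastSet, LastLogonDate |
#     ConvertTo-StaleReport | Export-Csv 'C:\temp\stale-accounts.csv' -NoTypeInformation
```

`LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default can trail the real logon by up to about 14 days, so treat `DaysSinceLogon` as approximate near the threshold.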