Mr. Roboto

Domain Password Report

Here's an AD administration script that takes advantage of PowerShell.

I've just finished my latest book, "Managing Active Directory with Windows PowerShell: TFM" (Sapien, 2008), and all I can think about is Active Directory. AD administration is likely a daily task for you, so I thought you might like a little assistance from Mr. Roboto and PowerShell. I used to develop my tools in VBScript, but Windows PowerShell is today's management paradigm, so why not take advantage of it?

I've taken a code sample from my book and expanded it into a practical utility. The PowerShell script is called Get-DomainPasswordReport. The script will create a report for all enabled user accounts with passwords and account information. The script doesn't use any third-party cmdlets or snap-ins, so you can use it immediately. This task could also be accomplished using the Quest Active Directory cmdlets, but I wanted to stick with out-of-the-box functionality. The only limitation is that the script requires a Windows 2003 or later AD domain. As always, please test this script in a non-production environment.

First, create an alias for the script in your PowerShell profile. The examples I'll show you in a moment use this alias.

PS C:\> Set-Alias gdpr 

The script uses ADSI and the System.DirectoryServices.DirectorySearcher class to retrieve user accounts and selected properties such as when an account was created, its e-mail address and when the password was last changed. I also calculated a few custom properties: the password age in days, and whether or not the password has expired. All of this information is passed to the PowerShell pipeline with a custom object for each user account. Here's an example:

Name: Roy G. Biv
DN                    : CN=Roy 
Description           : Company presi 
Email         : [email protected]
AccountCreated        : 2/24/2008 
11:41:44 AM
AccountModified       : 6/13/2008 
9:08:41 PM
LastLogon             : 6/22/2008 
8:56:21 AM
PasswordLastChanged   : 
5/12/2008 11:55:00 PM
PasswordAge           : 58
PasswordExpired       : False
PasswordNeverExpires  : True
PasswordChangeAllowed : True
BadPasswordTime       : 0

There are many ways to use this script. You may only want selected properties. You may want to save the information to a file. Or perhaps you'd like to send an e-mail to all users whose password is about to expire. All the examples I'm about to show you are one-liners that use the PowerShell pipeline.

The script's output is objects you can sort, filter, group or do just about anything you want with based on the object's properties. Suppose you want to find all user accounts configured with a non-expiring password:

PS C:\> gdpr | where {$_.Pass 

But maybe you only need a few properties for these objects:

PS C:\> gdpr | where {$_.Pass 
wordNeverExpires} | Select 

These examples will produce console output, but I assume you'll want to save the results to a file.

PS C:\> gdpr | sort LastLogon | 
word*| out-file AccountReport.txt

The Select-Object cmdlet permits wildcards in property names, so this expression will return all properties that begin with Account and Password.

Perhaps you'd like to export the information to a .CSV file so you can load it into Microsoft Excel for more reporting:

PS C:\> gdpr | where {$_.pass 
wordExpired} | Export-CSV 

This expression will export all objects and properties for accounts where the password has expired.

My goal here was to show you what you could do with this script and get you started in the right direction. Mix PowerShell with AD and you're sure to get dynamite results.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.


comments powered by Disqus