Mr. Roboto

Domain Password Report

Here's an AD administration script that takes advantage of PowerShell.

I've just finished my latest book, "Managing Active Directory with Windows PowerShell: TFM" (Sapien, 2008), and all I can think about is Active Directory. AD administration is likely a daily task for you, so I thought you might like a little assistance from Mr. Roboto and PowerShell. I used to develop my tools in VBScript, but Windows PowerShell is today's management paradigm, so why not take advantage of it?

I've taken a code sample from my book and expanded it into a practical utility. The PowerShell script is called Get-DomainPasswordReport. The script will create a report for all enabled user accounts with passwords and account information. The script doesn't use any third-party cmdlets or snap-ins, so you can use it immediately. This task could also be accomplished using the Quest Active Directory cmdlets, but I wanted to stick with out-of-the-box functionality. The only limitation is that the script requires a Windows 2003 or later AD domain. As always, please test this script in a non-production environment.

First, create an alias for the script in your PowerShell profile. The examples I'll show you in a moment use this alias.

PS C:\> Set-Alias gdpr 

The script uses ADSI and the System.DirectoryServices.DirectorySearcher class to retrieve user accounts and selected properties such as when an account was created, its e-mail address and when the password was last changed. I also calculated a few custom properties: the password age in days, and whether or not the password has expired. All of this information is passed to the PowerShell pipeline with a custom object for each user account. Here's an example:

Name                  : Roy G. Biv
DN                    : CN=Roy 
Description           : Company presi 
Email                 :
AccountCreated        : 2/24/2008 11:41:44 AM
AccountModified       : 6/13/2008 9:08:41 PM
LastLogon             : 6/22/2008 8:56:21 AM
PasswordLastChanged   : 5/12/2008 11:55:00 PM
PasswordAge           : 58
PasswordExpired       : False
PasswordNeverExpires  : True
PasswordChangeAllowed : True
BadPasswordTime       : 0
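
The following is an added sketch of the DirectorySearcher approach described above, not the Get-DomainPasswordReport script itself. The function name Get-PasswordAgeSketch is hypothetical, and the sketch assumes a domain-joined host and considers only the domain-wide maxPwdAge policy (fine-grained password policies are ignored).

```powershell
# Added illustration, not the article's Get-DomainPasswordReport script.
function Get-PasswordAgeSketch {            # hypothetical name
    $domain = [ADSI]''                      # binds to the current domain

    # Domain policy: maxPwdAge is stored as a negative 100-ns interval.
    $policy = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $policy.SearchScope = 'Base'
    $policy.Filter = '(objectClass=*)'
    [void]$policy.PropertiesToLoad.Add('maxpwdage')
    $raw = [int64]$policy.FindOne().Properties['maxpwdage'][0]
    # 0 or Int64.MinValue means the policy never expires passwords.
    $maxAge = $null
    if ($raw -ne 0 -and $raw -ne [int64]::MinValue) { $maxAge = [TimeSpan]::FromTicks(-$raw) }

    # Enabled user accounts only: bitwise-AND rule excludes ACCOUNTDISABLE (0x2).
    $users = New-Object System.DirectoryServices.DirectorySearcher($domain)
    $users.PageSize = 1000                  # page results past the server limit
    $users.Filter = '(&(objectCategory=person)(objectClass=user)' +
                    '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    'name', 'distinguishedname', 'pwdlastset', 'useraccountcontrol' |
        ForEach-Object { [void]$users.PropertiesToLoad.Add($_) }

    $results = $users.FindAll()
    try {
        foreach ($r in $results) {
            $p = $r.Properties
            $uac = [int]$p['useraccountcontrol'][0]
            $neverExpires = [bool]($uac -band 0x10000)   # DONT_EXPIRE_PASSWORD
            $pwdLastSet = [int64]$p['pwdlastset'][0]     # FILETIME; 0 = must change
            $changed = $null
            $age = $null
            if ($pwdLastSet -gt 0) {
                $changed = [DateTime]::FromFileTime($pwdLastSet)
                $age = ((Get-Date) - $changed).Days
            }
            $overAge = ($null -ne $maxAge) -and ($null -ne $age) -and ($age -gt $maxAge.TotalDays)
            [pscustomobject]@{
                Name                 = [string]$p['name'][0]
                DN                   = [string]$p['distinguishedname'][0]
                PasswordLastChanged  = $changed
                PasswordAge          = $age
                PasswordExpired      = (-not $neverExpires) -and ($pwdLastSet -eq 0 -or $overAge)
                PasswordNeverExpires = $neverExpires
            }
        }
    } finally { $results.Dispose() }        # release the unmanaged search handle
}
```

Accounts with pwdLastSet of 0 are reported as expired because the user must change the password at next logon.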

There are many ways to use this script. You may only want selected properties. You may want to save the information to a file. Or perhaps you'd like to send an e-mail to all users whose password is about to expire. All the examples I'm about to show you are one-liners that use the PowerShell pipeline.

The script's output is objects you can sort, filter, group or do just about anything you want with based on the object's properties. Suppose you want to find all user accounts configured with a non-expiring password:

PS C:\> gdpr | where {$_.Pass 

But maybe you only need a few properties for these objects:

PS C:\> gdpr | where {$_.PasswordNeverExpires} | Select 

These examples will produce console output, but I assume you'll want to save the results to a file.

PS C:\> gdpr | sort LastLogon | 
word*| out-file AccountReport.txt

The Select-Object cmdlet permits wildcards in property names, so this expression will return all properties that begin with Account and Password.

Perhaps you'd like to export the information to a .CSV file so you can load it into Microsoft Excel for more reporting:

PS C:\> gdpr | where {$_.passwordExpired} | Export-CSV 

This expression will export all objects and properties for accounts where the password has expired.

My goal here was to show you what you could do with this script and get you started in the right direction. Mix PowerShell with AD and you're sure to get dynamite results.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.

