Mr. Roboto

Domain Password Report

Here's an AD administration script that takes advantage of PowerShell.

I've just finished my latest book, "Managing Active Directory with Windows PowerShell: TFM" (Sapien, 2008), and all I can think about is Active Directory. AD administration is likely a daily task for you, so I thought you might like a little assistance from Mr. Roboto and PowerShell. I used to develop my tools in VBScript, but Windows PowerShell is today's management paradigm, so why not take advantage of it?

I've taken a code sample from my book and expanded it into a practical utility. The PowerShell script is called Get-DomainPasswordReport. The script will create a report for all enabled user accounts with passwords and account information. The script doesn't use any third-party cmdlets or snap-ins, so you can use it immediately. This task could also be accomplished using the Quest Active Directory cmdlets, but I wanted to stick with out-of-the-box functionality. The only limitation is that the script requires a Windows 2003 or later AD domain. As always, please test this script in a non-production environment.

First, create an alias for the script in your PowerShell profile. The examples I'll show you in a moment use this alias.

PS C:\> Set-Alias gdpr 

The script uses ADSI and the System.DirectoryServices.DirectorySearcher class to retrieve user accounts and selected properties such as when an account was created, its e-mail address and when the password was last changed. I also calculated a few custom properties: the password age in days, and whether or not the password has expired. All of this information is passed to the PowerShell pipeline with a custom object for each user account. Here's an example:

Name: Roy G. Biv
DN                    : CN=Roy 
Description           : Company presi 
Email         : [email protected]
AccountCreated        : 2/24/2008 
11:41:44 AM
AccountModified       : 6/13/2008 
9:08:41 PM
LastLogon             : 6/22/2008 
8:56:21 AM
PasswordLastChanged   : 
5/12/2008 11:55:00 PM
PasswordAge           : 58
PasswordExpired       : False
PasswordNeverExpires  : True
PasswordChangeAllowed : True
BadPasswordTime       : 0

There are many ways to use this script. You may only want selected properties. You may want to save the information to a file. Or perhaps you'd like to send an e-mail to all users whose password is about to expire. All the examples I'm about to show you are one-liners that use the PowerShell pipeline.

The script's output is objects you can sort, filter, group or do just about anything you want with based on the object's properties. Suppose you want to find all user accounts configured with a non-expiring password:

PS C:\> gdpr | where {$_.Pass 

But maybe you only need a few properties for these objects:

PS C:\> gdpr | where {$_.Pass 
wordNeverExpires} | Select 

These examples will produce console output, but I assume you'll want to save the results to a file.

PS C:\> gdpr | sort LastLogon | 
word*| out-file AccountReport.txt

The Select-Object cmdlet permits wildcards in property names, so this expression will return all properties that begin with Account and Password.

Perhaps you'd like to export the information to a .CSV file so you can load it into Microsoft Excel for more reporting:

PS C:\> gdpr | where {$_.pass 
wordExpired} | Export-CSV 

This expression will export all objects and properties for accounts where the password has expired.

My goal here was to show you what you could do with this script and get you started in the right direction. Mix PowerShell with AD and you're sure to get dynamite results.

About the Author

Jeffery Hicks is an IT veteran with over 25 years of experience, much of it spent as an IT infrastructure consultant specializing in Microsoft server technologies with an emphasis in automation and efficiency. He is a multi-year recipient of the Microsoft MVP Award in Windows PowerShell. He works today as an independent author, trainer and consultant. Jeff has written for numerous online sites and print publications, is a contributing editor at, and a frequent speaker at technology conferences and user groups.


  • Microsoft Uniting OneDrive and SharePoint Admin Portals Next Month

    Microsoft is converging its OneDrive and SharePoint Admin Center management portals, with a consolidated portal expected to arrive for Microsoft 365 subscribers "through February."

  • Phishing Tops Concerns in Microsoft Study of Remote Work

    Potential phishing attacks were a top concern of most IT security professionals when organizations switched to remote-work conditions early last year.

  • How To Configure Windows 10 for Intel Optane Memory

    Intel's Optane memory technology can significantly improve the performance of your Windows 10 system -- provided you enable it correctly. A single mistake can render the system unbootable. Here's how to do it the right way.

  • Microsoft and SAP Enhance Partnership with Teams Integration

    Microsoft and SAP this week described continuing partnership efforts on Microsoft Azure, while also planning a Microsoft Teams integration with SAP's enterprise resource planning product and other solutions.

comments powered by Disqus