Normally your password policies would keep users changing their passwords within an acceptable period of time. Should you need to know how long it has been since the members of a group changed their passwords, try out this code. You feed the cmdlet a comma-separated list of security groups in your Active Directory environment. It returns when each member of the group last changed their password and how many days ago that change was.
You need access to the ActiveDirectory module for this code to work.
Function Get-GroupPasswordDate
{
    [cmdletbinding(HelpURI = "http://get-help-jason-yoder.blogspot.com/2012/12/get-grouppassworddate.html")]
    Param (
        [String[]]$Group
    )

    # Import the required cmdlets from the ActiveDirectory module.
    Import-Module ActiveDirectory -Cmdlet Get-ADGroupMember, Get-ADUser

    # Cycle through each group sent to the cmdlet.
    ForEach ($Item in $Group)
    {
        Try
        {
            # Only user objects are passed on; nested groups and computers
            # cannot be resolved by Get-ADUser.
            Get-ADGroupMember -Identity $Item -ErrorAction Stop |
            Where-Object { $_.objectClass -eq "user" } |
            Get-ADUser -Properties PasswordLastSet |
            Select-Object -Property @{Label="Group";Expression={$Item}},
                Name, PasswordLastSet,
                @{Label="NumOfDays";Expression={((Get-Date).Subtract($_.PasswordLastSet)).Days}}
        }
        Catch
        {
            # Invalid groups are ignored, as stated in the help for -Group.
        }
    }

<#
.SYNOPSIS
Returns password age information for a list of security groups.

.DESCRIPTION
Returns each user in a security group and when they last changed their password.

.PARAMETER Group
Comma-separated list of security groups whose members you need to evaluate for their password age. Any invalid groups will be ignored.

.EXAMPLE
Get-GroupPasswordDate -Group "IT", "IT Managers", "Domain Admins"

Group Name           PasswordLastSet     NumOfDays
----- ----           ---------------     ---------
IT    Amr Zaki       6/6/2012 6:05:26 PM       188
IT    Ayca Yuksel    6/6/2012 6:05:26 PM       188
IT    Steve Winfield 6/6/2012 6:05:26 PM       188
IT    Maira Wenzel   6/6/2012 6:05:26 PM       188
IT    Qiang Wang     6/6/2012 6:05:26 PM       188
IT    Anne Wallace   6/6/2012 6:05:26 PM       188
#>
}
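An added example, not part of the original post: a filter for the function's output that keeps only members whose password is older than a limit and also flags members with no PasswordLastSet value (password never set, or a change is required at next logon), which an age comparison alone would skip. Find-StalePassword, -MaxAgeDays, the 90-day default and the sample rows are assumptions made for the illustration.

```powershell
# Added example; Find-StalePassword and its parameters are hypothetical names.
Function Find-StalePassword
{
    [CmdletBinding()]
    Param (
        # Rows shaped like the output of Get-GroupPasswordDate.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$InputObject,

        # Age limit in days; 90 is an assumed value, substitute your own policy.
        [int]$MaxAgeDays = 90
    )
    Process
    {
        If ($null -eq $InputObject.PasswordLastSet)
        {
            # No date recorded: password never set, or change required at next logon.
            $Status = "NoPasswordDate"
        }
        ElseIf ($InputObject.NumOfDays -gt $MaxAgeDays)
        {
            $Status = "Stale"
        }
        Else
        {
            Return   # Within the limit: emit nothing for this row.
        }

        $InputObject |
        Select-Object -Property Group, Name, PasswordLastSet, NumOfDays,
            @{Label = "Status"; Expression = { $Status }}
    }
}

# Constructed sample rows so the example runs without a domain controller.
$Now = Get-Date
$Sample = @(
    [pscustomobject]@{Group = "Domain Admins"; Name = "Sample Admin A"; PasswordLastSet = $Now.AddDays(-188); NumOfDays = 188}
    [pscustomobject]@{Group = "Domain Admins"; Name = "Sample Admin B"; PasswordLastSet = $Now.AddDays(-12);  NumOfDays = 12}
    [pscustomobject]@{Group = "IT";            Name = "Sample User C";  PasswordLastSet = $null;              NumOfDays = $null}
)

# Emits Sample Admin A (Stale) and Sample User C (NoPasswordDate).
$Sample | Find-StalePassword -MaxAgeDays 90 | Sort-Object -Property Group, Name
```

Against a live domain, pipe the function's output in directly: Get-GroupPasswordDate -Group "Domain Admins" | Find-StalePassword -MaxAgeDays 90.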