Query AD disabled users OU for password expiration date. RRS feed

  • Question

  • Hello,

    I have a script that queries AD (Scheduled Task) and sends a password expiration report for my users OU. Works great and maybe we got it from here. :o) I would like to include/query another OU (OtherUsers) with my disabled accounts in it. These are shared user mailboxes, and various accounts. All are disabled. We had them set to Password never expire, but with new security concerns from HQ we have removed the Password never expires check. I am not a scripter by any means and have a limited understanding of what's going on in scripts. I do have AD info free edition, but I would like to automate the process. Could someone help me so I can query this OU and get a report for these disabled users password expiration dates? I attempted to alter my current one to no avail.  Below is the current PS script I use.

    Thank you in advance.

    Param (
     [string]$Path = "c:\PasswordExpireReports",
     [string]$SearchBase = "OU=Users,OU=Here,OU=Hospitals,DC=Here,DC=cc",
     [int]$Age = 5,
     [string]$From = "Our-Alert@Donotreply.com",
     [string]$To = "me@here.org",
     [string]$SMTPServer = "smtp.here.cc"
    Import-Module ActiveDirectory
    $Result = @()

    #region Determine MaxPasswordAge
    #Determine MaxPasswordAge
    $maxPasswordAgeTimeSpan = $null
    $dfl = (get-addomain).DomainMode
    $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    If ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0)
    { Write-Host "MaxPasswordAge is not set for the domain or is set to zero!"
     Write-Host "So no password expiration's possible."

    $Users = Get-ADUser -Filter {enabled -eq $true} -SearchBase $SearchBase -SearchScope Subtree -Properties GivenName,sn,PasswordExpired,PasswordLastSet,PasswordneverExpires,LastLogonDate
    ForEach ($User in $Users)
    { If ($User.PasswordNeverExpires -or $User.PasswordLastSet -eq $null)
     { Continue
     If ($dfl -ge 3)
     { ## Greater than Windows2008 domain functional level
      $accountFGPP = $null
      $accountFGPP = Get-ADUserResultantPasswordPolicy $User
         If ($accountFGPP -ne $null)
      { $ResultPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
      { $ResultPasswordAgeTimeSpan = $maxPasswordAgeTimeSpan
     { $ResultPasswordAgeTimeSpan = $maxPasswordAgeTimeSpan
     $Expiration = $User.PasswordLastSet + $ResultPasswordAgeTimeSpan
     If ((New-TimeSpan -Start (Get-Date) -End $Expiration).Days -le $Age)
     { $Result += New-Object PSObject -Property @{
       'Last Name' = $User.sn
       'First Name' = $User.GivenName
       UserName = $User.SamAccountName
       'Expiration Date' = $Expiration
       'Last Logon Date' = $User.LastLogonDate
       State = If ($User.Enabled) { "" } Else { "Disabled" }
    $Result = $Result | Select 'Last Name','First Name',UserName,'Expiration Date','Last Logon Date' | Sort -descending 'Expiration Date','Last Name'

    #Produce a CSV
    $ExportDate = Get-Date -f "yyyy-MM-dd"
    $Result | Export-Csv $path\ExpiringReport-$ExportDate.csv -NoTypeInformation

    #Send HTML Email
    $Header = @"
    TABLE {border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}
    TH {border-width: 1px;padding: 3px;border-style: solid;border-color: black;background-color: #6495ED;}
    TD {border-width: 1px;padding: 3px;border-style: solid;border-color: black;}
    $splat = @{
     From = $From
     To = $To
     SMTPServer = $SMTPServer
     Subject = "Here Network Password Expiration Report"
    $Body = $Result | ConvertTo-Html -Head $Header | Out-String
    Send-MailMessage @splat -Body $Body -BodyAsHTML -Attachments $Path\ExpiringReport-$ExportDate.csv

    • Moved by Bill_Stewart Thursday, January 25, 2018 10:36 PM This is not "fix/debug/rewrite my script for me" forum
    Friday, November 17, 2017 9:12 PM

All replies