Using powershell to pull a report of users that have Password must be changed at next logon

  • Question

  • Does anyone know a way to list users that have the box checked requiring them to change password at next log on.

    I need to pull against several criteria but one is user must change password at next log on is checked.

    I think you can do it with Quest PowerShell cmdlets but we can't use those :(

    Thanks in advance


    Lishron

    Thursday, August 13, 2015 5:13 PM

Answers

  • We have no idea what you are talking about.  This works exactly as it is supposed to.

    Get-ADUser -Filter {pwdLastSet -eq 0}|select name

    We use it all of the time. If it doesn't work for you then you have issues with AD or with your access to AD attributes.


    \_(ツ)_/

    • Marked as answer by Lishron Thursday, August 13, 2015 7:45 PM
    Thursday, August 13, 2015 7:04 PM

All replies

  • There is no need to be helpless.

    http://www.google.com/search?&q=powershell+find+user+must+change+password+at+next+logon


    -- Bill Stewart [Bill_Stewart]

    Thursday, August 13, 2015 5:22 PM
    Moderator
  • thanks but that is of 0 help.


    Lishron

    Thursday, August 13, 2015 5:33 PM
  • This is like the opposite of a forum, I swear.  This is whatever the opposite of helpful is.

    I see banners to save technet and just why answer.

    Get-ADUser -Filter {pwdLastSet -eq 0} | Format-Table Name,DistinguishedName

    That of no help ran that. My question read it if you choose to "help" read the question.

     need to pull against several criteria but one is user must change password at next log on is checked.

    That will NOT tell you that at all.



    Lishron

    Thursday, August 13, 2015 5:53 PM
  • You need to try to read the whole page. You read the first line and gave up on both suggestions.  All methods are covered on that page. 

    \_(ツ)_/

    Thursday, August 13, 2015 6:33 PM
  • That works just fine for me.  Run it in Powershell ISE and it will load the AD module and list every user that has the Must Change password at next log on box checked.

    Did you try it?

    Thursday, August 13, 2015 6:35 PM
  • I did.

    I saw nothing I needed on it. Looked at other pages.  If I would find an answer ANYWHERE else would not be here talking to folks that are not helping.  Just ignore me if you don't know or choose to give the runaround.


    I came to this Forum to ask what "IF POSSIBLE" should be a one liner 

    something like

    Get-ADUser -SearchBase "some base" -Filter * |Where-Object { ($_.usermustchangepassword -eq $true)}

    But that does not work.

    Instead i am learning about this thing called google and why this forum is irrelevant.

     


    Lishron

    Thursday, August 13, 2015 6:39 PM
  • This is like the opposite of a forum, I swear.  This is whatever the opposite of helpful is.

    I see banners to save technet and just why answer.

    Get-ADUser -Filter {pwdLastSet -eq 0} | Format-Table Name,DistinguishedName

    That of no help ran that. My question read it if you choose to "help" read the question.

     need to pull against several criteria but one is user must change password at next log on is checked.

    That will NOT tell you that at all.



    Lishron

    That will absolutely tell you that.  Pick a user. Test the check and watch the user come and go from the results.


    \_(ツ)_/

    Thursday, August 13, 2015 6:39 PM
  • I did.

    I saw nothing I needed on it. Looked at other pages.  If I would find an answer ANYWHERE else would not be here talking to folks that are not helping.  Just ignore me if you don't know or choose to give the runaround.


    I came to this Forum to ask what "IF POSSIBLE" should be a one liner 

    something like

    Get-ADUser -SearchBase "some base" -Filter * |Where-Object { ($_.usermustchangepassword -eq $true)}

    But that does not work.

    Instead i am learning about this thing called google and why this forum is irrelevant.

     


    Lishron


    There is no such property as that.

    \_(ツ)_/

    Thursday, August 13, 2015 6:40 PM
  • $_.usermustchangepassword

    This is a Quest only property.  You said you can't use Quest.


    \_(ツ)_/

    Thursday, August 13, 2015 6:44 PM
  • 'There is no such property as that.'

    that is 100% correct.

    Get-ADUser -Filter {pwdLastSet -eq 0} | Format-Table Name,DistinguishedName



    This is not correct

    I  ran this report and ran it again.  One of the users here to prove point set a account with a user account with a password did it enable that flag and just gave the user the password.  Never showed up on the report.  

    So I was asked to see if it is possible to pull a report on that flag.

    Sounds like through PowerShell may not be able to do it.



    Lishron

    Thursday, August 13, 2015 6:53 PM
  • We have no idea what you are talking about.  This works exactly as it is supposed to.

    Get-ADUser -Filter {pwdLastSet -eq 0}|select name

    We use it all of the time. If it doesn't work for you then you have issues with AD or with your access to AD attributes.


    \_(ツ)_/

    Thank you so much.

    That is really all i was looking for.

    Everything i read said i was right.

    We have several DC's with sometimes replication taking some time and I think that is playing a role in the user that is trying to prove me wrong.

    That is 100% what i used as that portion of the script.

    Thank you very much.


    Lishron

    Thursday, August 13, 2015 7:45 PM
  • That is really funny.  Replication!  LOL!

    \_(ツ)_/

    Thursday, August 13, 2015 7:50 PM
  • That is really funny.  Replication!  LOL!

    \_(ツ)_/

    I am sorry i don't understand what you mean.

    I acknowledge you are super sharp so i may be  not sharp enough to pick up on what you are saying.


    Lishron

    PS we have 90+ DCs and 170 + sites


    • Edited by Lishron Thursday, August 13, 2015 7:56 PM
    Thursday, August 13, 2015 7:55 PM
  • Why would you use "replication" as a reason why this won't work?  What does this have to do with replication? 

    \_(ツ)_/

    Thursday, August 13, 2015 7:56 PM
  • PS we have 90+ DCs and 170 + sites

    Lishron

    Thursday, August 13, 2015 7:57 PM
  • It doesn't work like that.

    \_(ツ)_/

    Thursday, August 13, 2015 7:58 PM
  • It doesn't work like that.

    \_(ツ)_/

    Well you are sharp and I am sharp enough to know not to try to match you cause I won't, but each location has their own DC to control logons etc.  Due to the large number of users we have replication manually set to every 40 minutes.  We make a change or an off-site location does and it is not immediate in the information we query in AD and has caused issues.

    We can change our DC or use repadmin but it COULD play a role in this as it has other issues.


    Lishron

    Thursday, August 13, 2015 8:02 PM
  • It is not replicated.  It is direct write by broadcast.  Certain critical values are sent to other DCs immediately so as to enforce security.

    Sometimes we need to debug ourselves as well as the system.  This is a good chance to back up and see why you did not get it to work the first time.  I find it hard to believe that no users in any of your domains have passwords that have not been reset.

    There is no reason to set replication to a longer value if you have a stable set of domains.  I cannot believe you have one domain, 70 DCs and  120 sites.  It seems kind of inefficient and hard to manage.  Don't get me wrong. I am not saying it is not possible, only that it seems odd.

    The nearest DC will handle your request.  This is almost always the case.  Only if you choose a remote DC to set this value then poll a local DC will you see a short delay.  Maybe 30 seconds at most.

    No.  It is more likely you flubbed something earlier.  I nearly always debug myself when this happens.  I ask, "Why did that not work for me?"  I then go back and try and retrace my steps.  It is always an enlightening exercise.

    Good luck.


    \_(ツ)_/


    • Edited by jrv Thursday, August 13, 2015 8:15 PM
    Thursday, August 13, 2015 8:15 PM
  • I think you misread.

    It found many many that on the list a couple 1000.

    It missed 1 or two that is what started this. 

    But thank you

    We are a system and we have well over 100,000 thousand log on and off at almost the same time throughout the day so the rep times had to be adjusted.

    Thanks again


    Lishron

    Thursday, August 13, 2015 9:48 PM
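
Added example, not posted by anyone in the thread: a sketch that turns the `pwdLastSet -eq 0` check into a report with extra criteria, and reads one account's `pwdLastSet` from every domain controller to show whether the DCs agree. The function names are hypothetical, and the OU and account name in the usage comments are constructed placeholders; it assumes the ActiveDirectory module and read access to these attributes.

```powershell
Import-Module ActiveDirectory

# pwdLastSet = 0 is what "User must change password at next logon" writes.
# Extra criterion: skip disabled accounts (userAccountControl bit 2).
$MustChangeFilter = '(&(objectCategory=person)(objectClass=user)(pwdLastSet=0)' +
                    '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

function Get-MustChangePasswordUser {
    param(
        [string]$SearchBase,   # optional OU distinguished name
        [string]$Server        # optional DC to query instead of the nearest one
    )
    $params = @{
        LDAPFilter = $MustChangeFilter
        Properties = 'pwdLastSet', 'PasswordNeverExpires', 'whenCreated'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }
    if ($Server)     { $params.Server     = $Server }

    # PasswordNeverExpires is reported so those accounts can be reviewed separately.
    Get-ADUser @params |
        Select-Object Name, SamAccountName, PasswordNeverExpires, whenCreated, DistinguishedName
}

function Compare-PwdLastSetAcrossDC {
    param([Parameter(Mandatory)][string]$Identity)

    foreach ($dc in Get-ADDomainController -Filter *) {
        $row = [ordered]@{ DC = $dc.HostName; Site = $dc.Site; PwdLastSet = $null; MustChange = $null }
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties pwdLastSet -ErrorAction Stop
            $row.PwdLastSet = $u.pwdLastSet
            $row.MustChange = ($u.pwdLastSet -eq 0)
        } catch {
            # DC unreachable or object not present there; leave the values empty.
        }
        [pscustomobject]$row
    }
}

# Usage (placeholder values):
#   Get-MustChangePasswordUser -SearchBase 'OU=Staff,DC=example,DC=test' | Export-Csv report.csv -NoTypeInformation
#   Compare-PwdLastSetAcrossDC -Identity 'jdoe' | Format-Table
```

An account missing from the report while the per-DC output shows differing `MustChange` values indicates the report was read from a DC that had not yet received the change.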