Friday, November 1, 2013

Powershell script to check domain password policy and user password status.

One of our domain users tried to change his password and he got the error message:
"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."

I tried to find the reason. Many people mentioned that the problem might be the setting of "Min password age", then I found this Power Shell scipt which can give me the setting of password policy and the last time user changed his password.

This is the original link:
http://www.blackops.ca/cms/blog/?p=295

This is the scipt code:
===========================

cls
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
While (!$result){
  $UserName = Read-Host 'Username to check : '
  if (!$UserName){
    Write-Host "No Username Entered"exit
  }
  $searcher.Filter = "(&(objectClass=User)(samAccountName=" + $username + "))"
  $result = $searcher.Findone()
}
# get domain password policy (max pw age)
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$MPA = $Domain.maxPwdAge.Value
$MinPA = $Domain.minPwdAge.Value
# Convert to Int64 ticks (100-nanosecond intervals).
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)
$lngMinPwdAge = $Domain.ConvertLargeIntegerToInt64($MinPA)
$MinPwdLength = $Domain.minPwdLength
$PwdHistory = $Domain.pwdHistoryLength
# Convert to days.
$MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
$MinPwdAge = -$lngMinPwdAge/(600000000 * 1440)
$lngPwdLastSet =$result.Properties.pwdlastset
$pwdLastSet = [datetime]::FromFileTime($lngPwdLastSet[0])
Write-Host $result.Path
Write-Host $result.Properties.cn " " $result.Properties.userprincipalname
Write-Host "Password Last Set : " $pwdLastSet
Write-Host "Max Password Age : " $MaxPwdAge
Write-Host "Min Password Age : " $MinPwdAge
Write-Host "Password History : " $PwdHistory
Write-Host "Min Password Length : " $MinPwdLength
if ($pwdLastSet -ge (Get-Date).AddDays(-$MinPwdAge)){
  Write-Host -ForegroundColor Red "Password can not be changed - Min Age"
}
if ($pwdLastSet -ge (Get-Date).AddDays($MaxPwdAge)){
  Write-Host -ForegroundColor Red "Password Expired"
}

========== end of scipt =====================
Posted by at
Labels: ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)