The Get-AdUser cmdlet in PowerShell uses the PasswordLastSet or PwdLastSet attributes to get AD user accounts that have "change password at next logon" set in Active Directory.
The Get-AdUser cmdlet exposes the PasswordLastSet and PwdLastSet attributes; if the value of either of these attributes is '0', the AD user account is set to change its password at the next logon.
In this article, we will discuss how to use Get-AdUser to get AD users that have change password at next logon set in Active Directory.
Get User Accounts having Change Password at Next Logon
The Get-AdUser cmdlet retrieves information about user accounts in Active Directory. It has PasswordLastSet and PwdLastSet attributes that store when the user's password was last set.
If the PasswordLastSet or PwdLastSet attribute value is '0', the user will be asked to change the password at the next logon.
Get-ADUser -LDAPFilter "(pwdLastSet=0)" | Select SamAccountName,distinguishedName
In the above PowerShell script, the Get-AdUser cmdlet uses the LDAPFilter parameter to select user accounts whose pwdLastSet attribute value is equal to 0. It uses the pipeline operator to pass the user accounts to the Select cmdlet, which displays the SamAccountName and DistinguishedName of each AD user with change password at next logon set.
The output of the above PowerShell script is the matching user account information.
Retrieve the AdUser with Change Password At Next Logon
Use the Get-AdUser cmdlet with the Filter parameter to check whether the PasswordLastSet or PwdLastSet attribute value is equal to 0.
Get-ADUser -Filter "PasswordLastSet -eq '0' -or PwdLastSet -eq 0" | Select SamAccountName,distinguishedName
In the above PowerShell script, the Get-AdUser cmdlet uses the Filter parameter with the -eq operator to check whether PasswordLastSet is equal to 0 or PwdLastSet is equal to 0, and retrieves the user accounts with change password at next logon set.
The output of the above script lists the AD user accounts that must change their password at the next logon.
PS C:\> Get-ADUser -Filter "PasswordLastSet -eq '0' -or PwdLastSet -eq 0" | Select SamAccountName,distinguishedName
SamAccountName distinguishedName
-------------- -----------------
Guest CN=Guest,CN=Users,DC=SHELLPRO,DC=LOCAL
Don CN=Don,CN=Users,DC=SHELLPRO,DC=LOCAL
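The two queries above return every account with pwdLastSet=0, including disabled accounts and accounts created minutes ago that simply have not logged on yet. The following script is an added example, not code from the original article; it extends the LDAPFilter query to enabled accounts only and adds the account age and last logon so a reviewer can tell a fresh account from one that has sat in the "must change password" state for a long time. It assumes the ActiveDirectory module is installed, and the export path is a placeholder.

```powershell
# Added example (not from the original article): report every enabled user
# whose pwdLastSet is 0, together with the account age and last logon date.
# Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# LDAP filter: pwdLastSet is 0 AND the ACCOUNTDISABLE bit (0x2) of
# userAccountControl is NOT set. 1.2.840.113556.1.4.803 is the LDAP
# bitwise-AND matching rule.
$ldapFilter = '(&(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$report = Get-ADUser -LDAPFilter $ldapFilter -Properties whenCreated, LastLogonDate, pwdLastSet |
    ForEach-Object {
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            Enabled           = $_.Enabled
            WhenCreated       = $_.whenCreated
            # Null when the account has never logged on.
            LastLogonDate     = $_.LastLogonDate
            DaysSinceCreated  = [int]((Get-Date) - $_.whenCreated).TotalDays
            PwdLastSet        = $_.pwdLastSet
        }
    } | Sort-Object DaysSinceCreated -Descending

# Oldest accounts first: these are the ones worth a second look.
$report | Format-Table -AutoSize

# Optional: export for review. The path is a placeholder.
# $report | Export-Csv -Path 'C:\Reports\change-password-at-next-logon.csv' -NoTypeInformation
```

Requesting only the attributes the report needs with -Properties keeps the query cheap on a large domain; -Properties * pulls every attribute for every matching account.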
Check if the User Account is Set to Change Password at Next Logon
Use the Get-AdUser cmdlet to retrieve the AD user account information. It retrieves a number of properties such as SamAccountName, DistinguishedName, PasswordLastSet, and PwdLastSet.
Check the value of the PasswordLastSet and PwdLastSet attributes; if either value is equal to 0, the user will be asked to change the password at the next logon.
In the following PowerShell script, the Get-AdUser cmdlet retrieves the AD user "Don" account information and stores it in the $aduser variable. It then checks whether the PwdLastSet property for the AD user is equal to 0 and stores the result in the variable $changePasswordAtNextLogon.
If the $changePasswordAtNextLogon variable value is true, the script prints a message that the AD user is set to change the password at the next logon.
# Retrieve the aduser account
$aduser = Get-AdUser -Identity Don -Properties *

# Check if PwdLastSet for the aduser is 0
$changePasswordAtNextLogon = $aduser.PwdLastSet -eq 0

# Output
if ($changePasswordAtNextLogon) {
    Write-Host "Ad User 'Don' is set to change password at next logon."
} else {
    Write-Host "Ad User 'Don' is not set to change password at next logon."
}
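The script above hard-codes one user and stops with an unhandled error if the identity does not exist. As an added example (not from the original article), the function below generalizes the same PwdLastSet check into a reusable command that accepts one or more identities, handles a lookup failure, and also converts a non-zero pwdLastSet FILETIME value into a readable date. The function name and its parameter are my own choice.

```powershell
# Added example (not from the original article): a reusable function that
# reports whether one or more accounts are flagged to change their password
# at next logon. Requires the ActiveDirectory module (RSAT).
function Test-ADUserMustChangePassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity
    )
    process {
        foreach ($id in $Identity) {
            try {
                # Ask only for the attributes we need instead of -Properties *.
                $user = Get-ADUser -Identity $id -Properties pwdLastSet -ErrorAction Stop
            }
            catch {
                # Unknown identity, no domain reachable, etc.: warn and move on.
                Write-Warning "Could not retrieve '$id': $($_.Exception.Message)"
                continue
            }

            # pwdLastSet is a FILETIME (100-ns ticks since 1601-01-01 UTC);
            # 0 means "user must change password at next logon" is set.
            $mustChange = ($user.pwdLastSet -eq 0)
            $lastSet = if ($mustChange) { $null } else { [DateTime]::FromFileTime($user.pwdLastSet) }

            [PSCustomObject]@{
                SamAccountName            = $user.SamAccountName
                Enabled                   = $user.Enabled
                ChangePasswordAtNextLogon = $mustChange
                PasswordLastSet           = $lastSet
            }
        }
    }
}

# Usage: check one account, or pipe several names in.
Test-ADUserMustChangePassword -Identity 'Don'
'Guest', 'Don' | Test-ADUserMustChangePassword | Format-Table -AutoSize
```

Returning an object rather than writing a message with Write-Host lets the result be filtered, sorted, or exported, for example with Where-Object ChangePasswordAtNextLogon or Export-Csv.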
Conclusion
I hope the above article on how to use the Get-AdUser cmdlet to find the AD user accounts set to change their password at next logon in Active Directory is helpful to you.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.