Mark Minasi's Tech Forum
meloao
New Friend (or an Old Friend who Built a New Account)
Posts: 30
#1
I need to be able to check for AD user accounts for specific criteria and if either of any of those criteria are true, then reset/set password.

The logic is this:

Check all user accounts in AD

if user account is disabled
       or if user account has an expired password
                 or if user account is locked out 

then 
    set password to *******


cj_berlin
Senior Member
Posts: 199
#2
Hi Melissa,

Search-ADAccount and Set-ADUser are your friends.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
meloao
New Friend (or an Old Friend who Built a New Account)
Posts: 30
#3
Thank you my friend.  This is very helpful.
meloao
New Friend (or an Old Friend who Built a New Account)
Posts: 30
#4
When I run the following command to set the password I am prompted for an identity. I need it to reset the password for all users that meet the criteria.

Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'December9' -force) 


The full script to reset the password for locked user accounts is:

Import-Module ActiveDirectory
Search-ADAccount -UsersOnly -SearchBase "DC=domain,DC=domain,DC=domain,DC=domain" -LockedOut |
Set-ADAccountPassword -Reset -NewPassword (ConvertTo-SecureString -AsPlainText 'December9' -force)


Something else, I want to check for disabled accounts, locked accounts, and password-expired accounts. However, I am getting errors when I use -LockedOut, -AccountDisabled, and -PasswordExpired in one line. It works when I use the parameters. However, I would like to see all 3 in one script.

Import-Module ActiveDirectory
Search-ADAccount -UsersOnly -SearchBase "DC=domain,DC=domain,DC=domain,DC=domain" -LockedOut -AccountDisabled -PasswordExpired |
Set-ADAccountPassword -NewPassword (ConvertTo-SecureString -AsPlainText -String "December9" -force)
cj_berlin
Senior Member
Posts: 199
#6
Quote:
Originally Posted by meloao

Something else, I want to check for disabled account, locked accounts, and password expires accounts.  However, I am getting errors when I use -lockedout, -accountdisabled, and -passwordexpired in one line.  It works when I use the parameters.  However, I would like to see all 3 in one script.


As you can see in the TechNet article, those three are in different parameter sets so tough luck.

But you can concatenate the results before resetting passwords on them. Or you go old school and use LDAP filters as we all had done before the AD PowerShell module finally grew up.

I'm not 100% sure but where looking for AD objects with specific characteristics is concerned, the Quest AD Cmdlets might offer what you're looking for.

__________________
Evgenij Smirnov

My personal blog (German): http://www.it-pro-berlin.de/
My stuff on PSGallery: https://www.powershellgallery.com/profiles/it-pro-berlin.de/
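Evgenij's suggestion of running the three searches separately and merging the results before the reset, as an added example that is not code from the thread; the OU path and the -Commit dry-run switch are my own assumptions.

```powershell
# Added example (not from the thread): -AccountDisabled, -LockedOut and
# -PasswordExpired sit in different Search-ADAccount parameter sets, so run
# one query per criterion, merge the results, then reset each account once.
# Assumes the ActiveDirectory module; the search base below is a placeholder.
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',  # placeholder OU
    [switch]$Commit                                       # omit for a dry run
)
Import-Module ActiveDirectory

# One query per criterion; -UsersOnly keeps computer accounts out of the set.
$found = @(
    Search-ADAccount -UsersOnly -SearchBase $SearchBase -AccountDisabled
    Search-ADAccount -UsersOnly -SearchBase $SearchBase -LockedOut
    Search-ADAccount -UsersOnly -SearchBase $SearchBase -PasswordExpired
)

# An account can match more than one criterion; de-duplicate on the DN so each
# password is reset exactly once (one reset event per user in the audit log).
$targets = $found | Sort-Object -Property DistinguishedName -Unique

# Prompt for the new value instead of embedding it in the script file.
$newPassword = Read-Host -Prompt 'New password for matched accounts' -AsSecureString

foreach ($account in $targets) {
    # Record which criteria matched, for the run log.
    $reason = @(
        if (-not $account.Enabled)    { 'disabled' }
        if ($account.LockedOut)       { 'locked out' }
        if ($account.PasswordExpired) { 'password expired' }
    ) -join ', '

    if (-not $Commit) {
        Write-Host ("[dry run] would reset {0} ({1})" -f $account.SamAccountName, $reason)
        continue
    }
    try {
        # -Reset sets the password without supplying the old one; without it the
        # cmdlet prompts for -OldPassword, which is not what a bulk reset wants.
        Set-ADAccountPassword -Identity $account -Reset -NewPassword $newPassword -ErrorAction Stop
        Write-Host ("reset {0} ({1})" -f $account.SamAccountName, $reason)
    } catch {
        Write-Warning ("failed for {0}: {1}" -f $account.SamAccountName, $_.Exception.Message)
    }
}
```

Run it once without -Commit to review the merged list and the reasons before any password is changed.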