Active Directory Friday: List password information for Domain Administrators

In today's Active Directory Friday we touch on the security of Domain Administrator accounts. Although these accounts should receive the most attention, it is not uncommon for their passwords to remain unchanged for a long period of time, so it is worth listing when each Domain Admin last set a password and whether the account is still enabled.

To find the members of the Domain Admins group we can use the following LDAP filter (the domain DN is the author's example domain; note that a plain memberof filter only returns direct members of the group, not members of nested groups):

"(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"

Then for each account found a PowerShell custom object is created with the following three properties:

  • samaccountname
  • pwdlastset (the date the password was last set, converted from the FILETIME value stored in AD; the password age follows from comparing it with the current date)
  • enabled (derived from the ACCOUNTDISABLE bit of userAccountControl)

So combining all these statements the complete code is as follows:

# Search the current domain for direct members of Domain Admins.
# The DN is the author's example domain; adjust it for your own.
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
    PageSize = 500   # enable paged results so more than 1000 entries are returned
}
$Searcher.FindAll() | ForEach-Object {
    # Each property is returned as a ResultPropertyValueCollection;
    # -join '' turns the single-valued collection into a string.
    New-Object -TypeName PSCustomObject -Property @{
        samaccountname = $_.Properties.samaccountname -join ''
        # pwdLastSet is a FILETIME (100 ns intervals since 1601); 0 means
        # the user must change the password at next logon.
        pwdlastset = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join ''))
        # Bit 2 (0x2) of userAccountControl is ACCOUNTDISABLE.
        enabled = -not [boolean]([int64]($_.properties.useraccountcontrol -join '') -band 2)
    }
}
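The following is an added example, not code from the original post. It extends the script above to what an auditor usually wants from it: it discovers the domain DN from RootDSE instead of hard-coding it, follows nested group membership with the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) so admins that are members via another group are not missed, computes the password age in days, handles the pwdLastSet value 0 ("must change password at next logon"), and flags enabled accounts whose password is older than a threshold or set to never expire. The 90-day threshold and the variable names are this example's own choices; it assumes a domain-joined machine, a domain account and PowerShell 3.0 or later (for [PSCustomObject]), and still needs no Active Directory module.

```powershell
# Added example: password-age report for all Domain Admins, nested members included.
# Assumption: run on a domain-joined machine as a domain user; PowerShell 3.0+.
$MaxPasswordAgeDays = 90   # example threshold, not from the original post

# Discover the current domain's DN instead of hard-coding it.
$RootDse        = [adsi]'LDAP://RootDSE'
$DomainDN       = $RootDse.Get('defaultNamingContext')
$DomainAdminsDN = "CN=Domain Admins,CN=Users,$DomainDN"

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) makes the domain
# controller walk nested group membership server-side; a plain
# (memberof=...) filter only returns direct members.
$Filter = "(&(objectCategory=person)(objectClass=user)" +
          "(memberof:1.2.840.113556.1.4.1941:=$DomainAdminsDN))"

$Searcher = New-Object System.DirectoryServices.DirectorySearcher -Property @{
    SearchRoot = [adsi]"LDAP://$DomainDN"
    Filter     = $Filter
    PageSize   = 500
}
# Ask only for the attributes we use, to keep the result set small.
[void]$Searcher.PropertiesToLoad.AddRange(
    [string[]]@('samaccountname', 'pwdlastset', 'useraccountcontrol'))

# userAccountControl flag bits (values documented by Microsoft; names are ours).
$UAC_ACCOUNTDISABLE     = 0x0002
$UAC_DONT_EXPIRE_PASSWD = 0x10000

$Now = Get-Date
$Report = foreach ($Result in $Searcher.FindAll()) {
    $Props         = $Result.Properties
    $Uac           = [int64]($Props['useraccountcontrol'] -join '')
    $PwdLastSetRaw = [int64]($Props['pwdlastset'] -join '')
    $Enabled       = -not [bool]($Uac -band $UAC_ACCOUNTDISABLE)
    $NeverExpires  = [bool]($Uac -band $UAC_DONT_EXPIRE_PASSWD)

    # pwdLastSet is a FILETIME; 0 means "must change password at next logon",
    # so there is no date to convert and no age to compute.
    if ($PwdLastSetRaw -eq 0) {
        $PwdLastSet = $null
        $PwdAgeDays = $null
    } else {
        $PwdLastSet = [datetime]::FromFileTime($PwdLastSetRaw)
        $PwdAgeDays = [int](($Now - $PwdLastSet).TotalDays)
    }

    # Flag what an auditor cares about: an enabled admin whose password is
    # older than the threshold, or whose password never expires at all.
    $Stale = $Enabled -and (
        $NeverExpires -or
        ($null -ne $PwdAgeDays -and $PwdAgeDays -gt $MaxPasswordAgeDays))

    [PSCustomObject]@{
        SamAccountName       = $Props['samaccountname'] -join ''
        Enabled              = $Enabled
        PasswordNeverExpires = $NeverExpires
        PasswordLastSet      = $PwdLastSet
        PasswordAgeDays      = $PwdAgeDays
        Stale                = $Stale
    }
}

# Oldest passwords first; filter on Stale to get only the findings.
$Report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Run it as an ordinary domain user from any domain-joined workstation; reading these attributes requires no elevated rights. Because the matching-rule filter is evaluated on the domain controller, the query stays a single LDAP search even when Domain Admins contains several layers of nested groups.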

5 thoughts on "Active Directory Friday: List password information for Domain Administrators"

  1. Ernie

    Hi Jaap

    How are you doing, nice example.
    For a moment I could not see what the -join '' was for, then I figured it out: to change the type to String so you can convert to [Int64]. Nice one 🙂 That is a very helpful tip when working with search results. I also tried replacing -join '' with -as [string], which does the same job, which is how I figured out how you were using the -join ''.
    Thanks for a great post Ernie

    1. Jaap Brasser Post author

      Indeed the following all achieve the same:
      -join ''
      -join -as [string]

      Glad you liked the trick, it's a good way of dealing with the AD search results. I haven't tested which method is the most efficient when dealing with them. That is something I might explore in a future article.

  2. Justin

    I have to say thank you for this bit of code. For some reason when I’d bind to an AD User object and do a ‘memberOf’ it would only return 30 objects no matter how many objects it contained. Doing it this way seems to list all of the objects. Now I have to rewrite a few scripts, but at least I’ll be fairly certain they’re accurate.

  3. TomN

    Nice example but just wondering why you didn’t use native cmdlets

    get-adgroupmember "domain admins" | get-aduser -properties * | ft samaccountname, passwordlastset, enabled

    1. Jaap Brasser Post author

      Because then I do not have a dependency on the Active Directory PowerShell module. The code in this article can be run on any system, even when management tools are not installed. I usually query Active Directory from my workstation with my normal user account, for that purpose using the type-accelerators is a great option.

      I do agree that I should have included the Active Directory cmdlets in my article, usually I do that but in this article I forgot to add that.
