In today’s Active Directory Friday we touch on the security of Domain Administrator accounts. Although this should not be overlooked, it is not uncommon for the passwords of these accounts to remain unchanged for a long period of time.
To find the members of the Domain Admins group we can use the following LDAP filter:
```powershell
"(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
```
Then, for each account found, a PowerShell custom object is created with the following three properties:
- Samaccountname
- PasswordAge
- Account Enabled
So, combining all these statements, the complete code is as follows:
```powershell
# Search for direct members of the Domain Admins group; PageSize enables paged
# results so groups larger than the server-side limit are returned in full.
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter   = "(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
    PageSize = 500
}
$Searcher.FindAll() | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        # -join '' turns the single-element property collection into a string
        samaccountname = $_.Properties.samaccountname -join ''
        # pwdLastSet is stored as a Windows FILETIME (100-ns ticks since 1601)
        pwdlastset     = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join ''))
        # bit 2 of userAccountControl is ACCOUNTDISABLE
        enabled        = -not [boolean]([int64]($_.properties.useraccountcontrol -join '') -band 2)
    }
}
```
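As an added example that is not part of the original article, the script below extends the same DirectorySearcher approach in three ways a reviewer of privileged accounts usually needs: it follows nested group membership (the plain `memberof` filter above only returns direct members), it computes the password age in days instead of only the last-set date, and it handles `pwdLastSet` of 0 explicitly, since `FromFileTime(0)` would otherwise silently report 1601-01-01 for accounts that must change their password at next logon. The group DN reuses the article's `jaapbrasser.com` domain; the `$MaxAgeDays` threshold and the function name are assumptions to adjust for your own environment.

```powershell
# Added example, not the article's own code. Assumes the jaapbrasser.com domain
# from the article; $GroupDN and $MaxAgeDays are placeholders for your environment.
$GroupDN    = 'CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com'
$MaxAgeDays = 90

# memberOf:1.2.840.113556.1.4.1941:= is LDAP_MATCHING_RULE_IN_CHAIN, which walks
# nested groups, so users who are admins only through a nested group are found too.
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter   = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=$GroupDN))"
    PageSize = 500
}
# Only ask the domain controller for the attributes we actually use
[void]$Searcher.PropertiesToLoad.AddRange(@('samaccountname', 'pwdlastset', 'useraccountcontrol'))

# userAccountControl flag bits used below
$ACCOUNTDISABLE       = 0x2
$DONT_EXPIRE_PASSWORD = 0x10000

function Get-DomainAdminPasswordReport {
    $Searcher.FindAll() | ForEach-Object {
        $uac    = [int64]($_.Properties.useraccountcontrol -join '')
        $pwdRaw = [int64]($_.Properties.pwdlastset -join '')

        # pwdLastSet = 0 means "must change password at next logon"; do not
        # convert it with FromFileTime or the age would come out as ~400 years.
        if ($pwdRaw -eq 0) {
            $pwdLastSet = $null
            $ageDays    = $null
        } else {
            $pwdLastSet = [datetime]::FromFileTime($pwdRaw)
            $ageDays    = [int]((Get-Date) - $pwdLastSet).TotalDays
        }

        $isEnabled = -not [bool]($uac -band $ACCOUNTDISABLE)

        [PSCustomObject]@{
            SamAccountName       = $_.Properties.samaccountname -join ''
            PasswordLastSet      = $pwdLastSet
            PasswordAgeDays      = $ageDays
            Enabled              = $isEnabled
            PasswordNeverExpires = [bool]($uac -band $DONT_EXPIRE_PASSWORD)
            # Stale: an enabled admin whose password is older than the threshold
            Stale                = $isEnabled -and ($null -ne $ageDays) -and ($ageDays -gt $MaxAgeDays)
        }
    }
}

# Oldest passwords first; the Stale and PasswordNeverExpires columns are the
# ones to act on.
Get-DomainAdminPasswordReport |
    Sort-Object PasswordAgeDays -Descending |
    Format-Table SamAccountName, Enabled, PasswordNeverExpires, PasswordAgeDays, Stale -AutoSize
```

Like the article's script, this runs without the Active Directory module, so it can be used from an ordinary workstation with a standard user account. The `objectCategory=person` clause keeps computer and group objects out of the result, which matters once nested membership is followed.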
Hi Jaap
How are you doing, nice example.
For a moment I could not see what the -join '' was for, then I figured it out: to change the type to String so you can convert to [Int64]. Nice one 🙂 that is a very helpful tip when working with search results. I also tried replacing -join '' with -as [string], which does the same job, which is how I figured out how you were using the -join ''.
Thanks for a great post Ernie
Indeed the following all achieve the same:
Glad you liked the trick, it’s a good way of dealing with the AD search results. I haven’t tested which method is the most efficient when dealing with them. That is something I might explore in a future article.
I have to say thank you for this bit of code. For some reason when I’d bind to an AD User object and do a ‘memberOf’ it would only return 30 objects no matter how many objects it contained. Doing it this way seems to list all of the objects. Now I have to rewrite a few scripts, but at least I’ll be fairly certain they’re accurate.
Nice example but just wondering why you didn’t use native cmdlets
get-adgroupmember "domain admins" | get-aduser -properties * | ft samaccountname, passwordlastset, enabled
Because then I do not have a dependency on the Active Directory PowerShell module. The code in this article can be run on any system, even when management tools are not installed. I usually query Active Directory from my workstation with my normal user account, for that purpose using the type-accelerators is a great option.
I do agree that I should have included the Active Directory cmdlets in my article, usually I do that but in this article I forgot to add that.