In today’s Active Directory Friday we look at the security of Domain Admin accounts. Although these accounts should get the most attention, it is not uncommon for their passwords to stay unchanged for a very long time, so a quick report of who is in the group and how old each password is comes in handy.
To find the members of the Domain Admins group we can use the following LDAP filter:

```powershell
"(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
```

Note that `memberOf` only matches accounts that are direct members of the group; accounts that are Domain Admins through a nested group are not returned by this filter.
Then for each account found a PowerShell custom object is created with the following properties:
- SamAccountName
- PwdLastSet (the date the password was last set)
- PasswordAge (the time elapsed since PwdLastSet)
- Enabled (whether the account is enabled)
So combining all these statements the complete code is as follows:

```powershell
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    # memberOf matches direct members of the group only
    Filter   = "(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
    PageSize = 500
}

$Searcher.FindAll() | ForEach-Object {
    # pwdLastSet is stored as a Windows FILETIME (100 ns ticks since 1601-01-01)
    $PwdLastSet = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join ''))
    New-Object -TypeName PSCustomObject -Property @{
        SamAccountName = $_.Properties.samaccountname -join ''
        PwdLastSet     = $PwdLastSet
        PasswordAge    = (Get-Date) - $PwdLastSet
        # bit 0x2 of userAccountControl is ACCOUNTDISABLE
        Enabled        = -not [boolean]([int64]($_.Properties.useraccountcontrol -join '') -band 2)
    }
}
```

Keep in mind that a `pwdLastSet` of 0 means the password was never set or must be changed at next logon; `FromFileTime(0)` turns that into 1601-01-01, which shows up as an absurdly old password rather than as an error.
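The following is an added example, not code from the original post. It extends the report above in two ways a practitioner would usually want: it resolves nested group membership server-side with the `LDAP_MATCHING_RULE_IN_CHAIN` rule (`1.2.840.113556.1.4.1941`) so that accounts that are Domain Admins through a nested group are included, and it flags passwords that are older than a threshold or that never expire. The domain `DC=jaapbrasser,DC=com` is taken from the post; `$MaxAgeDays = 90` is an assumed policy value, not something the post specifies.

```powershell
# Added example (not from the original post). Assumes the domain from the post;
# $MaxAgeDays is an assumed policy value.
$MaxAgeDays = 90
$GroupDN    = 'CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com'

# 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: the DC walks nested group
# membership, so members of groups nested inside Domain Admins are returned as well.
# objectCategory=person excludes computer accounts (which are also objectClass=user)
# and the nested groups themselves.
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter   = "(&(objectCategory=person)(objectClass=user)(memberof:1.2.840.113556.1.4.1941:=$GroupDN))"
    PageSize = 500
}
# Only pull the attributes the report needs instead of the whole object.
'samaccountname', 'pwdlastset', 'useraccountcontrol' |
    ForEach-Object { [void]$Searcher.PropertiesToLoad.Add($_) }

$Now     = Get-Date
$Results = $Searcher.FindAll()
try {
    $Report = foreach ($Result in $Results) {
        $Uac = [int64]($Result.Properties['useraccountcontrol'] -join '')
        $Raw = [int64]($Result.Properties['pwdlastset'] -join '')

        # pwdLastSet of 0 means "never set" or "must change at next logon".
        # FromFileTime(0) would silently yield 1601-01-01, so handle it explicitly.
        $LastSet = if ($Raw -eq 0) { $null } else { [datetime]::FromFileTime($Raw) }
        $AgeDays = if ($LastSet) { [math]::Floor(($Now - $LastSet).TotalDays) } else { $null }

        [PSCustomObject]@{
            SamAccountName       = $Result.Properties['samaccountname'] -join ''
            PwdLastSet           = $LastSet
            PasswordAgeDays      = $AgeDays
            Enabled              = -not [bool]($Uac -band 0x2)      # ACCOUNTDISABLE
            PasswordNeverExpires = [bool]($Uac -band 0x10000)       # DONT_EXPIRE_PASSWD
            OlderThanMax         = ($null -ne $AgeDays) -and ($AgeDays -gt $MaxAgeDays)
            MustChangeAtLogon    = ($Raw -eq 0)
        }
    }
}
finally {
    # SearchResultCollection holds an unmanaged handle; release it even on error
    $Results.Dispose()
}

# Oldest passwords first; filter on OlderThanMax or PasswordNeverExpires as needed
$Report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
```

Enabled accounts with `PasswordNeverExpires` set are worth reviewing separately from the age threshold: the domain password policy will never force a change on them, so the `PasswordAgeDays` column is the only thing that will ever surface them.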