Active Directory Friday: List password information for Domain Administrators

In today’s Active Directory Friday we touch on the security of Domain Administrator accounts. Although these accounts should never be overlooked, it is not uncommon for their passwords to remain unchanged for a long period of time.

To find the members of the Domain Admins group we can use the following LDAP filter:

"(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"

Then for each account found a PowerShell custom object is created with the following three properties:

  • Samaccountname
  • PasswordAge (taken from the pwdlastset attribute, the date the password was last set)
  • Account Enabled (derived from the useraccountcontrol attribute)

So combining all these statements, the complete code is as follows:

# Search the current domain for every account that is a direct member of Domain Admins
$Searcher = New-Object DirectoryServices.DirectorySearcher -Property @{
    Filter = "(memberof=CN=Domain Admins,CN=Users,DC=jaapbrasser,DC=com)"
    PageSize = 500   # enable paging so result sets larger than the server limit are returned in full
}
$Searcher.FindAll() | ForEach-Object {
    New-Object -TypeName PSCustomObject -Property @{
        # Each property is returned as a collection; -join '' flattens the single value to a string
        samaccountname = $_.Properties.samaccountname -join ''
        # pwdlastset is a Windows FILETIME (100-ns ticks since 1601); 0 means the password must be changed at next logon
        pwdlastset = [datetime]::FromFileTime([int64]($_.Properties.pwdlastset -join ''))
        # Bit 0x2 of userAccountControl is ADS_UF_ACCOUNTDISABLE, so the account is enabled when it is clear
        enabled = -not [boolean]([int64]($_.properties.useraccountcontrol -join '') -band 2)
    }
}
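The script above returns the date the password was last set, but the property list promises a PasswordAge. The following is an added example, not code from the original post, that turns the raw pwdlastset and userAccountControl values into an age in days and flags accounts whose password is older than a threshold or is set to never expire. The function name ConvertTo-PasswordAgeReport, the 90-day threshold and the sample records are assumptions for illustration; the 0x2 (ADS_UF_ACCOUNTDISABLE) and 0x10000 (ADS_UF_DONT_EXPIRE_PASSWD) bits are the documented userAccountControl flags. The sample data is constructed so the report runs without a domain; the commented pipeline at the end shows how the same function is fed from the DirectorySearcher results.

```powershell
# Added example: password-age report for Domain Admins (not from the original post).
# ConvertTo-PasswordAgeReport and the sample records below are assumptions for illustration.

function ConvertTo-PasswordAgeReport {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account,
        [int]$MaxAgeDays = 90   # assumed threshold; align with your password policy
    )
    process {
        $uac = [int64]$Account.useraccountcontrol
        $raw = [int64]$Account.pwdlastset
        # pwdlastset = 0 means the password was never set or must change at next logon,
        # so there is no meaningful age to compute
        $lastSet = if ($raw -eq 0) { $null } else { [datetime]::FromFileTimeUtc($raw) }
        $age = if ($lastSet) {
            [math]::Floor(((Get-Date).ToUniversalTime() - $lastSet).TotalDays)
        } else { $null }

        [pscustomobject]@{
            SamAccountName       = $Account.samaccountname
            PasswordLastSet      = $lastSet
            PasswordAgeDays      = $age
            Enabled              = -not ($uac -band 0x2)        # ADS_UF_ACCOUNTDISABLE clear
            PasswordNeverExpires = [bool]($uac -band 0x10000)   # ADS_UF_DONT_EXPIRE_PASSWD set
            Stale                = ($null -ne $age) -and ($age -gt $MaxAgeDays)
        }
    }
}

# Constructed sample records standing in for $Searcher.FindAll() results
$sample = @(
    [pscustomobject]@{ samaccountname = 'admin.fresh';    pwdlastset = (Get-Date).AddDays(-10).ToFileTimeUtc();  useraccountcontrol = 512 }    # normal, enabled
    [pscustomobject]@{ samaccountname = 'admin.stale';    pwdlastset = (Get-Date).AddDays(-400).ToFileTimeUtc(); useraccountcontrol = 66048 }  # 512 + 0x10000: never expires
    [pscustomobject]@{ samaccountname = 'admin.disabled'; pwdlastset = 0;                                        useraccountcontrol = 514 }    # 512 + 0x2: disabled
)
$sample | ConvertTo-PasswordAgeReport | Format-Table -AutoSize

# Live use: feed the searcher results from the post through the same function
# $Searcher.FindAll() | ForEach-Object {
#     [pscustomobject]@{
#         samaccountname     = $_.Properties.samaccountname -join ''
#         pwdlastset         = $_.Properties.pwdlastset -join ''
#         useraccountcontrol = $_.Properties.useraccountcontrol -join ''
#     }
# } | ConvertTo-PasswordAgeReport
```

Separating the conversion into a function keeps the LDAP query and the policy check independent: the same report can be produced from any source that yields pwdlastset and userAccountControl, and the PasswordNeverExpires column surfaces the case the original script cannot show, where a privileged password is old because the expiry policy does not apply to it at all.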