Short story about the issue:
Most admins already know that basic user attribute information can be retrieved with the "net user" command,
for example: Net User /dom mnatarajan
which gives useful details such as when the password was last set, when it expires and when it can next be changed, all calculated from the password policy applied.
I came across an issue: when I query the same information for a user to whom a specific "Fine-Grained Password Policy" (FPP) applies, the native tool reports the dates calculated from the "Default domain password policy" instead of from the FPP.
Solution:
To get the password expiry date, I have to collect a few details about the user, check whether an FPP or the default domain password policy applies, and then calculate the expiry date from the matching policy's maximum password age.
PS Script Detail:
# Identify the next possible password expiry date for a user
# Global parameter definition; you can also run the script as in the example below
# Example: .\Calc_User_passwordExpiry_Date.ps1 -inputuser 'mnatarajan'
# Created by Murugan Natarajan /DXC
# Mail address: mnatarajan24@dxc.com
param(
    [string]$Inputuser = 'mnatarajan'
)
# The AD cmdlets used below come from the RSAT ActiveDirectory module
Import-Module ActiveDirectory
# Simple check that the user exists in the domain; if not, exit the script.
# Get-ADUser throws a terminating error for an unknown identity rather than
# returning $null, so the lookup is wrapped in try/catch.
try {
    $user = Get-ADUser $Inputuser -Properties passwordlastset -ErrorAction Stop
}
catch {
    Write-Output "$Inputuser does not exist in the default domain, validate the user name in the input"
    EXIT
}
# Check whether a Fine-Grained Password Policy (FPP) applies to the user
$fppcheck = Get-ADUserResultantPasswordPolicy $Inputuser
# The user's password-last-set attribute
$passlastset = $user.passwordlastset
# passwordlastset is empty when the user must change the password at next logon;
# AddDays() would fail on an empty value, so report it and exit.
If ($null -eq $passlastset) {
    Write-Output "$Inputuser must change the password at next logon (no password-last-set time)"
    EXIT
}
# If no FPP applies, take the default domain policy's maximum password age and add it to the last-set time
If ($null -eq $fppcheck) {
    $DefaultCheck = Get-ADDefaultDomainPasswordPolicy
    $collectMaxpassage = $DefaultCheck.MaxPasswordAge.Days
    $DefaultUserPassExpireson = $passlastset.AddDays($collectMaxpassage)
    Write-Output "Password Expires for $Inputuser on $DefaultUserPassExpireson (Default Domain Password Policy)"
}
# If an FPP applies to the given user, take the maximum password age from the FPP instead
else {
    $Fppmaxpassage = $fppcheck.MaxPasswordAge.Days
    $FppuserPassExpire = $passlastset.AddDays($Fppmaxpassage)
    $Fppname = $fppcheck.name
    Write-Output "Password Expires for $Inputuser on $FppuserPassExpire _FPP-Applied $Fppname"
}
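As an added example (not part of the author's script), the function below applies the same FPP-versus-default logic but also handles the cases the script does not: the PasswordNeverExpires flag, pwdLastSet = 0 (change at next logon) and a policy whose MaxPasswordAge is 0, and it cross-checks the calculated date against AD's own constructed attribute msDS-UserPasswordExpiryTimeComputed. The function name and the sample account 'jdoe' are assumptions; it expects a domain-joined host with the RSAT ActiveDirectory module.

```powershell
# Added example: effective password expiry with edge cases and an AD cross-check.
# Function name and the account 'jdoe' are assumptions, not from the original post.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string]$Identity)

    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'pwdLastSet',
             'msDS-UserPasswordExpiryTimeComputed'
    $u = Get-ADUser -Identity $Identity -Properties $props -ErrorAction Stop

    # Resultant policy: an FPP if one applies to the user (directly or via a
    # group), otherwise the default domain password policy.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $u
    $source = 'Default Domain Password Policy'
    if ($null -ne $policy) { $source = "FPP '$($policy.Name)'" }
    else { $policy = Get-ADDefaultDomainPasswordPolicy }

    $result = [ordered]@{ User = $u.SamAccountName; PolicySource = $source }

    if ($u.PasswordNeverExpires) {
        $result.Expires = 'Never (PasswordNeverExpires flag set)'
    }
    elseif ($u.pwdLastSet -eq 0) {
        # pwdLastSet = 0 means the password must be changed at next logon;
        # PasswordLastSet is $null here, so AddDays() would fail on a naive path.
        $result.Expires = 'Expired (must change at next logon)'
    }
    elseif ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
        # The cmdlets render a "never expires" maximum age as 00:00:00.
        $result.Expires = "Never (MaxPasswordAge is 0 in $source)"
    }
    else {
        # Use the full TimeSpan rather than .Days so fractional-day ages are kept.
        $result.Expires = $u.PasswordLastSet + $policy.MaxPasswordAge
    }

    # Cross-check against the value AD itself computes for this user. A raw value
    # of Int64.MaxValue means "never expires" and cannot be converted to a date.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if ($raw -and $raw -ne [Int64]::MaxValue) {
        $result.AdComputed = [DateTime]::FromFileTime($raw)
    }
    else { $result.AdComputed = 'Never / not set' }

    [pscustomobject]$result
}

Get-EffectivePasswordExpiry -Identity 'jdoe' | Format-List
```

If Expires and AdComputed disagree for a user, the resultant policy lookup and the constructed attribute were evaluated against different policy state (for example a freshly changed FPP precedence), which is worth investigating before trusting either date.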