I need to get the last password change for a group of account in an Active Directory security group, and I feel like this is something PowerShell should be good at.
Right now, I'm already stuck at how to read the pwdLastSet attribute from the AD account I'm looking at. Even running something simple like this:
[adsi] "LDAP://cn=user1,ou=Staff,ou=User Accounts,dc=ramalamadingdong,dc=net" | Format-List *
gives results for pwdLastSet that appear like this:
pwdLastSet : {System.__ComObject}
I feel like I'm go about this the wrong way, so what's the best way to query and then format the output (the value is based on the Windows Epoch and not very human readable) of the pwdLastSet attribute?
The inbuilt AD commandlets that come with Windows 7/Windows Server 2008 R2 can now do this simply enough. On Windows 7 from a Powershell prompt:
The "PasswordLastSet" atribute appears to be a translated version of the actual "pwdLastSet" attribute.
You can also do this without a snap-in. I tried this and it worked:
I also get a System.__ComObject for pwdLastSet if I have the user object set like this:
$user = [adsi] "LDAP://cn=user1,ou=Staff,ou=User Accounts,dc=ramalamadingdong,dc=net"
There should be a way to use [System.__ComObject].InvokeMember() and reflection to get that pwdLastSet value from the $user object, but I haven't been able to get it right. I never did figure it out, so I used the above example and moved on.
If you're going to be doing a lot of work with AD (or Exchange or SQL Server) you might want to get the snapin for it and use that.
There's an easier way.
The ADSI object has a method called ConvertLargeIntegerToInt64. Note that it's a method of the ADSI object and not the System.__Comobject that's returned by querying the value of a timestamp attibute, so $user.pwdLastSet.value.ConvertLargeIntegerToInt64() won't work. You need to invoke it as follows:
That will get you the LDAP timestamp, which needs to be converted to a readable date, as explained by Bratch above. This will work for any timestamp attribute value returned by the ADSI provider, and the ConvertLargeIntegerToInt64 method is (I believe) exposed by any object representing a directory entry.
Putting it all together, here is how you get the date when the password was last set:
Here is an easy way to display the AD Computers:
Install: http://www.quest.com/powershell/activeroles-server.aspx
open powershell
Run the following commands:
add-PSSnapin quest.activeroles.admanagement
Get-QADUser |ft displayname,PasswordLastSet
The first command loads the quest snapin you just downloaded. You don't need to do this if you use the shortcut to quest in your startmenu. The second command gets a list of all the and the users and the time there password was last changed.
Add the ConvertADSLargeInteger function to your script, you can get it here:
PowerShell: Convert Active Directory IADSLargeInteger to System.Int64
Here's how you would use it:
perhaps you should look at using the passwordLastChanged property. Look here for further info: http://www.microsoft.com/technet/scriptcenter/resources/qanda/aug06/hey0801.mspx