How to find old computer accounts in Active Directory using PowerShell. What's an old computer account in Active Directory? It's a computer account whose password hasn't been updated for a long time. A domain-joined Windows computer changes its machine account password automatically (every 30 days by default), so the age of that password is a reasonable measure of whether the computer account is still in use. It isn't foolproof: a computer can be configured to never update its password, and some computer accounts represent something other than an actual computer (a cluster name object, for example). So, before you go and delete all of your old computer accounts, you should do some further analysis.
Anyway, the date when the computer account password was last set is stored in an AD attribute called pwdLastSet. It's stored as a large integer (Int64) and represents the number of 100-nanosecond intervals since midnight UTC on January 1st, 1601, a huge number. A value of 0 means the password has never been set. The idea is to figure out how many days have elapsed between the stored date and today, giving the age of the password. I've shown you how to do this with Perl in the article: Find Old Computer Accounts using Perl.
Boy, is it a heck of a lot easier to do in PowerShell! The big difference is that .NET handles the conversion from a large integer to a date in one call ([datetime]::FromFileTime), and PowerShell has some date math functions that make it easy to compare the dates. There's a bunch of code in the Perl version just to figure out how many days have passed since Jan 1, 1601, including how many leap years and all that nonsense. PowerShell's New-TimeSpan cmdlet does that for you. Sweet.
This script searches for computer accounts in Active Directory, gets the pwdLastSet attribute, converts it to a date and calculates the difference, in days, between then and now. It then returns the name of the computer and the password age in days if it's older than 60 days (two default password-change cycles).
$domain = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.PageSize = 100                        # paged search, so domains with more than 1000 computers are fully returned
$searcher.Filter = "(objectCategory=Computer)"

$propList = ("name","pwdLastSet")
foreach ($i in $propList) { $prop = $searcher.PropertiesToLoad.Add($i) }   # the assignment just swallows the index Add() returns

$results = $searcher.FindAll()

foreach ($result in $results) {
    # pwdLastSet comes back as an Int64 FILETIME; FromFileTime turns it into a local [datetime]
    $pwdLastSet = [Int64]($result.Properties.Item("pwdlastset")[0])
    $pwdAge = New-TimeSpan -Start ([datetime]::FromFileTime($pwdLastSet)) -End (Get-Date)
    if ($pwdAge.Days -gt 60) {
        "$($result.Properties.Item("name"))`t$($pwdAge.Days)"
    }
}
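As an added example (this is not the post's own script), here is a more defensive version of the same DirectorySearcher query. It guards against the cases the post warns about: a pwdLastSet of 0 or a missing attribute (an account that was pre-created and never joined), and it also reads lastLogonTimestamp and userAccountControl so that disabled accounts are flagged and an account is only reported when both its password and its last logon are older than the threshold. The 60-day threshold and the function names Get-StaleComputerAccounts and ConvertFrom-FileTimeAttribute are my own choices, not from the post; like the original it assumes it runs on a domain-joined machine where System.DirectoryServices can bind to the current domain.

```powershell
# Added example, not the original post's script: stale computer accounts by password age AND last logon,
# with the "never set", "attribute missing" and "account disabled" cases handled explicitly.

$maxAgeDays = 60                     # assumption: two default machine-password cycles (MaxMachineAccountPasswordAge is 30 days)
$now        = [datetime]::UtcNow

$domain   = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.PageSize   = 1000          # paging is required once a domain has more than 1000 computer objects
$searcher.Filter     = "(objectCategory=computer)"
foreach ($p in "name","pwdLastSet","lastLogonTimestamp","userAccountControl") {
    [void]$searcher.PropertiesToLoad.Add($p)
}

# Convert a FILETIME-style AD attribute (100 ns intervals since 1601-01-01 UTC) to a UTC [datetime].
# Returns $null when the attribute is absent or 0, which AD uses for "never set".
function ConvertFrom-FileTimeAttribute {
    param($Values)
    if ($null -eq $Values -or $Values.Count -eq 0) { return $null }
    $ticks = [Int64]$Values[0]
    if ($ticks -le 0) { return $null }
    return [datetime]::FromFileTimeUtc($ticks)
}

function Get-StaleComputerAccounts {
    $searcher.FindAll() | ForEach-Object {
        $props     = $_.Properties                      # keys are lowercase in the result collection
        $pwdSet    = ConvertFrom-FileTimeAttribute $props["pwdlastset"]
        $lastLogon = ConvertFrom-FileTimeAttribute $props["lastlogontimestamp"]
        $uac       = if ($props["useraccountcontrol"].Count) { [int]$props["useraccountcontrol"][0] } else { 0 }

        $pwdAgeDays   = if ($pwdSet)    { (New-TimeSpan -Start $pwdSet    -End $now).Days } else { $null }
        $logonAgeDays = if ($lastLogon) { (New-TimeSpan -Start $lastLogon -End $now).Days } else { $null }

        # Stale when the password is old or never set, AND lastLogonTimestamp (if the domain maintains it) is also old.
        $pwdStale   = ($null -eq $pwdAgeDays)   -or ($pwdAgeDays   -gt $maxAgeDays)
        $logonStale = ($null -eq $logonAgeDays) -or ($logonAgeDays -gt $maxAgeDays)
        if ($pwdStale -and $logonStale) {
            [pscustomobject]@{
                Name         = [string]$props["name"][0]
                PwdAgeDays   = $pwdAgeDays       # $null = password never set
                LogonAgeDays = $logonAgeDays     # $null = lastLogonTimestamp not populated
                Disabled     = [bool]($uac -band 0x2)   # ACCOUNTDISABLE bit of userAccountControl
            }
        }
    }
}

Get-StaleComputerAccounts | Sort-Object PwdAgeDays -Descending | Format-Table -AutoSize
```

Two caveats on the extra attribute. lastLogonTimestamp is replicated, but a domain controller only rewrites it when the stored value is more than roughly 9 to 14 days old, so it is a coarse indicator, and it is only maintained at the Windows Server 2003 domain functional level or higher, which is why it can be blank in older domains. lastLogon is exact but is not replicated, so using it means querying every domain controller and taking the newest value.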
3 comments:
Hi Brian,
Thanks for sharing a nice techie on PowerShell to get information....
Thanks,
<a href="http://techhowknow.com">Ganesan K</a>
Brian, thanks for the article. FYI, pwdLastSet is only part of the picture. A computer could fail to set its password and still have some functionality. To be more thorough, you can check the following: pwdLastSet, badPasswordTime, lastLogonTimestamp.
It's true, a computer may not update its computer account password; you can disable it in the registry, for example. You could check the age of the lastLogon attribute, I suppose; maybe I'll write a post on how to do that. lastLogonTimestamp won't always work, it's blank in my domain, and badPasswordTime records when the account tried to log on with a bad password, so that's not relevant.