
**EDIT** I'm thinking of running a scheduled task at the end of every workday to retrieve all accounts that have never logged on and disable them. Please excuse any syntax errors. I may very well be fumbling here. Can anyone say if this solution will work?

Get-ADUser -Filter {-not (LastLogonTimestamp -like "*")} | Disable-ADAccount

**Original Question**

I'm not a sysadmin per se; I'm more of a programmer, and I'm new to Active Directory and PowerShell scripting. I've done scripting in bash and other languages, so I can catch on quickly.

My current role (I'm new) has an industry standard to expire/disable accounts if the first-use password has not been utilized within 24 hours. I have done a search and found that AD does not support this feature, but learned that it may be possible through a script. There is a tight deadline from an audit, and I must say we are a little desperate.

Any help would be appreciated, even just some background on possible ways to set the expiration time or identify accounts that have not changed their password yet.

Thank you very much

Jacksgrin
    If you have a legal requirement to do that with a tight deadline, why aren't you hiring an external consultant to help you with that? – Sven Sep 08 '14 at 14:44
  • I wouldn't say it's a 'legal' requirement, but an industry requirement. That said, it holds weight. We're not hiring an external consultant, most likely for budget purposes and because of the industry we are in, which is high security; bringing an external consultant on would be cumbersome. Additional contracts, privacy agreements, bringing them up to speed, along with getting it approved through corporate, would be an enormous hassle. It would be faster if I could implement it myself. That said, I don't make the rules, unfortunately. I understand your logic. – Jacksgrin Sep 08 '14 at 15:20

4 Answers


You can check the following properties to find whether or not the user account has logged in or changed its password:

LastLogonDate and PasswordLastSet

Get-ADUser -Identity ACCOUNTNAME -Properties LastLogonDate,PasswordLastSet
bentek

Yes, your one-liner should work. I modified your original command to filter for enabled accounts only.

Get-ADUser -Filter {-not (LastLogonTimestamp -like "*") -and (Enabled -eq $true)} | Disable-ADAccount
bentek
    Oh, and if you aren't sure of the implications of that command, add a `-Whatif` to the end (after Disable-ADAccount) – bentek Sep 09 '14 at 19:09

Active Directory doesn't have a way to set the password expiry on individual accounts. When it goes to expire passwords, it checks the account's Pwd-Last-Set attribute against the global Max-Pwd-Age setting.

If you're using some sort of scripted process to create user accounts, I would do the following:

  • Alter user creation script to append to a list of usernames and Pwd-Last-Set timestamps.
  • Create a scheduled task which iterates along the list. If the Pwd-Last-Set timestamp on the account is the same as in the file (i.e. they have not changed passwords) and the timestamp in the file is older than 24 hours, set the Pwd-Last-Set attribute on the account to 0 and unset the don't expire flag if needed. This will immediately expire the password.
Yozomiri
  • For simplicity's sake, is there a way to simply check if the password has never been changed? That way, I could run a scheduled task at the end of the day disabling any account with this property. – Jacksgrin Sep 08 '14 at 15:24

For simplicity's sake, is there a way to simply check if the password has never been changed? That way, I could run a scheduled task at the end of the day disabling any account with this property. – Jacksgrin

I see this question is quite old; however, comparing the values of the Created or createTimeStamp properties with the PasswordLastSet property should be a start.

Get-ADUser -Identity [accountname] -Properties Created,createTimeStamp,PasswordLastSet,LastLogonDate

This should show you if the account password was ever changed since the account's inception.

FYI, I'm unable to comment or I would have replied to his comment.

g1zmotech
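The end-of-day scheduled task from the edited question, combined with the Created-versus-PasswordLastSet check suggested in the answers, as one script added here (it is not code from the question or from any answer). The OU in $SearchBase, the 24-hour grace period and the 5-second tolerance between account creation and the initial password stamp are assumptions; run it with -WhatIf first, as bentek's comment suggests.

```powershell
# Added example, not from the question or answers. Disables enabled accounts
# older than $GraceHours whose initial password was never changed
# (PasswordLastSet empty, or within seconds of Created) or that have never
# logged on (no LastLogonTimestamp replicated from any DC).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',  # placeholder OU
    [int]$GraceHours = 24                                # assumed policy window
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddHours(-$GraceHours)

# Enabled is filtered server-side; the date checks are done client-side
# because Created and PasswordLastSet are converted (derived) properties.
$candidates = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
    -Properties Created, PasswordLastSet, LastLogonTimestamp |
    Where-Object { $_.Created -lt $cutoff }

foreach ($u in $candidates) {
    # pwdLastSet is 0 (PasswordLastSet = $null) when "must change at next
    # logon" is set; otherwise it is stamped when the account is created, so
    # a value within a few seconds of Created means the first-use password
    # was never changed. Assumes creation and initial password set happen
    # in the same operation.
    $pwdNeverChanged = (($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -le $u.Created.AddSeconds(5)))
    $neverLoggedOn   = -not $u.LastLogonTimestamp

    if (-not ($pwdNeverChanged -or $neverLoggedOn)) { continue }

    $reason = if ($neverLoggedOn) { 'never logged on' } else { 'initial password unchanged' }

    # -WhatIf on the script is honoured here, so nothing is changed on a dry run.
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable account ($reason)")) {
        Disable-ADAccount -Identity $u
        # Record why the account was disabled in the 'info' (Notes) attribute.
        Set-ADUser -Identity $u -Replace @{ info = "Disabled $(Get-Date -Format s): $reason" }
    }

    # One record per affected account; pipe the script to Export-Csv for the audit log.
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Created         = $u.Created
        PasswordLastSet = $u.PasswordLastSet
        Reason          = $reason
    }
}
```

LastLogonTimestamp is the replicated attribute, so it is reliable for "never logged on" even though it lags real logon times by up to 14 days.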