**Password Setting for DA-Accounts: A PowerShell Script** As a PowerShell enthusiast, you're probably aware of the importance of maintaining your Active Directory (AD) accounts. One crucial aspect is ensuring that passwords are updated regularly to maintain security. In this blog post, we'll explore a PowerShell script that helps with just that: checking and reporting on DA-account passwords that have not been changed in the last 90 days.

**Prerequisites** Before diving into the script, here's what you'll need to check off your list:

* PowerShell 3 or higher installed
* Active Directory Domain Services (AD DS) installed and configured, with the ActiveDirectory PowerShell module available
* A domain-joined machine to run the script from

**The Script** Now, let's take a closer look at the script itself. We'll break it down into logical sections to make it easier to understand.
```powershell
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath

# Create the log file (one file per day) next to the script
$date = Get-Date -Format "dd-MM-yy"
$logfile = "$dir\PWDLastset_$date.log"
if (!(Test-Path $logfile)) { New-Item -Path $dir -Name "PWDLastset_$date.log" -ItemType File -Force }
$now = Get-Date -Format "dd/MM/yy HH:mm:ss"
Add-Content -Path $logfile -Value "$($now) : Log file initialized`n"

# Variables
$domain = Get-ADDomain | Select-Object -ExpandProperty DistinguishedName
$cutoff = (Get-Date).AddDays(-90)

# Enabled, expiring, non-service accounts with a go-ahead.com UPN whose
# password is older than the cut-off (only the attributes we use are requested)
$accounts = Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet -SearchBase $domain |
    Where-Object {
        ($_.UserPrincipalName -like '*@go-ahead.com*') -and
        ($_.PasswordNeverExpires -eq $false) -and
        ($_.PasswordLastSet -lt $cutoff) -and
        ($_.Enabled -eq $true) -and
        ($_.SamAccountName -notlike 'svc*')
    } |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires, PasswordLastSet |
    Sort-Object SamAccountName

# Exclusions file: one SamAccountName per line; created empty if it is missing
$exclusionsFile = "$dir\exclusions.txt"
if (!(Test-Path $exclusionsFile)) { New-Item -Path $dir -Name "exclusions.txt" -ItemType File -Force }
$exclusions = Get-Content $exclusionsFile

foreach ($user in $accounts) {
    if (!($exclusions -contains $user.SamAccountName)) {
        Write-Host "Processing $($user.SamAccountName)" -ForegroundColor Yellow
        # Remediation is left commented out: the script only reports
        #Set-ADUser -Identity $user.SamAccountName -ChangePasswordAtLogon $true
        $now = Get-Date -Format "dd/MM/yy HH:mm:ss"
        Add-Content -Path $logfile -Value "$($now) : Last password set > 90 days for $($user.SamAccountName)"
        Get-ADUser -Identity $user.SamAccountName -Properties PasswordNeverExpires, PasswordLastSet |
            Select-Object SamAccountName, UserPrincipalName, PasswordNeverExpires, PasswordLastSet
    }
    else {
        $now = Get-Date -Format "dd/MM/yy HH:mm:ss"
        Add-Content -Path $logfile -Value "$($now) : $($user.SamAccountName) Excluded"
        Write-Host "$($user.SamAccountName) Excluded!" -ForegroundColor Magenta
    }
}

# Summary to the console and a closing entry in the log
$accounts | Format-Table -AutoSize -Wrap
$accounts.Count
$now = Get-Date -Format "dd/MM/yy HH:mm:ss"
Add-Content -Path $logfile -Value "$($now) : Script run completed`n"
```
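The script above selects candidates by UPN suffix. As an added example (not part of the original post), the following variant checks password age for the actual members of the Domain Admins group, resolved recursively, and, unlike the script, treats a privileged account flagged `PasswordNeverExpires` as a finding rather than skipping it. It assumes the ActiveDirectory module on a domain-joined machine, the same 90-day threshold and the same `exclusions.txt` format (one SamAccountName per line) next to the script.

```powershell
# Added example: password-age report for Domain Admins group members.
# Assumes the ActiveDirectory module; the group name and 90-day threshold are inputs you may change.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)
$exclusionFile = Join-Path $PSScriptRoot 'exclusions.txt'
$excluded = if (Test-Path $exclusionFile) { Get-Content $exclusionFile } else { @() }

# Resolve membership recursively so admins held via nested groups are covered;
# only user objects are evaluated (computers and groups are dropped).
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName -Properties PasswordLastSet, PasswordNeverExpires, Enabled
    if (-not $u.Enabled) { continue }
    if ($excluded -contains $u.SamAccountName) { continue }

    # PasswordLastSet is $null when "must change password at next logon" is set;
    # that is reported as unknown age and still counted as stale.
    $ageDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet
        PasswordAgeDays      = $ageDays
        PasswordNeverExpires = $u.PasswordNeverExpires
        # A DA account that never expires, has no last-set date, or is past the cut-off is stale
        Stale                = ($u.PasswordNeverExpires) -or (-not $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $cutoff)
    }
}

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Persist only the findings next to the script so they can be tracked or ingested elsewhere
$csv = Join-Path $PSScriptRoot ("DA-stale-{0}.csv" -f (Get-Date -Format 'yyyy-MM-dd'))
$report | Where-Object Stale | Export-Csv -Path $csv -NoTypeInformation
```

The report is read-only; as with the blog's script, any forced password change would be a separate, deliberate step.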
**How It Works** The script works by:

1. Creating a log file

The script starts by creating a log file in the same directory as the script, named after the current date. Each entry written to it is prefixed with a timestamp.

2. Defining variables

It then defines several variables:

* `$domain`: The distinguished name of the Active Directory domain
* `$cutoff`: The date 90 days ago
* `$accounts`: The list of DA-account users that meet certain criteria (more on this later)
* `$exclusions`: The contents of `exclusions.txt`, a list of user names to skip; the file is created empty if it does not exist

3. Processing accounts

The script then loops through the accounts returned by the query (all of which already have a password older than 90 days). Any user listed in the exclusions file is logged as excluded and shown in magenta. For every other user, it writes a "Last password set > 90 days" entry to the log file, displays a yellow message, and prints the account's password details. The `Set-ADUser ... -ChangePasswordAtLogon $true` line that would force a change at next logon is commented out, so as published the script only reports and does not modify any account.

**Key Code Snippets** Here are some key code snippets from the script:
```powershell
$accounts = Get-ADUser -Filter * -Properties * -SearchBase $domain |
    Where-Object {
        ($_.UserPrincipalName -like '*@go-ahead.com*') -and
        ($_.PasswordNeverExpires -eq $false) -and
        ($_.PasswordLastSet -lt $cutoff) -and
        ($_.Enabled -eq 'True') -and
        ($_.SamAccountName -notlike 'svc*')
    } |
    Select-Object SamAccountName, UserPrincipalName, Enabled, PasswordNeverExpires, PasswordLastSet |
    Sort-Object SamAccountName
```

This code snippet uses the `Get-ADUser` cmdlet to retrieve the accounts that meet all of the following criteria:

* The user's UPN (User Principal Name) contains "@go-ahead.com"
* The password is not flagged as never expiring (`PasswordNeverExpires` is false)
* The password was set more than 90 days ago
* The account is enabled
* The SamAccountName does not start with "svc"

**Usage Examples** To use this script, simply run it from a domain-joined machine with PowerShell 3 or higher installed. The log file and `exclusions.txt` are created in the script's own directory (`$dir`, derived from `$scriptpath`), so save the script where you want those files to live.

**Conclusion** In this blog post, we explored a PowerShell script that helps with password setting for DA-account users. The script creates a log file and processes accounts based on certain criteria, outputting messages to the log file and displaying yellow or magenta messages depending on the outcome. We also highlighted some key code snippets from the script.

**GitHub Link** You can find the full script at: