Get-ADUser-搜索过期的帐户.在命令中使用变量 [英] Get-ADUser - searching for expired account. Using variables in command
问题描述
我目前正在使用Powershell GUI脚本,以帮助我的团队更轻松地找到具有过期密码的帐户,禁用的帐户等,并将其输出为CSV.它几乎完全围绕" Get-ADUser "命令.到目前为止,几乎所有功能都可以正常运行,禁止查找具有过期密码的帐户.
I am currently working on a Powershell GUI script to help my team easier find accounts with expired passwords, disabled accounts etc and to output these to a CSV. It revolves almost entirely around the "Get-ADUser" command. So far almost everything has worked, bar finding accounts with expired passwords.
我已经对此进行了很多研究,但是似乎没有 easy 使用Get-ADUser查找过期帐户的方法.我知道我可以改用 Search-ADAccount ,但是这样做很尴尬(因为我需要重新编写很多代码).
I've researched this a lot already but there seems to be no easy way of finding expired accounts using Get-ADUser. I know I can use Search-ADAccount instead but it would be very awkward to do so (as I would need to re-write a lot of code).
Get-Aduser -Properties * -Filter {PasswordExpired -eq $ true} 只是一个空白.
例如,
Get-ADUser-属性*-过滤器* |?{$ _.PasswordExpired -eq $ True-和$ _.Enabled -eq $ true} |选择对象名称,已启用|Export-Csv"C:\ report.csv"-NoTypeInformation
工作正常,但是如果我尝试分配命令的中间",即
works just fine but if I try to assign the 'middle' of the command i.e
{$ _.PasswordExpired -eq $ True -and $ _.Enabled -eq $ true}
到变量,然后将其替换为命令,我得到一个错误,我广告中所有变量的列表或根本没有人.替换变量的合理性是考虑到可能的帐户状态(用户可以通过选择单选按钮进行选择).
to a variable and then substitute it into the command I either get an error, a list of all those in my AD or nobody at all. The rational for substituting in a variable is to allow for the possible account statuses (that the user can choose from by selecting a radio button).
我已经尝试了双引号和单引号的各种排列方式,包括但不包括大括号等,但是Powershell不会让我休息一下!
I've tried the various permutations of double and single quotes, including and not including curly brackets etc but Powershell will not give me a break!
谢谢!
推荐答案
Get-ADUser cmdlet公开了 PasswordExpired 扩展属性,该属性是一个布尔值,指示密码是否为已过期.它基于 msDS-User-Account-Control-Computed 属性.但是,您不能使用此属性进行过滤.
The Get-ADUser cmdlet exposes the PasswordExpired extended property, which is a boolean indicating if the password is expired. It is based on the msDS-User-Account-Control-Computed attribute. However, you cannot filter with this property.
这意味着您可以检查该属性上的UF_PASSWORD_EXPIRED位:
This would mean you can check the UF_PASSWORD_EXPIRED bit on that property:
Get-ADUser -Filter "Enabled -eq 'True'" -Properties 'msDS-User-Account-Control-Computed' |
Where-Object {($_.'msDS-User-Account-Control-Computed' -band 0x800000) -eq 0x800000} | # UF_PASSWORD_EXPIRED --> 0x800000 = 8388608
Select-Object Name, Enabled | Export-Csv "C:\report.csv" -NoTypeInformation
您可以通过扩展过滤器以排除使用 PasswordNeverExpires 和 PasswordNotRequired 都为$ false的用户来加快上述过程:
You can speed up the above by extending the filter to rule out users with PasswordNeverExpires and PasswordNotRequired both $false:
$filter = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False' -and PasswordNotRequired -eq 'False'"
Get-ADUser -Filter $filter -Properties PasswordNeverExpires, PasswordNotRequired, 'msDS-User-Account-Control-Computed' |
Where-Object {($_.'msDS-User-Account-Control-Computed' -band 0x800000) -eq 0x800000} | # UF_PASSWORD_EXPIRED --> 0x800000 = 8388608
Select-Object Name, Enabled | Export-Csv "C:\report.csv" -NoTypeInformation
这篇关于Get-ADUser-搜索过期的帐户.在命令中使用变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
