404 Tech Support

PowerShell script to query AD for number of accounts with expired passwords

With a recent change to our password policy, some users’ passwords began expiring more frequently than before, and our phone support has seen an increase in calls as a result. In order to monitor the situation, we wanted numbers for those groups: how many accounts had expired passwords, each one being another potential phone call.

This script is written with a function for easy code re-use. In the example script, I am querying two different collections of users as they are separated into different OUs in our AD. You could use just one query at the top to find all users but for my purpose, the split was helpful. I suppose you could add more logic to determine users by group membership rather than solely by OU. To query more groups, just reproduce the line:

query [FriendlyNameOfGroup] "Distinguished name of OU in AD where these users (and only these users) reside"

The script calls the function and determines all users that are enabled and do not have a policy setting “password never expires”. It then determines how many of that total are currently expired, including a percentage. We also look 30 days out to see how many more users will expire in the next 30 days based on the msDS-UserPasswordExpiryTimeComputed attribute. As we have been communicating the change to users and directing them to change their password, we should hopefully start seeing that number decrease.

The output then shows the total number of users in that group, the number and percentage of those with expired passwords, and the count of those with passwords that will expire in 30 days.
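The following is an added example of the approach just described; it is not the script from the linked gist. It implements one function that takes the same two inputs (a friendly name and an OU distinguished name), counts enabled accounts whose policy lets the password expire, and reports how many are already expired and how many expire within the next 30 days based on msDS-UserPasswordExpiryTimeComputed. The function name, the group labels and the OU distinguished names are placeholders to be replaced with your own; the two calls at the bottom mirror the "one line per group" pattern from the text.

```powershell
# Added example, not the author's gist. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-PasswordExpiryStats {
    param(
        [Parameter(Mandatory)] [string] $Name,        # friendly label for the group
        [Parameter(Mandatory)] [string] $SearchBase,  # DN of the OU holding these users
        [int] $WindowDays = 30                        # look-ahead window for "expiring soon"
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($WindowDays)

    # Enabled accounts that do not carry "password never expires".
    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute, so it must be
    # requested explicitly via -Properties; it comes back as a FILETIME Int64.
    $users = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree `
        -Filter "Enabled -eq 'True' -and PasswordNeverExpires -eq 'False'" `
        -Properties 'msDS-UserPasswordExpiryTimeComputed')

    $expired      = 0
    $expiringSoon = 0
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

        # Int64.MaxValue means "never expires" (for example via a fine-grained policy);
        # [DateTime]::FromFileTime throws on that value, so skip it before converting.
        if ($null -eq $raw -or $raw -eq [Int64]::MaxValue) { continue }

        # 0 means the password must be changed at next logon, i.e. already expired.
        if ($raw -eq 0) { $expired++; continue }

        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -le $now)        { $expired++ }
        elseif ($expires -le $cutoff) { $expiringSoon++ }
    }

    $total = $users.Count
    $pct   = if ($total -gt 0) { [math]::Round(100 * $expired / $total, 1) } else { 0 }

    [pscustomobject]@{
        Group          = $Name
        TotalUsers     = $total
        Expired        = $expired
        ExpiredPercent = $pct
        ExpiringSoon   = $expiringSoon   # within $WindowDays days
    }
}

# Placeholder group names and OU distinguished names; substitute your own.
$results = @(
    Get-PasswordExpiryStats -Name 'Staff'    -SearchBase 'OU=Staff,DC=example,DC=com'
    Get-PasswordExpiryStats -Name 'Students' -SearchBase 'OU=Students,DC=example,DC=com'
)
$results | Format-Table -AutoSize
```

Because the expiry attribute is computed per account from the effective password policy, this honours fine-grained password policies as well as the domain default, which a manual PasswordLastSet plus max-age calculation would not. Accounts whose computed expiry is Int64.MaxValue are excluded from the totals rather than counted as "never expiring" users, so the percentage reflects only accounts that can actually expire.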

It’s a pretty simple script but provided good experience querying AD, performing calculations, and formatting output.

https://gist.github.com/jhamilton09/17ba2b8a899718bd95e9b216aeb734f5