Hi community,
I am using a configuration baseline in MEM/SCCM to query members of the local administrators group on all of my endpoints and upload them to the MEM/SCCM DB where I can report on it. I am using the PowerShell script at https://tcsmug.org/blogs/sherry-kissinger/568-cm-all-members-of-all-local-groups-powershell to do this. This script will load the local group members into a custom WMI class and then the SCCM hardware scans will upload the WMI class data into the DB.
I am trying to expand the script to include the date/time of when the passwords for any member accounts were last set. The group members could be either local or domain users. For local users, I have been able to make changes to the script to retrieve the password info on the local machine and load it into a new property (PasswordLastSet) I added to the custom WMI class (CM_LocalGroupMembers). Because there is no guarantee a PC will be connected to the company network and have line of sight to the on-prem AD domain when the baseline runs, I think the best way to query the password info for domain accounts is to query the user in Azure AD (AAD). The problem I am having is figuring out how to query AAD at the same time as the local PC, or how to get started. I know there is a need to load the MSOnline module to make the Get-MsolUser cmdlet available, which I have added to the script. I know I will need to specify a user that will log into AAD to query it, which I will add when I am ready to automate this. For testing, I manually add Connect-MsolService to the script and log in interactively when I run it. What I am not understanding is how to query AAD specifically for a domain user and add the found password info to WMI at the same time as for local users, since there is already a line in the script to populate the PasswordLastSet property with local user info.
This ForEach statement returns the members from each local group and the local accounts are queried from there.
ForEach ($TheName in $Groups) {
    $Values1 = Get-LocalGroupMember -Name $TheName.Name | Select-Object ObjectClass, Name, PrincipalSource
    # ... remainder of the loop body from the attached script
}
I plan to use the same results in $Values1 for the AAD query, but I am having trouble figuring out the best way to format the usernames so they are ******@domain.com as opposed to domain\username. I've created a bunch of additional ForEach statements for this purpose, but I'm not getting the results I need and I think I may be overthinking it. Also, if I approach it from this angle, how do I go about populating the WMI with both local and domain password info? My PowerShell skills are not the best, but I got pretty far from where I started. I have attached the script with my latest changes, which works for local accounts, here: MainScript_PswdLastSet.txt. Any suggestions on where to go from here are appreciated.
The changes I have made from the original script:
- Line 48: added PasswordLastSet property to the CM_LocalGroupMembers class.
- Lines 115-134: added script to install the MSOnline module.
- Line 182: added PasswordLastSet property when querying group members that are local users.
- Line 201: added command to populate the PasswordLastSet date/time into the PasswordLastSet property in WMI.
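One way to branch on PrincipalSource, turn DOMAIN\user into a UPN and read the password timestamp from the right source, as an added example that is not the attached script or the tcsmug.org code. It assumes the MSOnline module is loaded and Connect-MsolService has already run, that the UPN suffix is contoso.com (placeholder), and that the function name and output shape are my own choices rather than anything in the original script.

```powershell
# Added example: one record per local group member, with PasswordLastSet taken
# from the local SAM for local users and from Azure AD for domain users.
# Assumption: the UPN suffix below must be replaced with the tenant's verified domain.
$UpnSuffix = 'contoso.com'   # placeholder: DOMAIN\jsmith -> jsmith@contoso.com

function Get-MemberPasswordLastSet {
    param([Parameter(Mandatory)][string]$GroupName)

    foreach ($Member in Get-LocalGroupMember -Name $GroupName) {
        $LastSet = $null
        # Get-LocalGroupMember returns 'MACHINE\name' or 'DOMAIN\name'; keep only the name
        $Sam = ($Member.Name -split '\\')[-1]

        if ($Member.ObjectClass -eq 'User') {
            switch ($Member.PrincipalSource) {
                'Local' {
                    $LastSet = (Get-LocalUser -Name $Sam).PasswordLastSet
                }
                'ActiveDirectory' {
                    # Resolve in Azure AD so no line of sight to on-prem AD is required
                    $Upn = '{0}@{1}' -f $Sam, $UpnSuffix
                    $Aad = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
                    if ($Aad) { $LastSet = $Aad.LastPasswordChangeTimestamp }
                }
                # 'AzureAD' and 'MicrosoftAccount' members are left with $null here
            }
        }

        # CIM datetime properties expect DMTF strings, not .NET DateTime objects
        $Dmtf = if ($LastSet) {
            [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($LastSet)
        } else { $null }

        [pscustomobject]@{
            GroupName       = $GroupName
            Name            = $Member.Name
            ObjectClass     = $Member.ObjectClass
            PrincipalSource = $Member.PrincipalSource
            PasswordLastSet = $Dmtf   # $null when the account could not be resolved
        }
    }
}

# Usage: inspect the records before writing them into the custom WMI class
Get-MemberPasswordLastSet -GroupName 'Administrators' | Format-Table -AutoSize
```

Get-MsolUser only returns users that exist in the tenant, so an on-prem-only domain account that is not synced will come back with PasswordLastSet empty rather than an error. The account used for Connect-MsolService should be a read-only identity supplied from a protected store at run time rather than a credential embedded in the baseline script that runs on every endpoint.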