How to get a list of AD users that are set to change password at next logon

Vahid 0 Reputation points
2024-06-19T22:39:41.01+00:00

Hello,
I am trying to export a list of all users in AD including a column for "ChangePasswordAtLogon" attribute. I have tried a lot of different variations but none of them have worked. This is one of the formats that didn't work.
get-aduser -filter * -properties * | select SamAccountName, @{name='ChangePasswordAtLogon';expression={$_.ChangePasswordAtLogon -join";"}}, DistinguishedName

The value shows as blank in CLI output. And when exporting to CSV, it shows up as "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection"

PasswordLastSet -eq'0' filter doesn't return the correct set of users either.

Is there a way to create a list of all users that includes this value either with PowerShell, LDIFF or any other tool?

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,208 questions
Windows Server PowerShell
Windows Server PowerShell
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.PowerShell: A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
5,453 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,300 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Marcin Policht 17,850 Reputation points MVP
    2024-06-19T23:06:04.24+00:00

    Try the following:

    # Import the Active Directory module
    Import-Module ActiveDirectory
    # Get all AD users with the necessary properties
    $users = Get-ADUser -Filter * -Properties SamAccountName, ChangePasswordAtLogon, DistinguishedName
    # Select the desired properties and export to CSV
    $users | Select-Object SamAccountName, @{Name='ChangePasswordAtLogon';Expression={($_.ChangePasswordAtLogon -eq $true)}}, DistinguishedName | Export-Csv -Path "ADUsers.csv" -NoTypeInformation
    
    

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin


  2. Vahid 0 Reputation points
    2024-06-20T14:48:42.1533333+00:00

    Some other iterations that I have tried are these. none of them produce the right result.
    Get-ADUser -Filter {Changepasswordatlognon -eq $true} | Select-Object SamAccountName, DistinguishedName

    Get-ADUser -filter * -properties * | Select SamAccountName,distinguishedName | where {$_.ChangePasswordAtlogon -eq $true}

    get-aduser -filter * -properties * | select SamAccountName, pwdlastSet

    Get-ADUser -Filter * -server localhost –Properties * | Select-Object -Property "samaccountname",@{Name="pwdLastSet";Expression={[datetime]::FromFileTime($_."pwdLastSet")}},@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

    0 comments No comments

  3. Rich Matheisen 45,756 Reputation points
    2024-06-20T15:03:03.7433333+00:00

    Have a look at this: https://4sysops.com/archives/find-ad-accounts-with-changepasswordatlogon-set-and-enforce-password-change-with-powershell/

    If you're only interested users with that particular value set, you'd do better by using a -Filter parameter.

    Watch out for the interaction with other properties. E.g., can the user change its password? Has a password ever been set on this account?

    0 comments No comments