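# Prints a short report for one Active Directory user account.
# INPUT: Either SamAccountName or EmployeeID (a value that is all digits is treated as an EmployeeID).
# Requires the ActiveDirectory module and read access to the domain; every query is
# directed at the PDC emulator so password-related attributes are authoritative.
$userName = "" # e.g. "john.doe" or "123456"

# Fallback only, used when the domain password policy cannot be read.
$defaultMaxPwdAgeDays = 180

# Fail early with a clear message instead of a parameter-binding error from Get-ADUser.
if ([string]::IsNullOrWhiteSpace($userName)) {
    throw 'Set $userName to a SamAccountName or EmployeeID before running this script.'
}

#Get-ADUser -Identity $userName -Server $dc -Properties *

# PDCEmulator is a host name string; domain policy values come from the policy cmdlet below.
$dc = (Get-ADDomain).PDCEmulator

# Read MaxPasswordAge from the default domain policy rather than hard-coding it.
# A zero MaxPasswordAge means the policy does not expire passwords.
# NOTE(review): if fine-grained password policies (PSOs) are in use, the effective value
# for this user comes from Get-ADUserResultantPasswordPolicy instead — confirm for this domain.
$maxPwdAge = (Get-ADDefaultDomainPasswordPolicy -Server $dc -ErrorAction SilentlyContinue).MaxPasswordAge
if ($null -eq $maxPwdAge) {
    Write-Warning "Could not read the domain password policy from $dc; assuming $defaultMaxPwdAgeDays days."
    $maxPwdAge = New-TimeSpan -Days $defaultMaxPwdAgeDays
}

$commonParams = @{
    Server     = $dc
    Properties = @(
        'Enabled', 'Created', 'whenChanged', 'CanonicalName', 'DisplayName', 'accountExpires', 'AccountExpirationDate',
        'pwdLastSet', 'PasswordNeverExpires', 'City', 'Department', 'directReports', 'EmployeeID', 'HomeDrive',
        'homePostalAddress', 'LastBadPasswordAttempt', 'LastLogonDate', 'Manager',
        'msDS-cloudExtensionAttribute7', 'msDS-cloudExtensionAttribute6', 'msDS-cloudExtensionAttribute14',
        'Office', 'OfficePhone', 'otherMobile', 'PostalCode', 'proxyAddresses',
        'SamAccountName', 'State', 'StreetAddress', 'Title', 'UserPrincipalName', 'msDS-cloudExtensionAttribute3', 'msDS-cloudExtensionAttribute15'
    )
}

if ($userName -match '^\d+$') {
    # The regex above guarantees $userName is digits only, so interpolating it into the
    # -Filter string cannot alter the filter expression.
    $candidates = @(Get-ADUser -Filter "EmployeeID -eq '$userName'" @commonParams)
    if ($candidates.Count -gt 1) {
        # EmployeeID is not guaranteed unique; say so instead of silently reporting one of them.
        Write-Warning "EmployeeID '$userName' matches $($candidates.Count) accounts; reporting the first one ($($candidates[0].SamAccountName))."
    }
    $user = $candidates | Select-Object -First 1
}
else {
    # -Identity is a parameter, not a filter string, so the raw value is passed as-is.
    $user = Get-ADUser -Identity $userName @commonParams
}

if (-not $user) {
    throw "No user found matching '$userName'."
}

# Password expiry: handle the cases where a date cannot be computed before doing arithmetic.
#   - PasswordNeverExpires set on the account
#   - pwdLastSet = 0 ("must change password at next logon"); FromFileTime(0) would yield 1601-01-01
#   - domain policy MaxPasswordAge of zero (passwords never expire)
$pwdLastSetDt = $null
if ($user.PasswordNeverExpires) {
    $pwdExpiryText = 'Never (PasswordNeverExpires is set on the account)'
}
elseif (-not $user.pwdLastSet) {
    $pwdExpiryText = 'Must change at next logon (pwdLastSet = 0)'
}
else {
    $pwdLastSetDt = [DateTime]::FromFileTime($user.pwdLastSet)
    if ($maxPwdAge -eq [TimeSpan]::Zero) {
        $pwdExpiryText = 'Never (domain MaxPasswordAge is 0)'
    }
    else {
        $pwdExpiryDt = $pwdLastSetDt + $maxPwdAge
        $daysLeft = ($pwdExpiryDt.Date - (Get-Date).Date).Days
        $pwdExpiryText = "$pwdExpiryDt ($daysLeft days left)"
    }
}

if (-not $user.Enabled) {
    # Disabled account: a reduced set of fields. [ordered] keeps the output order stable.
    [PSCustomObject]([ordered]@{
        'SamAccountName' = $user.SamAccountName
        'Status'         = 'Disabled'
        'LastModifiedOn' = $user.whenChanged
        'OUPath'         = $user.CanonicalName
        'Legal Hold'     = $user.'msDS-cloudExtensionAttribute7'
        'Manager'        = $user.Manager
        'Title'          = $user.Title
        'Department'     = $user.Department
        'Home Email'     = $user.'msDS-cloudExtensionAttribute3'
        'Hidden'         = $user.'msDS-cloudExtensionAttribute15'
    }) | Format-List
}
else {
    # Enabled account: all the fields
    $report = [ordered]@{
        'Created'              = $user.Created
        'DisplayName'          = $user.DisplayName
        'User Principal Name'  = $user.UserPrincipalName
        'SamAccountName'       = $user.SamAccountName
        'Employee ID'          = $user.EmployeeID
        'Title'                = $user.Title
        'Department'           = $user.Department
        'OU Path'              = $user.CanonicalName
        'Home Email'           = $user.'msDS-cloudExtensionAttribute3'
        'Office'               = $user.Office
        'Office Phone'         = $user.OfficePhone
        'Mobile'               = $user.otherMobile
        'Street Address'       = $user.StreetAddress
        'City, State, ZIP'     = "$($user.City), $($user.State) $($user.PostalCode)"
        'Home Postal Address'  = $user.homePostalAddress
        'Employment'           = $user.'msDS-cloudExtensionAttribute6'
        'Hidden'               = $user.'msDS-cloudExtensionAttribute15'
        'Home Drive'           = $user.HomeDrive
        'Proxy Addresses'      = ($user.proxyAddresses -join ", ")
        #'Direct Reports' = ($user.directReports -join ", ")
        'Manager'              = $user.Manager
        'Cloud Ext Attr 14'    = $user.'msDS-cloudExtensionAttribute14'
        # Property name is LastBadPasswordAttempt (the earlier "...AttemptS" spelling always returned nothing).
        'Last Bad Password At' = $user.LastBadPasswordAttempt
        'Password Last Set'    = $pwdLastSetDt
        'Password Expires'     = $pwdExpiryText
        'Enabled?'             = $user.Enabled
        'LastModifiedOn'       = $user.whenChanged
        'Legal Hold'           = $user.'msDS-cloudExtensionAttribute7'
        'Account Expires'      = $user.AccountExpirationDate
    }
    # Display as a neat vertical list—you can swap to Format-Table if you prefer columns
    [PSCustomObject]$report | Format-List
}

#Set-ADAccountPassword -Identity $username -NewPassword (ConvertTo-SecureString '' -AsPlainText -Force) -Reset -COnfirm:$true
#Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordAge, PasswordHistoryCount, MinPasswordLength, LockoutThreshold, LockoutDuration, LockoutObservationWindow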