
Active Directory User and Group Reporting: Users with old passwords

September 3, 2015 | blog | wp_admin

Checking when Active Directory users last logged on should not be the only criterion if you want to pinpoint stale user accounts reliably. Another method that can help with this judgement is to analyze when user accounts last had their password changed.

Indeed, in a well-managed Active Directory environment, password policies are normally set so that user passwords expire after anything between 30 and 90 days. If a password has expired, the user can't log on. Isn't that a sign that such user accounts are no longer used?

Let’s take a look at the following PowerShell code snippet:

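# Cutoff date: 90 days before now
$90Days = (Get-Date).AddDays(-90)

# Users under the search base whose password was last set on or before the cutoff
Get-ADUser -SearchBase "DC=TORONTO,DC=LOCAL" -Filter {PasswordLastSet -le $90Days} -Properties PasswordLastSet | Select-Object Name, PasswordLastSet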

Just like with the lastlogondate example, we search for all user accounts whose passwordlastset attribute was last updated more than 90 days ago. This should pick up the lion's share of users with old passwords.

There are a couple of exceptions, though. If passwordlastset equals 0, the user account's password is expired and the user must change the password at next logon. If passwordlastset equals -1, the user account's password is set to never expire. Depending on the intended use of such accounts, you might or might not want to include them in a list of stale user accounts.

Combined analysis of lastlogondate and passwordlastset attributes will yield a more reliable conclusion about the status of user accounts and whether or not they should be disabled or removed. Here is another PowerShell script that shows how to find and remove inactive Active Directory Users in one turn.
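
The combined analysis described above, as an added example that is not code from the original post: it classifies each account using both signals and sends the passwordlastset exceptions to manual review instead of deciding for you. The function name Get-StaleCandidate, the status labels and the sample accounts are assumptions constructed for illustration, and an empty PasswordLastSet is treated here as the "must change password at next logon" case.

```powershell
# Added example. Get-StaleCandidate and the sample accounts are hypothetical.
function Get-StaleCandidate {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $Days = 90,
        [datetime] $Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$Days) }
    process {
        # An empty LastLogonDate means no logon was ever recorded for the account.
        $oldLogon = (-not $User.LastLogonDate) -or ($User.LastLogonDate -le $cutoff)
        # Assumption: an empty PasswordLastSet is the "must change at next logon" case.
        $mustChange   = -not $User.PasswordLastSet
        $oldPassword  = (-not $mustChange) -and ($User.PasswordLastSet -le $cutoff)
        $neverExpires = [bool] $User.PasswordNeverExpires

        # Default covers the exceptions and mixed signals: a person decides.
        $status = 'Review'
        if (-not $oldLogon) { $status = 'Active' }
        # Both signals agree and the password is allowed to expire.
        if ($oldLogon -and $oldPassword -and -not $neverExpires) { $status = 'Stale' }

        [pscustomobject]@{
            Name            = $User.Name
            Status          = $status
            LastLogonDate   = $User.LastLogonDate
            PasswordLastSet = $User.PasswordLastSet
        }
    }
}

# Constructed sample accounts, so the logic can be tried without a domain.
$now = [datetime]'2015-09-03'
$sample = @(
    [pscustomobject]@{ Name = 'alice'; LastLogonDate = $now.AddDays(-2)
                       PasswordLastSet = $now.AddDays(-30);  PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'bob';   LastLogonDate = $now.AddDays(-200)
                       PasswordLastSet = $now.AddDays(-250); PasswordNeverExpires = $false }
    [pscustomobject]@{ Name = 'svc1';  LastLogonDate = $now.AddDays(-120)
                       PasswordLastSet = $now.AddDays(-900); PasswordNeverExpires = $true }
    [pscustomobject]@{ Name = 'carol'; LastLogonDate = $null
                       PasswordLastSet = $null;              PasswordNeverExpires = $false }
)
$sample | Get-StaleCandidate -Now $now | Format-Table -AutoSize

# Against a directory (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires |
#     Get-StaleCandidate | Where-Object Status -ne 'Active'
```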
