We can get the list of AD users who should change their password at the next logon using Active Directory powershell cmdlet Get-ADUser. In this article, I am going to write Powershell script to list of AD users who have the setting “Change Password At the Next Logon” enabled and export AD users to CSV file.
Use the following command to import Active Directory cmdlets.
Import-Module ActiveDirectory
List AD users with change password at the next logon:
Get-ADUser -LDAPFilter "(pwdLastSet=0)" | Select SamAccountName,distinguishedName
Export AD Users with with Change Password at Next Logon to CSV using Powershell
We can export powershell output into CSV file using Export-CSV cmdlet. The following command export selected properties of all the AD users with change password at next the logon to CSV file.
Import-Module ActiveDirectory Get-ADUser -LDAPFilter "(pwdLastSet=0)" | Select SamAccountName,distinguishedName | Export-CSV "C:\ChangePasswordAtNextLogon.csv" -NoTypeInformation -Encoding UTF8
Advertisement
Thanks – just what I needed!
How can I restrict the above Get-ADUser enquiry to only apply to a particular OU in the tree? Thanks.
You have to set your required OU in SearchBase parameter
Get-ADUser -LDAPFilter “(pwdLastSet=0)” -SearchBase “OU=TestOU,DC=TestDomain,DC=com” | Select SamAccountName,distinguishedName
how do you exclude disabled accounts?
Get-ADUser -LDAPFilter “(pwdLastSet=0)” -SearchBase “OU=TestOU,DC=TestDomain,DC=com” | Where {Enabled -eq $true} | Select SamAccountName,distinguishedName