You could argue that this isn't necessary, and you would not be wrong. Those groups now contain field names that are more user friendly as well. The result is we have taken the information from our original lookup and have split the data into two smaller groups. PasswordLastSet = $Employee.PasswordLastSet ![]() Using arrays lets me rename fields in Active Directory like "given name" and "surname" to more commonly used names like FirstName and LastName. I could feed that data from Get-ADUser into two separate arrays, and then I could display each array separately. Now that I have all the fields I need, I can work on breaking up the original output into two distinct groups (employee information and account status information), but using S elect-Object to display the fields probably isn’t going to give me the desired result. ![]() Here I convert the msDs-UserPasswordExpiryTimeComputed value to a readable date value and save the output to a variable named $PasswordExpiry $PasswordExpiry = ::FromFileTime($Employee.'msDS-UserPasswordExpiryTimeComputed') The first thing I need to do is add the field " msDS-UserPasswordExpiryTimeComputed " to my original Get-ADuser query, and then I need to convert the data returned to a format we can make sense of. I'll need to make two changes to get the desired result. The password expiration is tricky because it's a special field that isn't easy to find if you don't know what you’re looking for and the value is not in a human-readable form by default. $Manager = ((Get-ADUser $Employee.manager).samaccountname) I am using Get-ADUser a second time to look up the S amAccountName of the manager and then I am saving that value to a variable named $Manager. This is not what I wanted, but you may like this field better for your version of this script. I used SAMAccountName because the DisplayName is listed as Last name, First name. We can fix this by doing a lookup on the manager's name and returning the manager's SAMAccountName. The manager field is not formatted as I would prefer: I would like to see first name and last name. Let's address the two problem fields first. But the fields are not organized in any way, and the output is just a long table. Also, when I look at these fields, I see two sets of data: employee information and account status information. ![]() We're close, but we must make it simple to type. I certainly wouldn't expect someone to type in all that data over and over. However, it isn't the most elegant solution, and more importantly, the output above is missing the password-expiration date, and the manager field is not easily readable. We could stop right here and call it a day, and for many people this would a usable solution. Overall, this is close to what I am looking to achieve. This syntax works fine and gets us most of what we need without a ton of work. The block of code above produces the following output: get-aduser username -Properties * | Select-Object GivenName, Surname, SamAccountName, Manager, DisplayName, `Ĭity, EmailAddress, EmployeeID, Enabled, Department, OfficePhone, MobilePhone, LockedOut, LockOutTime, AccountExpirationDate, ` However, you usually can't expect helpdesk staff to be typing in super-long commands like the one below to get the info they need. Of course, you can just run Get-ADUser to retrieve information about Active Directory users. The tool also needs to be simple for my helpdesk staff to use since they sometimes deal with a large volume of calls. Finally, I also need to display the common employee info fields (name, address, department, manager, title, etc.). ![]() I would also like to know if the account is locked out. My goal is make it simple to display all the relevant the Active Directory fields related to user account status, account expiration, password status, as well as when they last set their password and when it will expire.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |