This is my first time on Stack Overflow so please have mercy :)
I'm trying to create a PowerShell GUI to do a search request on our Active Directory that shows me all expired and soon expiring user accounts. I tried it with the following function.
I get a syntax error in my request (Get-ADUser)...
Error Message in PowerShell ISE
```powershell
$ShowExpiring.Add_Click({
    $ADUserSearch.Visible = $False
    $CheckDisabled.Visible = $False
    $ShowExpiring.Visible = $False
    $Back.Visible = $True
    $Results.Visible = $True
    $Results.Clear()
    $Results.ScrollBars = "Vertical"
    Import-Module ActiveDirectory
    $CurrentDate = Get-Date
    $ExpiringPasswords = Get-ADUser -Filter '((PasswordExpired -eq $True) -or (PasswordLastSet -le ((get-date).AddDays(-((get-addefaultdomainpolicy).MaxPasswordAge.Days)))))' -Properties Name,PasswordLastSet
    if($ExpiringPasswords) {
        $ExpiringPasswords = $ExpiringPasswords | sort PasswordLastSet
        foreach ($User in $ExpiringPasswords) {
            if ($User.PasswordLastSet -lt (Get-Date).AddDays(-((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days))) {
                $Results.SelectionColor = "Red"
            }
            else {
                $Results.SelectionColor = "Orange"
            }
            $Results.AppendText("Username: $($User.Name) Expiration Date: $($User.PasswordLastSet)`n")
        }
    }
    else {
        $Results.AppendText("No passwords expiring or already expired.")
    }
})
```
I also tried it with this code which gives me no error message but also no result from disabled users:
```powershell
$ShowExpiring.Add_Click({
    $ADUserSearch.Visible = $False
    $CheckDisabled.Visible = $False
    $ShowExpiring.Visible = $False
    $Back.Visible = $True
    $Results.Visible = $True
    $Results.Clear()
    $Results.ScrollBars = "Vertical"
    Import-Module ActiveDirectory
    $CurrentDate = Get-Date
    $ExpiringPasswords = (Search-ADAccount -AccountExpired -UsersOnly | select Name, @{n='ExpirationDate';e={[datetime]::FromFileTime($_.AccountExpirationDate)}}) (Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 10) -UsersOnly | select Name, @{n='ExpirationDate';e={[datetime]::FromFileTime($_.AccountExpirationDate)}})
    if($ExpiringPasswords) {
        $ExpiringPasswords = $ExpiringPasswords | sort ExpirationDate
        foreach ($User in $ExpiringPasswords) {
            if ($User.ExpirationDate -lt $CurrentDate) {
                $Results.SelectionColor = "Red"
            }
            else {
                $Results.SelectionColor = "Orange"
            }
            $Results.AppendText("Username: $($User.Name) Expiration Date: $($User.ExpirationDate)`n")
        }
    }
    else {
        $Results.AppendText("No passwords expiring or already expired.")
    }
})
```
Thank you for helping me.
CodePudding user response:
The reason for your syntax error is likely the fact that you are trying to use `Get-ADDefaultDomainPolicy`, which does not exist. What you're looking for is `Get-ADDefaultDomainPasswordPolicy`.
Here is some code that you should substitute in the appropriate place in your first example. I broke things down a little bit to make the code/filter easier to understand, but you can recombine it if you are so inclined to do so.
```powershell
$MaxPasswordAgeDays = $(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$OldestAcceptablePasswordLastSetDate = $(Get-Date).AddDays(-$MaxPasswordAgeDays)
$ExpiringPasswords = Get-ADUser -Filter {PasswordExpired -eq $True -or PasswordLastSet -le $OldestAcceptablePasswordLastSetDate} -Properties Name,PasswordLastSet
```
I would suggest using { } instead of single quotes ' ' so that your PowerShell editor can help you with IntelliSense and syntax highlighting rather than the single quotes in your example. Aside from that, if you ever encounter syntax errors, I would recommend trying to break it down as I did above to help you understand which part of your code (in this case, your filter) is failing. I discovered rather quickly that you were trying to use a non-existent cmdlet by doing so.
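An added example, not part of the original question or answer: the default domain policy's `MaxPasswordAge` does not reflect fine-grained password policies and only identifies passwords that are already past due, so this sketch classifies accounts as expired or soon expiring from the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which carries the effective expiry per user. The function name `Get-PasswordExpiryStatus`, its parameters and the sample accounts are hypothetical.

```powershell
function Get-PasswordExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 10,          # same 10-day window as the question's Search-ADAccount call
        [datetime] $Now = (Get-Date)
    )
    process {
        # Assumes the attribute was requested with -Properties; a missing value reads as 0.
        $raw = [long]($User.'msDS-UserPasswordExpiryTimeComputed')

        # Int64.MaxValue: the password never expires. FromFileTime() would throw on it.
        if ($raw -eq [long]::MaxValue) { return }

        # 0: pwdLastSet is 0 or unset, so the password must be changed at next logon.
        if ($raw -eq 0) {
            return [pscustomobject]@{ Name = $User.Name; Expires = $null; Status = 'MustChange' }
        }

        $expires = [datetime]::FromFileTime($raw)
        if ($expires -gt $Now.AddDays($WarnDays)) { return }   # not due within the window

        $status = if ($expires -lt $Now) { 'Expired' } else { 'Expiring' }
        [pscustomobject]@{ Name = $User.Name; Expires = $expires; Status = $status }
    }
}

# Constructed sample objects standing in for Get-ADUser output, so this runs without a domain.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'alice';      'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ Name = 'bob';        'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(4).ToFileTime() }
    [pscustomobject]@{ Name = 'carol';      'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(60).ToFileTime() }
    [pscustomobject]@{ Name = 'svc-backup'; 'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
    [pscustomobject]@{ Name = 'newhire';    'msDS-UserPasswordExpiryTimeComputed' = 0 }
)
$sample | Get-PasswordExpiryStatus -Now $now | Sort-Object Expires | Format-Table

# Against a real domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     Get-PasswordExpiryStatus | Sort-Object Expires
```

In the GUI handler, the `Status` value can drive `$Results.SelectionColor` in place of the date comparison inside the `foreach` loop.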