Tried to run Net use /domain, but in our company we have 3 domains, and the request is processed only for the primary domain controller.
Is there any option to get this information without importing/loading the AD module?
I have to convert the PowerShell script to an exe and use it without an admin account.
Until now we have used something like this, but it's VBA: http://scripts.dragon-it.co.uk/links/vbscript-check-AD-password-expiry?OpenDocument&AutoFramed
CodePudding user response:
Perhaps using the DirectorySearcher class from the DirectoryServices namespace would be a potential option to explore?
With this approach, there's no need to load additional PowerShell modules and as long as the user you are running as has permission to connect via LDAP and read the AD attributes, you should be good.
Example code:
# Scope can be "Subtree" to search recursively, "OneLevel" to search only base and one level deep or "Base" to not recurse at all
$Scope = "Subtree"
# Filtering for user objects only
$Filter = "(&(objectClass=user)(!(objectClass=computer)))"
# Set the distinguished name of your root OU to search from here
$RootOU = "DC=contoso,DC=com"
# Create a new DirectorySearcher
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
# Create a DirectoryEntry and configure with the root OU, scope and filter from above
$Searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($RootOU)")
$Searcher.Filter = $Filter
$Searcher.SearchScope = $Scope
# Configure loading of the samAccountName and msDS-UserPasswordExpiryTimeComputed properties from AD
# (msDS-UserPasswordExpiryTimeComputed is a constructed attribute and is only returned when requested explicitly)
$Searcher.PropertiesToLoad.AddRange([string[]]@("msDS-UserPasswordExpiryTimeComputed", "samAccountName"))
# Perform the search
$users = $Searcher.FindAll()
# Pull the samAccountName and msDS-UserPasswordExpiryTimeComputed attributes from the results.
# The expiry value is a FILETIME (Int64). Two sentinel values are returned by the DC:
#   0                  -> the password must be changed at next logon
#   [Int64]::MaxValue  -> the password never expires
# [DateTime]::FromFileTime throws on the MaxValue sentinel, so map both cases to text
# instead of converting them.
$users.GetEnumerator() |
Select-Object @{Name="SamAccountName"; Expression={ $_.Properties["samAccountName"].Item(0) }},
@{Name="PasswordExpiry"; Expression={
$raw = $_.Properties["msds-userpasswordexpirytimecomputed"]
if ($raw.Count -eq 0 -or $raw.Item(0) -eq 0) { "Must change at next logon" }
elseif ($raw.Item(0) -eq [Int64]::MaxValue) { "Never" }
else { [DateTime]::FromFileTime($raw.Item(0)) }
}}
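As an added example that is not part of the answer above (nor the questioner's VBScript), the same DirectorySearcher approach can be pointed at each domain in turn to find the account the script runs as, which covers the three-domain setup from the question without the AD module and without admin rights. The domain names and the helper name Get-OwnPasswordExpiry are assumptions; replace the names with your forest's domains.

```powershell
# Added example: per-domain lookup of the current user's password expiry using only
# System.DirectoryServices and the caller's own credentials. Domain names are placeholders.
$Domains = @("corp.example", "eu.corp.example", "apac.corp.example")

function Get-OwnPasswordExpiry {
    param([string]$DomainDns, [string]$SamAccountName)

    # "LDAP://<domain dns name>" lets the DC locator pick a controller of that domain
    # instead of always using the logon domain, which is what "net user /domain" does.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainDns")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = "Subtree"
    # Escape the value per RFC 4515 so an odd account name cannot change the filter's meaning.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
    $searcher.Filter = "(&(objectClass=user)(sAMAccountName=$escaped))"
    [void]$searcher.PropertiesToLoad.Add("msDS-UserPasswordExpiryTimeComputed")

    $result = $searcher.FindOne()
    if ($null -eq $result) { return $null }   # account is not known in this domain

    $raw = $result.Properties["msds-userpasswordexpirytimecomputed"]
    # Constructed attribute sentinels: 0 = must change at next logon,
    # Int64.MaxValue = never expires (FromFileTime would throw on that value).
    if ($raw.Count -eq 0 -or $raw.Item(0) -eq 0) {
        $expires = $null; $status = "Must change at next logon"
    } elseif ($raw.Item(0) -eq [Int64]::MaxValue) {
        $expires = $null; $status = "Never expires"
    } else {
        $expires = [DateTime]::FromFileTime($raw.Item(0))
        $days = [Math]::Floor(($expires - (Get-Date)).TotalDays)
        $status = if ($days -lt 0) { "Expired" } else { "Expires in $days day(s)" }
    }
    [PSCustomObject]@{ Domain = $DomainDns; Account = $SamAccountName; Expiry = $expires; Status = $status }
}

# Ask every domain about the account we are running as; domains that do not know the
# account return nothing, so only the matching domain(s) produce a row.
foreach ($d in $Domains) {
    try {
        Get-OwnPasswordExpiry -DomainDns $d -SamAccountName $env:USERNAME
    } catch {
        Write-Warning "Could not query $d : $($_.Exception.Message)"
    }
}
```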