我想将ADDefaultDomainPasswordPolicy放入AD树中的特定文件夹。 'OU=FOLDER,OU=FOLDER,DC=Domain,=DC=net'
我想搜索要在我设置的任何天数内到期的用户,以查找将要到期的用户帐户并创建报告。
我尝试过-server FQDN和-identity差异。
我也尝试过将SearchBase过滤器设置为FQDN ...我迷路了,但我仍然绿了。
Import-Module ActiveDirectory
#Set the number of days within expiration. This will start to send the email x number of days before it is expired.
$DaysWithinExpiration = 30
#Set the days where the password is already expired and needs to change. -- Do Not Modify --
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy -Identity spihost.net).MaxPasswordAge.Days
$expiredDate = (Get-Date).addDays(-$MaxPwdAge)
#Set the number of days until you would like to begin notifing the users. -- Do Not Modify --
$passwordDate = (Get-Date).addDays(-($MaxPwdAge - $DaysWithinExpiration))
#Filters for all users who's password is within $date of expiration.
$ExpiredUsers = Get-ADUser -searchbase "OU=SUBFOLDER,OU=MAINFOLDER,DC=DOMAIN,DC=com" -Filter {(PasswordLastSet -lt $passwordDate) -and (PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail | select samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}}, @{name = "password"; Expression = {$_.mail}} | Sort-Object PasswordLastSet
# Rename CHANGEME to sitecode
$ExpiredUsers | Export-Csv -Path c:\temp\CHANGEME_30_days.csv
答案 0 :(得分:0)
不确定您需要做什么。 AD默认域密码策略绑定到AD域,而不绑定到OU。为了获得更高的粒度(即将策略应用于单个AD组),您需要使用精细粒度密码策略(FGPP) 看这里: https://blogs.technet.microsoft.com/canitpro/2013/05/29/step-by-step-enabling-and-using-fine-grained-password-policies-in-ad/