Finding users that can change their password

Way back in this post

https://richardspowershellblog.wordpress.com/2012/02/10/finding-users-who-cannot-change-password/

I showed how to discover those users who can’t change their passwords. I was recently asked how to find those users that can change their password.

Active Directory doesn’t store this information directly, but the CannotChangePassword attribute is false for those users that can change their password:

£> Get-ADUser -Identity richard -Properties CannotChangePassword

CannotChangePassword : False
DistinguishedName    : CN=Richard,CN=Users,DC=Manticore,DC=org
Enabled              : True
GivenName            :
Name                 : Richard
ObjectClass          : user
ObjectGUID           : 7c42be70-c6b2-401f-8296-46de9ee7446c
SamAccountName       : Richard
SID                  : S-1-5-21-195014076-723736408-1406369008-1104
Surname              :
UserPrincipalName    : Richard@Manticore.org

So if you don’t mind using double negative logic you can find users that can change passwords like this:

Get-ADUser -Filter * -Properties CannotChangePassword |
where {-not $_.CannotChangePassword } |
Format-Table Name, DistinguishedName

I’ve restricted the properties brought back to the default ones plus CannotChangePassword.

Use

-not $_.CannotChangePassword

as a filter to determine the users that have the attribute set to false

You could also use

! $_.CannotChangePassword

but I prefer using -not as it’s easier to read.
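
The same test turned into a positive CanChangePassword column, so later filtering needs no double negative. This is an added example, not part of the original post: the function name Get-UserPasswordChangeStatus and the OU in the usage comment are hypothetical, and it assumes the ActiveDirectory module is installed.

```powershell
#Requires -Modules ActiveDirectory

function Get-UserPasswordChangeStatus {
    [CmdletBinding()]
    param(
        # Optional OU or container to limit the search
        [string]$SearchBase,

        # Include disabled accounts as well as enabled ones
        [switch]$IncludeDisabled
    )

    # Default properties plus the ones needed for the report
    $params = @{
        Filter     = '*'
        Properties = 'CannotChangePassword', 'PasswordNeverExpires', 'PasswordLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    # CannotChangePassword is tested after retrieval, as in the post,
    # and inverted once here so callers can filter on a positive value.
    Get-ADUser @params |
        Where-Object { $IncludeDisabled -or $_.Enabled } |
        Select-Object Name, SamAccountName, Enabled,
            @{ Name = 'CanChangePassword'; Expression = { -not $_.CannotChangePassword } },
            PasswordNeverExpires, PasswordLastSet, DistinguishedName
}

# Usage (the OU path is a constructed value):
# Get-UserPasswordChangeStatus -SearchBase 'OU=Staff,DC=Manticore,DC=org' |
#     Where-Object CanChangePassword |
#     Sort-Object PasswordLastSet |
#     Format-Table Name, PasswordNeverExpires, PasswordLastSet -AutoSize
```

Swapping `Where-Object CanChangePassword` for `Where-Object { -not $_.CanChangePassword }` gives the list from the earlier post, and the PasswordNeverExpires column helps pick out accounts that deserve a closer look in either list.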
