Finding users that can change their password

Way back in this post

I showed how to discover those users who can’t change their passwords. I was recently asked how to find those users that can change their password.

Active Directory doesn’t store this information directly but the CannotChangePassowrd attribute is  false for those users that can change their password

£> Get-ADUser -Identity richard -Properties CannotChangePassword

CannotChangePassword : False
DistinguishedName    : CN=Richard,CN=Users,DC=Manticore,DC=org
Enabled              : True
GivenName            :
Name                 : Richard
ObjectClass          : user
ObjectGUID           : 7c42be70-c6b2-401f-8296-46de9ee7446c
SamAccountName       : Richard
SID                  : S-1-5-21-195014076-723736408-1406369008-1104
Surname              :
UserPrincipalName    :

So is you don’t mind using double negative logic you can find users that can change passwords like this:

Get-ADUser -Filter * -Properties CannotChangePassword |
where {-not $_.CannotChangePassword } |
Format-Table Name, DistinguishedName

I’ve restricted the properties brought back to the default ones plus CannotChangePassword


-not $_.CannotChangePassword

as a filter to determine the users that have the attribute set to false

You could also use

! $_.CannotChangePassword

but I prefer using –not as its easier to read

This entry was posted in PowerShell and Active Directory. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s