Server 2012 query question

markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
So I found out the client I service had a lot of user accounts with "Password Never Expired" checked. Why this isn't a group policy for the User OU, I have no idea, but he wants it to be changed manually. There's about 120 users and a lot of them are remote so they'll get locked out of their machines/applications since they won't be on a DC. I have a group of people I manage that can resolve this fairly quickly by calling each user, unchecking the option and resetting the password, however we ran into an issue.

I am able to go into AD admin center and run a query on all users in that OU that have this checked, however the client wants to send them an email first so that some of them can reset their password on their own (and so it's more "official") and save us legwork. He wanted me to export it from the server they're running. However, I google'd the heck out of this but couldn't find a way to run a search/query to output email addresses of users in that particular OU that have "Password Never Expires".

I tried several commands in Powershell, I tried a query in AD, and the filtering options in the AD admin center don't have any option for email. Anyone have any ideas?

Comments

  • DeathmageDeathmage Posts: 2,496Banned
    REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

    better brew a large pot of coffee and order up a large pie of patience.... icon_wink.gif
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    Lol. I was hacking on it for like an hour and a half but had to leave to pick up my kids. The client said it would be quick and easy and I can just Google it. Of course it wasn't at all as I don't have a ton of experience doing this.

    Probably quicker just to look up each person individually in AD or exchange and jot down their email address.
  • nsternster Posts: 231Member
    Just to clarify, you want to export a list of people's e-mails for all users in a particular OU who have the passwordneverexpire property, and their e-mails are not necessarily username+domain, right?
  • QordQord Senior Member Posts: 627Member ■■■■□□□□□□
    In active directory, is the email property populated with the correct email address? Like, is that the email address you'd use to send the heads up email?
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    nster wrote: »
    Just to clarify, you want to export a list of people's e-mails for all users in a particular OU who have the passwordneverexpire property, and their e-mails are not necessarily username+domain, right?

    Exactly.
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    Qord wrote: »
    In active directory, is the email property populated with the correct email address? Like, is that the email address you'd use to send the heads up email?

    Yes it is correct.
  • nsternster Posts: 231Member
    Would something like this work?

    Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase "OU=AccUsers,OU=TestUsers,DC=LOL,DC=com" -Properties passwordneverexpires, emailaddress | Sort-Object Name | Select-Object Name, passwordneverexpires, emailaddress | Export-Csv -Path C:\Users\administrator\Desktop\test.csv

    I actually installed a VM for the first time on my PC and Server 2012 to try this out xD
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    I'll have to try that when I'm able to get on the server. I used a similar syntax and it didn't work.
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    nster wrote: »
    Would something like this work?

    Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase "OU=AccUsers,OU=TestUsers,DC=LOL,DC=com" -Properties passwordneverexpires, emailaddress | Sort-Object Name | Select-Object Name, passwordneverexpires, emailaddress | Export-Csv -Path C:\Users\administrator\Desktop\test.csv

    I actually installed a VM for the first time on my PC and Server 2012 to try this out xD

    Tried that but I keep getting the error that I was getting before which is "Get-ADUser: Directory Object not found".
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    Got it figured out. By going the opposite direction in the OU, that worked using:

    Search-ADAccount -Users Only -PasswordNeverExpires -SearchBase "ou=z,ou=y,ou=x,dc=ad,dc=blah,dc=com" | Get AD-User -Properties Mail | Select Mail | Export-CSV C:\users

    Also, Search-ADAccount won't find email addresses so I had to use Get AD-User for that and the former to search the Password Never Expires.
  • knownheroknownhero Posts: 450Member
    markulous wrote: »
    Got it figured out. By going the opposite direction in the OU, that worked using:

    Search-ADAccount -Users Only -PasswordNeverExpires -SearchBase "ou=z,ou=y,ou=x,dc=ad,dc=blah,dc=com" | Get AD-User -Properties Mail | Select Mail | Export-CSV C:\users

    Also, Search-ADAccount won't find email addresses so I had to use Get AD-User for that and the former to search the Password Never Expires.

    Would you like the script to also email each user? I could get something basic put up for you if you want.
    70-410 [x] 70-411 [x] 70-462[x] 70-331[x] 70-332[x]
    MCSE - SharePoint 2013 :thumbup:

    Road map 2017: JavaScript and modern web development

  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    knownhero wrote: »
    Would you like the script to also email each user? I could get something basic put up for you if you want.

    They don't host exchange, so would it work on O365? Their admin just wanted a text file that was formatted email;email;email so I sent him that. I'm not sure how he plans to send the email as I don't know the maximum number of recipients that are set. I think he's good with what I gave him but thank you for the offer.
  • nsternster Posts: 231Member
    markulous wrote: »
    Got it figured out. By going the opposite direction in the OU, that worked using:

    Search-ADAccount -Users Only -PasswordNeverExpires -SearchBase "ou=z,ou=y,ou=x,dc=ad,dc=blah,dc=com" | Get AD-User -Properties Mail | Select Mail | Export-CSV C:\users

    Also, Search-ADAccount won't find email addresses so I had to use Get AD-User for that and the former to search the Password Never Expires.

    easiest way is to go in the properties of the OU you want and see what is written under distinguishedName, often times it's CN vs OU thing and also import-module activedirectory if not in the AD... otherwise maybe a permission thing? That's all the possibilities I can think of on the top of my head.
  • markulousmarkulous Posts: 2,375Member ■■■■■■■■□□
    nster wrote: »
    easiest way is to go in the properties of the OU you want and see what is written under distinguishedName, often times it's CN vs OU thing

    Ah, good tip. Just looked there and it confirms what the powershell command looked at.
Sign In or Register to comment.