Server 2012 query question

So I found out the client I service had a lot of user accounts with "Password Never Expired" checked. Why this isn't a group policy for the User OU, I have no idea, but he wants it to be changed manually. There's about 120 users and a lot of them are remote so they'll get locked out of their machines/applications since they won't be on a DC. I have a group of people I manage that can resolve this fairly quickly by calling each user, unchecking the option and resetting the password, however we ran into an issue.

I am able to go into AD admin center and run a query on all users in that OU that have this checked, however the client wants to send them an email first so that some of them can reset their password on their own (and so it's more "official") and save us legwork. He wanted me to export it from the server they're running. However, I google'd the heck out of this but couldn't find a way to run a search/query to output email addresses of users in that particular OU that have "Password Never Expires".

I tried several commands in Powershell, I tried a query in AD, and the filtering options in the AD admin center don't have any option for email. Anyone have any ideas?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Deathmage

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

better brew a large pot of coffee and order up a large pie of patience....

markulous

Lol. I was hacking on it for like an hour and a half but had to leave to pick up my kids. The client said it would be quick and easy and I can just Google it. Of course it wasn't at all as I don't have a ton of experience doing this.

Probably quicker just to look up each person individually in AD or exchange and jot down their email address.

nster

Just to clarify, you want to export a list of people's e-mails for all users in a particular OU who have the passwordneverexpire property, and their e-mails are not necessarily username+domain, right?

Qord

In active directory, is the email property populated with the correct email address? Like, is that the email address you'd use to send the heads up email?

markulous

nster wrote: »

Just to clarify, you want to export a list of people's e-mails for all users in a particular OU who have the passwordneverexpire property, and their e-mails are not necessarily username+domain, right?

Exactly.

markulous

Qord wrote: »

In active directory, is the email property populated with the correct email address? Like, is that the email address you'd use to send the heads up email?

Yes it is correct.

nster

Would something like this work?

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase "OU=AccUsers,OU=TestUsers,DC=LOL,DC=com" -Properties passwordneverexpires, emailaddress | Sort-Object Name | Select-Object Name, passwordneverexpires, emailaddress | Export-Csv -Path C:\Users\administrator\Desktop\test.csv

I actually installed a VM for the first time on my PC and Server 2012 to try this out xD

markulous

I'll have to try that when I'm able to get on the server. I used a similar syntax and it didn't work.

markulous

nster wrote: »

Would something like this work?

Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase "OU=AccUsers,OU=TestUsers,DC=LOL,DC=com" -Properties passwordneverexpires, emailaddress | Sort-Object Name | Select-Object Name, passwordneverexpires, emailaddress | Export-Csv -Path C:\Users\administrator\Desktop\test.csv

I actually installed a VM for the first time on my PC and Server 2012 to try this out xD

Tried that but I keep getting the error that I was getting before which is "Get-ADUser: Directory Object not found".

markulous

Got it figured out. By going the opposite direction in the OU, that worked using:

Search-ADAccount -Users Only -PasswordNeverExpires -SearchBase "ou=z,ou=y,ou=x,dc=ad,dc=blah,dc=com" | Get AD-User -Properties Mail | Select Mail | Export-CSV C:\users

Also, Search-ADAccount won't find email addresses so I had to use Get AD-User for that and the former to search the Password Never Expires.

knownhero

markulous wrote: »

Got it figured out. By going the opposite direction in the OU, that worked using:

Search-ADAccount -Users Only -PasswordNeverExpires -SearchBase "ou=z,ou=y,ou=x,dc=ad,dc=blah,dc=com" | Get AD-User -Properties Mail | Select Mail | Export-CSV C:\users

Also, Search-ADAccount won't find email addresses so I had to use Get AD-User for that and the former to search the Password Never Expires.

Would you like the script to also email each user? I could get something basic put up for you if you want.

markulous

knownhero wrote: »

Would you like the script to also email each user? I could get something basic put up for you if you want.

They don't host exchange, so would it work on O365? Their admin just wanted a text file that was formatted email;email;email so I sent him that. I'm not sure how he plans to send the email as I don't know the maximum number of recipients that are set. I think he's good with what I gave him but thank you for the offer.

nster

markulous wrote: »

Got it figured out. By going the opposite direction in the OU, that worked using:

Search-ADAccount -Users Only -PasswordNeverExpires -SearchBase "ou=z,ou=y,ou=x,dc=ad,dc=blah,dc=com" | Get AD-User -Properties Mail | Select Mail | Export-CSV C:\users

Also, Search-ADAccount won't find email addresses so I had to use Get AD-User for that and the former to search the Password Never Expires.

easiest way is to go in the properties of the OU you want and see what is written under distinguishedName, often times it's CN vs OU thing and also import-module activedirectory if not in the AD... otherwise maybe a permission thing? That's all the possibilities I can think of on the top of my head.

markulous

nster wrote: »

easiest way is to go in the properties of the OU you want and see what is written under distinguishedName, often times it's CN vs OU thing

Ah, good tip. Just looked there and it confirms what the powershell command looked at.