0 votes

I'm trying to modify this report to only output results where employeeType equals the values below. It reports fine. I would also like to include where employeeType is blank or has no value. I can't seem to figure out how to set the search filter to a blank or null value.

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdInt64 = $threshold.ToFileTime()

$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))"
$filterPasswordLastSet = "(&(!(pwdLastSet=0))(pwdLastSet<=$thresholdInt64))"
$enabledUser = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=514)))"
$customAttribute = "(|(employeeType=service)(|(employeeType=admin)))"
$filter = "(&" + $filterUsers + $filterPasswordLastSet + $customAttribute + $enabledUser + ")"
by (180 points)
0

Hello,

For us to suggest a solution, please provide us with the details below. You can post them here or send them to us at support@adaxes.com.

  • A screenshot of the Multi-server environment dialog. The dialog displays how many Adaxes services you have and what their versions are. For information on how to view it, see https://www.adaxes.com/help/MultiServerEnvironment.
  • The entire script you are using.
  • If the script is from a built-in report, specify the report name.
0

The script is built in - Passwords not changed in 300 days.

Here is the full script with my small modification to filter employeeType.

# Get parameter values
$days = $Context.GetParameterValue("param-Days")
$highlight = $Context.GetParameterValue("param-Highlight") -eq "1"

# To highlight users who can log in, we need account options and the account expiration date
if ($highlight)
{
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("userAccountControl")
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.Add("accountExpires")
}

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdInt64 = $threshold.ToFileTime()

$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))"
$filterPasswordLastSet = "(&(!(pwdLastSet=0))(pwdLastSet<=$thresholdInt64))"
$enabledUser = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=514)))"
$customAttribute = "(|(employeeType=admin)(|(employeeType=service)))"
$filter = "(&" + $filterUsers + $filterPasswordLastSet + $customAttribute + $enabledUser + ")"

# Append the search filter
$Context.DirectorySearcher.AppendFilter($filter)

# Generate report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Highlight users who can log in
        $itemStyle = $NULL
        if ($highlight -and
            -not $Context.IsAccountDisabled($searchResult) -and
            -not $Context.IsAccountExpired($searchResult))
        {
            # Create a style for highlighted objects
            if ($styleHighlighted -eq $NULL)
            {
                $styleHighlighted = $Context.Items.CreateItemStyle($NULL, "#f5f7de",
                    "ADM_LISTITEMFONTSTYLE_REGULAR")
            }
            $itemStyle = $styleHighlighted
        }

        $Context.Items.Add($searchResult, $NULL, $itemStyle)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}


0

Hello,

Sorry for the confusion, but there is no such built-in report. Please provide the entire script you are using.

0

I have attached it to the first comment.

1 Answer

0 votes
by (272k points)
Best answer

Hello,

Yes, you are right, sorry for missing it. As we can see, you are using Adaxes 2023.2 and the script from the built-in report Passwords changed long ago. Starting with version 2023, criteria were added to Adaxes, and that is something you should use instead of LDAP filters. For details on how to build criteria, see https://adaxes.com/sdk/HowDoI.BuildCriteria. We updated your script accordingly and added the options you requested. Here is the final script:

# Get parameter values
$days = $Context.GetParameterValue("param-Days")
$highlight = $Context.GetParameterValue("param-Highlight") -eq "1"

# To highlight users who can log in, we need account options and the account expiration date
if ($highlight)
{
    $Context.DirectorySearcher.SearchParameters.PropertiesToLoad.AddRange(@(
        "userAccountControl", "accountExpires"))
}

# Set search criteria
$threshold = (Get-Date).AddDays(- $days)
$criteria = New-AdmCriteria "user" {(mailboxType -ne "shared") -and (pwdLastSet -lt $threshold) -and (accountDisabled -eq $false)}
$criteria["user"].Add({(employeeType -eq "admin") -or (employeeType -eq "service") -or (employeeType -empty $True)})
$Context.DirectorySearcher.AddCriteria($criteria)

# Build the report
try
{
    $searchIterator = $Context.DirectorySearcher.ExecuteSearch()
    while ($Context.MoveNext($searchIterator))
    {
        $searchResult = $searchIterator.Current

        # Highlight users who can log in
        $itemStyle = $NULL
        if ($highlight -and
            -not $Context.IsAccountDisabled($searchResult) -and
            -not $Context.IsAccountExpired($searchResult))
        {
            # Create a style for highlighted objects
            if (-not $styleHighlighted)
            {
                $styleHighlighted = $Context.Items.CreateItemStyle($NULL, "#f5f7de",
                    "ADM_LISTITEMFONTSTYLE_REGULAR")
            }
            $itemStyle = $styleHighlighted
        }

        $Context.Items.Add($searchResult, $NULL, $itemStyle)
    }
}
finally
{
    if ($searchIterator) { $searchIterator.Dispose() }
}
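
For readers who stay on plain LDAP filters, as in the question, "attribute is blank" is expressed as a negated presence test, `(!(employeeType=*))`, because Active Directory does not store empty values. The following is an added example, not code from the thread or from Adaxes; the helper function names and the sample `$days` value are assumptions, and the other filter parts are copied from the question.

```powershell
# Added example: helper names are hypothetical and not part of Adaxes.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value: \ * ( ) NUL
    param([Parameter(Mandatory)][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-EmployeeTypeFilter {
    # Build an OR clause over the allowed values, optionally also matching
    # objects where employeeType is not set at all.
    param(
        [string[]]$AllowedValues = @(),
        [switch]$IncludeUnset
    )
    $clauses = @(foreach ($v in $AllowedValues) {
        "(employeeType=$(ConvertTo-LdapFilterValue $v))"
    })
    if ($IncludeUnset) {
        # "No value" in LDAP is "attribute not present": negate the presence test.
        $clauses += '(!(employeeType=*))'
    }
    if ($clauses.Count -eq 0) {
        throw 'Specify at least one value or -IncludeUnset; "(|)" is not a valid filter.'
    }
    '(|' + ($clauses -join '') + ')'
}

# Constructed sample value; in the report this comes from param-Days.
$days = 300
$thresholdInt64 = (Get-Date).AddDays(-$days).ToFileTime()

# Filter parts copied from the script in the question.
$filterUsers = "(&(sAMAccountType=805306368)(|(!(msExchRecipientTypeDetails=*))(!(msExchRecipientTypeDetails:1.2.840.113556.1.4.804:=7276219883574))))"
$filterPasswordLastSet = "(&(!(pwdLastSet=0))(pwdLastSet<=$thresholdInt64))"
$enabledUser = "(&(!(userAccountControl:1.2.840.113556.1.4.803:=514)))"

# admin, service, or employeeType not set
$customAttribute = New-EmployeeTypeFilter -AllowedValues 'admin', 'service' -IncludeUnset

$filter = "(&" + $filterUsers + $filterPasswordLastSet + $customAttribute + $enabledUser + ")"
$filter
```

Including the unset case keeps accounts that were never classified from silently dropping out of a stale-password report.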
