This PowerShell script checks the status of a specified user account on multiple domain controllers, displays user information, and handles password resets if necessary.
- A Windows machine with PowerShell 5.1 or later installed.
- The `ActiveDirectory` PowerShell module installed on the machine running the script.
- A file named "servers.txt" in the same directory as the script, containing a list of domain controllers to check, one per line (optional).
The `ActiveDirectory` PowerShell module is included with the Windows Server operating system and can be installed as a feature on Windows Server machines. On non-server Windows machines, the `ActiveDirectory` PowerShell module can be installed using one of the following methods:

Method 1 (PowerShell):

- Open a PowerShell console as an administrator.
- Run the following command to install the `RSAT-AD-PowerShell` feature: `Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"`
- Verify that the `ActiveDirectory` module is installed by running the following command: `Get-Module -ListAvailable -Name ActiveDirectory`. This should display information about the `ActiveDirectory` module if it is installed correctly.

Method 2 (Settings app):

- Open the Settings app and navigate to "Apps & features".
- Click on "Optional features" and then click on "Add a feature".
- Scroll down until you find "RSAT: Active Directory Domain Services and Lightweight Directory Tools" and click on it to select it.
- Click on "Install" to install the feature.

After installing the feature, verify that the `ActiveDirectory` module is installed by following step 3 from Method 1 above.
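The two installation methods above can be folded into one idempotent check-and-install step. The following is an added example, not part of the README or the script it describes; it uses the capability name quoted in Method 1 and assumes an elevated PowerShell session on a client (non-server) Windows edition.

```powershell
# Added example (not from the README or ADUserChecker.ps1): verify that the
# ActiveDirectory module is available and, if it is not, install the RSAT
# capability named in Method 1, then re-verify. Must be run as administrator.

function Test-ADModuleInstalled {
    # Get-Module -ListAvailable returns nothing when the module is absent
    return [bool](Get-Module -ListAvailable -Name ActiveDirectory)
}

function Install-ADModuleIfMissing {
    if (Test-ADModuleInstalled) {
        Write-Host 'ActiveDirectory module already present'
        return $true
    }

    # Capability name as given in the README (Method 1)
    $capName = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    $cap = Get-WindowsCapability -Online -Name $capName
    if ($cap.State -ne 'Installed') {
        Write-Host "Installing capability $capName ..."
        Add-WindowsCapability -Online -Name $capName | Out-Null
    }

    # Re-check so the caller learns whether the install actually took effect
    return (Test-ADModuleInstalled)
}

if (-not (Install-ADModuleIfMissing)) {
    Write-Warning 'ActiveDirectory module is still unavailable; try Method 2 (Settings app).'
}
```

Because the function checks the module first and the capability state second, it can be re-run safely on a machine where the module is already installed.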
- Make sure the `ActiveDirectory` PowerShell module is installed on the machine running the script.
- (Optional) Create a file named "servers.txt" in the same directory as the script and list the domain controllers to check, one per line. If this file is not present, the script will fetch the domain controllers dynamically.
- Run the script and follow the prompts.
- Import ActiveDirectory Module: The script begins by importing the `ActiveDirectory` module.
- Check if Machine is a Domain Controller: Uses the `Is-DomainController` function to determine if the machine running the script is a domain controller.
- Get Domain Controller List: The `Get-DomainControllers` function retrieves the list of domain controllers either from `servers.txt` or dynamically.
- Get Credentials: If the script is not running on a domain controller, it will prompt for credentials.
- User Interaction: Prompts for a username to check and retrieves user information using the `Get-UserInfo` function.
- Display User Information: The `Display-UserInfo` function displays detailed user information.
- Password Reset: If the user's password is expired, the script will reset the password to 'Password1' and require a change at the next logon.
- Lockout Status: Displays whether the account is locked out on any domain controllers.
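The steps above can be seen end to end in the following added example. It is not the original `ADUserChecker.ps1` and not the author's code: the function names follow the README, but their bodies, the `New-TemporaryPassword` helper and the `Reset-ExpiredPassword` function are assumptions. One deliberate departure from the README is labelled in the code: instead of a fixed 'Password1', the reset uses a per-reset random temporary password, because a static reset value that is known to anyone who has read the script is guessable by anyone who can see that an account was just reset. The example assumes a domain-joined Windows host with the `ActiveDirectory` module and sufficient rights to read and reset the target account.

```powershell
# Added example (not the original ADUserChecker.ps1): condensed version of the
# workflow described in the README. Function names follow the README; bodies are
# assumptions. Requires the ActiveDirectory module and a domain-joined host.
Import-Module ActiveDirectory -ErrorAction Stop

function Is-DomainController {
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    return ($role -eq 4 -or $role -eq 5)
}

function Get-DomainControllers {
    param([string]$ListPath = (Join-Path $PSScriptRoot 'servers.txt'))
    if (Test-Path $ListPath) {
        # One DC per line, as the README describes; skip blank lines
        return Get-Content $ListPath | Where-Object { $_.Trim() -ne '' }
    }
    # No servers.txt: discover the DCs dynamically
    return (Get-ADDomainController -Filter *).HostName
}

function New-TemporaryPassword {
    # Assumption (departs from the README's fixed 'Password1'): a random one-time
    # value from a CSPRNG, rejection-sampled to avoid modulo bias.
    param([int]$Length = 20)
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%&*'
    $limit = 256 - (256 % $alphabet.Length)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $sb.ToString()
}

function Get-UserInfo {
    param([string]$UserName, [string]$Server, [pscredential]$Credential)
    $props = 'Enabled', 'AccountExpirationDate', 'PasswordExpired', 'PasswordLastSet',
             'PasswordNeverExpires', 'LockedOut', 'LastLogonDate'
    $params = @{ Identity = $UserName; Server = $Server; Properties = $props; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }   # only when not run on a DC
    $u = Get-ADUser @params
    # Password age is computed per DC; PasswordLastSet is $null if never set
    $age = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
    [pscustomobject]@{
        DomainController      = $Server
        Enabled               = $u.Enabled
        AccountExpirationDate = $u.AccountExpirationDate
        PasswordExpired       = $u.PasswordExpired
        PasswordAgeDays       = $age
        PasswordNeverExpires  = $u.PasswordNeverExpires
        LockedOut             = $u.LockedOut   # lockout state as seen by this DC
        LastLogonDate         = $u.LastLogonDate
    }
}

function Reset-ExpiredPassword {
    param([string]$UserName, [string]$Server, [pscredential]$Credential)
    $newPass = New-TemporaryPassword
    $params = @{ Identity = $UserName; Server = $Server; ErrorAction = 'Stop' }
    if ($Credential) { $params.Credential = $Credential }
    Set-ADAccountPassword @params -Reset -NewPassword (ConvertTo-SecureString $newPass -AsPlainText -Force)
    Set-ADUser @params -ChangePasswordAtLogon $true   # force a change at next logon
    return $newPass   # shown once to the operator; not written to any log
}

# Main flow: credentials only when not running on a DC, then one pass over the DCs
$cred = if (Is-DomainController) { $null } else { Get-Credential -Message 'Enter credentials' }
$user = Read-Host 'Enter the username to check'
$resetDone = $false
$results = foreach ($dc in Get-DomainControllers) {
    Write-Host "Checking user on domain controller: $dc"
    $info = Get-UserInfo -UserName $user -Server $dc -Credential $cred
    # Reset once (replication carries it to the other DCs), and only if it can expire
    if ($info.PasswordExpired -and -not $info.PasswordNeverExpires -and -not $resetDone) {
        $temp = Reset-ExpiredPassword -UserName $user -Server $dc -Credential $cred
        Write-Host "Password expired; reset on $dc, change required at next logon. Temporary password: $temp"
        $resetDone = $true
    }
    $info
}
$results | Format-Table -AutoSize   # stands in for the README's Display-UserInfo
if ($results | Where-Object LockedOut) { Write-Host "Account is locked out on: $(($results | Where-Object LockedOut).DomainController -join ', ')" }
Write-Host "Script run by: $env:USERNAME on $(Get-Date)"
```

Querying each DC separately matters for the lockout column: lockout state is not replicated instantly, so an account can show as locked on one DC and not on another, which is why the README reports it per controller rather than once.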
```text
PS C:\> .\ADUserChecker.ps1
Enter credentials
Enter the username to check: jdoe
Checking user on domain controller: DC1
Account is enabled
Password age: 45 days
Password age is over 30 days, resetting password to 'Password1'
Account is not locked out on domain controller: DC1
Summary of information checked for user: jdoe
DomainController Enabled AccountExpirationDate PasswordExpired PasswordAgeDays PasswordNeverExpires LockedOut LastLogonDate
---------------- ------- -------------------- -------------- --------------- ------------------- -------- -------------
DC1 Yes N/A No 45 No No 10/01/2022
Script run by: admin on 10/30/2022 16:13:49
Check another user? (y/n): n
```