Use this PowerShell script to display the current bad password count for all enabled Active Directory user accounts, summed across every domain controller:

# Import active directory modules
import-module activedirectory;

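# Get all domain controllers.
# NOTE: the search base is specific to the example domain (kamal.local);
# change it to the Domain Controllers OU of your own domain.
$dcs = Get-ADComputer -Filter * -SearchBase "ou=domain controllers,dc=kamal,dc=local"

# Get all enabled users, sorted by name.
# To check a single account, replace the -Filter with "-Identity <username>".
$users = Get-ADUser -Filter {enabled -eq $true} | Sort-Object name

# badPwdCount is not replicated: each domain controller keeps its own counter,
# which is why every DC is queried and the values are summed per user.
# NOTE(review): failed logons are normally also checked against the PDC
# emulator, so the sum can overstate the real number of attempts - treat it as
# an indicator, not an exact count. Non-zero counts on many accounts at the
# same time are worth investigating.
foreach ($user in $users) {
    $badpwdcount = 0

    # Loop through each domain controller
    foreach ($dc in $dcs) {
        # Reset first: without this, a failed query would leave the result of
        # the previous DC (or previous user) in $newuser and it would be added
        # to the total a second time.
        $newuser = $null
        try {
            $newuser = Get-ADUser $user.samaccountname -Server $dc.name -Properties badpwdcount -ErrorAction Stop
        }
        catch {
            # An unreachable DC makes the total incomplete; say so instead of
            # silently reporting a wrong number.
            Write-Warning ("Could not query " + $dc.name + " for " + $user.samaccountname + " (total may be incomplete): " + $_.Exception.Message)
            continue
        }

        # Add this DC's counter to the running total
        $badpwdcount = $badpwdcount + $newuser.badpwdcount
    }

    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******"
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount
    }

    Write-Host $outline
}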

 
