Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2014-08-08) Interesting Attribute: Determining Effective PSO (msDS-ResultantPSO)

Posted by Jorge on 2014-08-08


Have you ever wanted to get a simple list of all user accounts and see which password policy (a fine-grained Password Settings Object, or the default domain policy when no PSO applies) is effective for each account, and what its settings are? Well, you can use the PowerShell script below if you want.

$userInfo = @()
Import-Module ActiveDirectory
Get-ADuser -Filter * | %{
    $sAMAccountName = $null
    $sAMAccountName = $_.sAMAccountName
    # msDS-ResultantPSO is a constructed attribute, so it has to be requested explicitly
    $effectivePSO = $null
    $effectivePSO = (Get-ADuser $sAMAccountName -Properties "msDS-ResultantPSO")."msDS-ResultantPSO"
    If ($effectivePSO -ne $null){
        # A fine-grained password policy (PSO) applies to this account
        $objPSO = Get-ADObject -Identity $effectivePSO -Properties *
        $effectivePSOName = $objPSO.Name
        # Age values are stored as negative 100-nanosecond intervals: -864000000000 = 1 day
        $effectivePSOMinPwdAge = ($objPSO."msDS-MinimumPasswordAge")/ -864000000000
        $effectivePSOMaxPwdAge = ($objPSO."msDS-MaximumPasswordAge")/ -864000000000
        $effectivePSOMinPwdLength = $objPSO."msDS-MinimumPasswordLength"
        $effectivePSOComplexEnabled = $objPSO."msDS-PasswordComplexityEnabled"
        $effectivePSOPwdHistoryLength = $objPSO."msDS-PasswordHistoryLength"
        $effectivePSOPwdRevEncrEnabled = $objPSO."msDS-PasswordReversibleEncryptionEnabled"
        # Lockout values use the same unit: -600000000 = 1 minute
        $effectivePSOLockoutDuration = ($objPSO."msDS-LockoutDuration")/ -600000000
        $effectivePSOLockoutObservationWindow = ($objPSO."msDS-LockoutObservationWindow")/ -600000000
        $effectivePSOLockoutThreshold = $objPSO."msDS-LockoutThreshold"
    } Else {
        # No PSO applies, so the domain-level settings (Default Domain Policy GPO) are effective
        $objPSO = Get-ADObject -Identity (Get-ADRootDSE).defaultNamingContext -Properties minPwdAge,maxPwdAge,minPwdLength,pwdProperties,pwdHistoryLength,lockoutDuration,lockOutObservationWindow,lockoutThreshold
        $effectivePSOName = "Default Domain GPO"
        # Convert 100-nanosecond intervals to seconds (-10000000) and then to days (86400)
        $effectivePSOMinPwdAge = (($objPSO.minPwdAge)/ -10000000) / 86400
        $effectivePSOMaxPwdAge = (($objPSO.maxPwdAge)/ -10000000) / 86400
        $effectivePSOMinPwdLength = $objPSO.minPwdLength
        # pwdProperties is a bit field: bit 1 = complexity required, bit 16 = store passwords with reversible encryption
        If ($objPSO.pwdProperties -band 1) {$effectivePSOComplexEnabled = "True"} Else {$effectivePSOComplexEnabled= "False"}
        $effectivePSOPwdHistoryLength = $objPSO.pwdHistoryLength
        If ($objPSO.pwdProperties -band 16) {$effectivePSOPwdRevEncrEnabled = "True"} Else {$effectivePSOPwdRevEncrEnabled = "False"}
        $effectivePSOLockoutDuration = ($objPSO.lockoutDuration)/ -600000000
        $effectivePSOLockoutObservationWindow = ($objPSO.lockOutObservationWindow)/ -600000000
        $effectivePSOLockoutThreshold = $objPSO.lockoutThreshold
    }
    # Build one output row per account
    $userInfoEntry = "" | Select "Logon Account","Effective PSO","Min/Max Days","Len","Complex","Hist","Rev Encr","Lock Dur (m)","Lock Window (m)","Lock Thresh"
    $userInfoEntry."Logon Account" = $sAMAccountName
    $userInfoEntry."Effective PSO" = $effectivePSOName
    $userInfoEntry."Min/Max Days" = $([string]$effectivePSOMinPwdAge + "/" + [string]$effectivePSOMaxPwdAge)
    $userInfoEntry."Len" = $effectivePSOMinPwdLength
    $userInfoEntry."Complex" = $effectivePSOComplexEnabled
    $userInfoEntry."Hist" = $effectivePSOPwdHistoryLength
    $userInfoEntry."Rev Encr" = $effectivePSOPwdRevEncrEnabled
    $userInfoEntry."Lock Dur (m)" = $effectivePSOLockoutDuration
    $userInfoEntry."Lock Window (m)" = $effectivePSOLockoutObservationWindow
    $userInfoEntry."Lock Thresh" = $effectivePSOLockoutThreshold
    $userInfo += $userInfoEntry
}
Clear-Host
$userInfo | FT -AutoSize

Oh, you wanted to export that info to a CSV instead of the screen output? Replace the last line "$userInfo | FT -AutoSize" with "$userInfo | Export-Csv <Path to CSV> -NoTypeInformation"
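As an added example (not part of the original post), the same msDS-ResultantPSO lookup can be turned into an audit: read the attribute in the initial Get-ADUser call, resolve the effective policy with Get-ADFineGrainedPasswordPolicy or Get-ADDefaultDomainPasswordPolicy (which return the ages and lockout timers as TimeSpans, so no manual interval conversion is needed), and flag accounts whose effective policy falls below a baseline. The baseline values are illustrative assumptions.

```powershell
Import-Module ActiveDirectory

# Baseline is an assumption for illustration; adjust it to your own standard.
$Baseline = @{ MinLength = 14; MaxAgeDays = 365; HistoryCount = 24; LockoutThreshold = 10 }

function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)]$User)   # ADUser object with msDS-ResultantPSO loaded
    $psoDn = $User.'msDS-ResultantPSO'
    if ($psoDn) {
        # A PSO applies; the cmdlet exposes the 100ns intervals as TimeSpans
        $p = Get-ADFineGrainedPasswordPolicy -Identity $psoDn
        $name = $p.Name
    } else {
        # No PSO applies, so the domain default (Default Domain Policy GPO) is effective
        $p = Get-ADDefaultDomainPasswordPolicy
        $name = 'Default Domain Policy'
    }
    [pscustomobject]@{
        LogonAccount     = $User.SamAccountName
        EffectivePolicy  = $name
        MinLength        = $p.MinPasswordLength
        MaxAgeDays       = $p.MaxPasswordAge.Days
        Complex          = $p.ComplexityEnabled
        HistoryCount     = $p.PasswordHistoryCount
        RevEncr          = $p.ReversibleEncryptionEnabled
        LockoutThreshold = $p.LockoutThreshold
    }
}

function Test-PasswordPolicyBaseline {
    param([Parameter(Mandatory)]$Policy)
    $issues = @()
    if ($Policy.MinLength -lt $Baseline.MinLength)     { $issues += "MinLength<$($Baseline.MinLength)" }
    # A 'never expires' setting surfaces as a very large TimeSpan and is flagged as well
    if ($Policy.MaxAgeDays -gt $Baseline.MaxAgeDays)   { $issues += "MaxAge>$($Baseline.MaxAgeDays)d" }
    if ($Policy.HistoryCount -lt $Baseline.HistoryCount) { $issues += "History<$($Baseline.HistoryCount)" }
    if (-not $Policy.Complex)                          { $issues += 'ComplexityOff' }
    if ($Policy.RevEncr)                               { $issues += 'ReversibleEncryption' }
    # Threshold 0 means accounts never lock out
    if ($Policy.LockoutThreshold -eq 0 -or $Policy.LockoutThreshold -gt $Baseline.LockoutThreshold) { $issues += 'WeakLockout' }
    $Policy | Add-Member -NotePropertyName Issues -NotePropertyValue ($issues -join ',') -PassThru
}

# Request msDS-ResultantPSO up front instead of doing a second lookup per user
Get-ADUser -Filter * -Properties 'msDS-ResultantPSO' |
    ForEach-Object { Test-PasswordPolicyBaseline (Get-EffectivePasswordPolicy $_) } |
    Where-Object Issues |
    Format-Table -AutoSize
```

Drop the Where-Object stage to list every account with its effective settings, or pipe to Export-Csv as described above.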


Figure 1: Output Of PowerShell Script

MSDN: ms-DS-Resultant-PSO attribute

MSDN: 3.1.1.4.5.36 msDS-ResultantPSO

MSDN: 2.420 Attribute msDS-ResultantPSO

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
