Hi, this is Jeff Hicks. Today I want to demonstrate how to get a handle on user passwords. Policing your user passwords is a great way to head-off problems before they become too serious. Let’s take a look at the new Active Directory Administrative Center that you can use to manage your Domain Controller running Server 2008 R2 or an older Domain Controller running the Active Directory Web Service which you can download from Microsoft.
I am right now on a Windows 7 client that has the remote server administration tools installed and they are configured to manage Active Directory. I can go to Administrative Tools and grab this Active Directory Administrative Center. This actually runs on top of PowerShell. I get this nice administrative interface that can be used to replace Active Directory Users and Computers.
I am going to come down here to the global search section and I am going to search my entire domain and I am going to add some criteria. I only want to search for users that are enabled, I am going to ignore disabled accounts and I am curious to know which user accounts have passwords that maybe do not have an expiration date. I am going to add those criteria and then I am going to modify them, change this from disable to enable and I want “Users whose password has no expiration date”. I can click Search and in a moment there are in fact the user accounts that have no expiration date and there may be some I might want to modify. You can double-click an entry and up will come a section where you can modify or edit that user. I am not going to make any changes there.
Let me show you another handy way to police your passwords. I am going to keep the enabled criteria. I am going to delete this criterion. I am going to add a criterion that says here “Users with a password expiring in a given number of days”. What this will show me – I am going to put in seven – I want to find out what passwords will expire in the next 7 days. This will be very handy information to have if I come in Monday morning and I can create a list of users that I need to make sure they get their passwords changed before they run into problems. I am going to click Search, and there is in my case a list of users who need to have their passwords changed because they will expire in the next 7 days.
I can also, because this is running on PowerShell, use PowerShell directly. I have a script which you be able to download from the site, that will do the same thing. I am going to run the script and have it create a table and then save that result to a text file because the administrative center does not really have a way to export or print data. I am just going to use PowerShell to that for me. I can run that, I get a little message saying it is finding users with the passwords set between the dates you see there, and it is finished. I can take a look at the text file, and now I can print this off if I wanted to, and hand it off to a technician or another administrator to track down those people and help make sure their passwords get changed.
I hope you found this useful, keeping track of user passwords can keep you out of trouble and make everyone’s life a whole lot better. Thank you very much.