I need to get the last password change for a group of account in an Active Directory security group, and I feel like this is something PowerShell should be good at.
Right now, I'm already stuck at how to read the pwdLastSet attribute from the AD account I'm looking at. Even running something simple like this:
[adsi] "LDAP://cn=user1,ou=Staff,ou=User Accounts,dc=ramalamadingdong,dc=net" | Format-List *
gives results for pwdLastSet that appear like this:
pwdLastSet : {System.__ComObject}
I feel like I'm go about this the wrong way, so what's the best way to query and then format the output (the value is based on the Windows Epoch and not very human readable) of the pwdLastSet attribute?
Best Answer
You can also do this without a snap-in. I tried this and it worked:
I also get a System.__ComObject for pwdLastSet if I have the user object set like this:
$user = [adsi] "LDAP://cn=user1,ou=Staff,ou=User Accounts,dc=ramalamadingdong,dc=net"
There should be a way to use [System.__ComObject].InvokeMember() and reflection to get that pwdLastSet value from the $user object, but I haven't been able to get it right. I never did figure it out, so I used the above example and moved on.
If you're going to be doing a lot of work with AD (or Exchange or SQL Server) you might want to get the snapin for it and use that.