Alternate for loading active directory module in powershell

I work in IT at a corporation. Users go on leave and forget to change their password. We have a password expiry of 90 days, and due to our company policy the user cannot change the password while on leave.

I created a PowerShell script that imports the Active Directory module and checks their password last set date, and I converted the PowerShell script to an exe.

When the users ran the exe file from their PC, it showed an error: unable to load the Active Directory module.

I checked online, and the forums suggest installing Remote Server Admin Tools on the PC and turning on the AD DS and AD LDS tools from Windows Features. Both require administrative rights, and we cannot do that on every single standard user's PC.

Is there any clever way to run this file without installing RSAT on every single PC? Is there any way I can modify the script so that it runs on all standard users' PCs without an administrative account of any kind? Thanks

You do not need RSAT. ADSI will do what you need:

$Days = 20
$User = [ADSI]"WinNT://$env:USERDNSDOMAIN/$env:USERNAME,user"
$Flags = $User.UserFlags.psbase.Value
# Check if password does not expire bit is set.
If ($Flags -band 65536)
{
  "Password does not expire"
}
Else
{
  # Convert from seconds to days.
  $AgeDays = $User.PasswordAge.psbase.Value / 86400
  $MaxAge = $User.MaxPasswordAge.psbase.Value / 86400
  If ($AgeDays -gt $MaxAge)
  {
    "Password Expired"
  }
  Else
  {
    If (($AgeDays + $Days) -gt $MaxAge)
    {
      "Password will expire within $Days days"
    }
    Else
    {
      "Password is not about to expire"
    }
  }
}

I would do something like this:

Save this script as passwordenquiry.vbs, place it in a shared folder, and push a desktop shortcut through GPO linking to it as PasswordEnquiry.vbs. When they click on it, they will get a notice of when their password is going to expire, and the script message tells them to change it before leaving.

Dim oDomain
Dim oUser
Dim maxPwdAge
Dim numDays
Dim warningDays
warningDays = 11

Set LoginInfo = CreateObject("ADSystemInfo") 
Set objUser = GetObject("LDAP://" & LoginInfo.UserName & "") 
strDomainDN = UCase(LoginInfo.DomainDNSName) 
strUserDN = LoginInfo.UserName

Set oDomain = GetObject("LDAP://" & strDomainDN)
Set maxPwdAge = oDomain.Get("maxPwdAge")
'========================================
' Calculate the number of days that are
' held in this value.
'========================================
numDays = CCur((maxPwdAge.HighPart * 2 ^ 32) + _
maxPwdAge.LowPart) / CCur(-864000000000)
'WScript.Echo "Maximum Password Age: " & numDays

'========================================
' Determine the last time that the user
' changed his or her password.
'========================================
Set oUser = GetObject("LDAP://" & strUserDN)
'========================================
' Add the number of days to the last time
' the password was set.
'========================================
whenPasswordExpires = DateAdd("d", numDays, oUser.PasswordLastChanged)
fromDate = Date
daysLeft = DateDiff("d",fromDate,whenPasswordExpires)

'WScript.Echo "Password Last Changed: " & oUser.PasswordLastChanged
if (daysLeft < warningDays) and (daysLeft > -1) then
Msgbox "Password Expires in " & daysLeft & " day(s)" & " at " & whenPasswordExpires & chr(13) & chr(13) & "Change it before you go for leave" & chr(13) & "Press CTRL+ALT+DEL and select the 'Change a password' option", 0, "PASSWORD EXPIRATION WARNING!"
End if
'========================================
' Clean up.
'========================================
Set oUser = Nothing
Set maxPwdAge = Nothing
Set oDomain = Nothing
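
The same check can also be made over the LDAP provider from PowerShell, still without RSAT or admin rights. This is an added example, not part of either answer: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller computes from pwdLastSet and the effective maximum password age, so fine-grained password policies are reflected. The function names and the sample dates at the end are assumptions made for illustration.

```powershell
# Added example; function names are illustrative, not from the original answers.
# Assumes a domain-joined PC and a domain logon.

function Get-ExpiryMessage {
    param(
        [Parameter(Mandatory)][long]$ExpiryFileTime,  # msDS-UserPasswordExpiryTimeComputed
        [int]$WarnDays = 20,
        [datetime]$Now = [datetime]::UtcNow
    )
    # Int64.MaxValue: the password never expires (flag set, or no maximum age).
    if ($ExpiryFileTime -eq [long]::MaxValue) { return 'Password does not expire' }
    # 0: pwdLastSet is 0, so the password must be changed at next logon.
    if ($ExpiryFileTime -eq 0) { return 'Password must be changed at next logon' }

    $expires = [datetime]::FromFileTimeUtc($ExpiryFileTime)
    if ($expires -le $Now) { return 'Password Expired' }
    if (($expires - $Now).TotalDays -lt $WarnDays) {
        return "Password will expire within $WarnDays days (on $($expires.ToLocalTime()))"
    }
    return 'Password is not about to expire'
}

function Get-MyPasswordExpiry {
    param([int]$WarnDays = 20)
    # [Environment]::UserName is the logged-on account name as reported by the OS.
    $name = [Environment]::UserName
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=$name))"
    # Constructed attributes are only returned when requested by name.
    [void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$name' not found in the directory" }
    $values = $result.Properties['msds-userpasswordexpirytimecomputed']
    if ($values.Count -eq 0) { throw 'Expiry attribute was not returned by the domain controller' }
    # DirectorySearcher hands large integers back as Int64 FILETIME values.
    Get-ExpiryMessage -ExpiryFileTime ([long]$values[0]) -WarnDays $WarnDays
}

# Offline demonstration with constructed dates (no directory needed):
$now = [datetime]::new(2024, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
Get-ExpiryMessage -ExpiryFileTime $now.AddDays(5).ToFileTimeUtc()  -Now $now
Get-ExpiryMessage -ExpiryFileTime $now.AddDays(60).ToFileTimeUtc() -Now $now
Get-ExpiryMessage -ExpiryFileTime $now.AddDays(-3).ToFileTimeUtc() -Now $now
Get-ExpiryMessage -ExpiryFileTime ([long]::MaxValue)               -Now $now

# On a domain-joined PC, as the logged-on standard user:
# Get-MyPasswordExpiry -WarnDays 20
```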
