ARTools

1.0

Public/Get-StaleLocalUser.ps1

                                #requires -Version 2

function Get-StaleLocalUser

{

    <#

            .Synopsis

            Displays local user accounts whose passwords have not been changed in a given number of days.

            .DESCRIPTION

            The Get-StaleLocalUser function uses Powershell remoting to display local user accounts on remote computers whose passwords have not been changed in a given number of days.

            By default this function queries all domain-joined computers for any local user accounts that are enabled and whose password age has exceeded the maximum password age of the current domain.

            .EXAMPLE

            PS C:\> Get-StaleLocalUser

            This command queries all domain-joined computers for any local user accounts that are enabled and whose password age has exceeded the maximum password age of the current domain using the current user's credentials. 

            .EXAMPLE

            PS C:\> Get-StaleLocalUser -Credential (Get-Credential)

            This command queries all domain-joined computers for any local user accounts that are enabled and whose password age has exceeded the maximum password age of the current domain using the specified credentials. 

            .EXAMPLE

            PS C:\> Get-StaleLocalUser -IncludeDisabled

            This command queries all domain-joined computers for any local user accounts (both enabled and disabled) whose password age has exceeded the maximum password age of the current domain using the current user's credentials. 

            .EXAMPLE

            PS C:\> Get-StaleLocalUser -IncludeDisabled | Export-csv -Path c:\LocalUsers.csv

            This command queries all domain-joined computers for any local user accounts (both enabled and disabled) whose password age has exceeded the maximum password age of the current domain using the current user's credentials. The results are then exported to a CSV file named LocalUsers.csv at the root of the C drive.

            .EXAMPLE

            PS C:\>Set-Item -Path wsman:\localhost\Client\TrustedHosts -Value 172.16.0.0

            In this example a non-domain-joined computer is queried for any local user accounts (both enabled and disabled) whose password age has exceeded the maximum password age of the current domain. First, in order to use an IP adress in the value of the ComputerName parameter, the IP address of the remote computer must be included in the WinRM TrustedHosts list on the local computer. To do so, the first command is run. Please note, this command assumes the WinRM TrustedHosts list on the local computer has not been previously set or is empty.

            Next, the non-domain-joined computer can now be queried. The credentials of an administrator account on the remote computer must be provided as shown in the command below.

            PS C:\>Get-StaleLocalUser -IncludeDisabled -ComputerName 172.16.0.0 -Credential Administrator

            Finally, unless otherwise needed, the IP address of the remote computer can now be removed from the WinRM TrustedHosts list on the local computer. To do so, the below command is run. Please note, the above command assumes the WinRM TrustedHosts list on the local computer has not been previously set or is empty.

            PS C:\>Clear-Item -Path wsman:\localhost\Client\TrustedHosts

            .NOTES

            The Get-StaleLocalUser function requires administrator rights on the remote computer(s) to be queried.

            Powershell remoting must be enabled on the remote computer to properly query local user accounts. 

            If Powershell remoting is not enabled on a remote computer it can be enabled by either

            - Running Enable-PSRemoting locally or 

            - By running Enable-RemotePSRemoting and specifying the name of the remote computer.

            .PARAMETER ComputerName

            Specifies the computers on which the command runs. The default is all domain-joined computers.

            Type the NETBIOS name, IP address, or fully-qualified domain name of one or more computers in a comma-separated list. To specify the local computer, type the computer name, "localhost", or a dot (.).

            To use an IP address in the value of the ComputerName parameter, the command must include the Credential parameter. Also, the computer must be configured for HTTPS transport or the IP address of the remote computer must be included in the WinRM TrustedHosts list on the local computer. For instructions for adding a computer name to the TrustedHosts list, see "How to Add  a Computer to the Trusted Host List" in about_Remote_Troubleshooting.

            .PARAMETER Credential

            Specifies a user account that has permission to perform this action. The default is the current user.

            Type a user name, such as "User01" or "Domain01\User01", or enter a variable that contains a PSCredential object, such as one generated by the Get-Credential cmdlet. When you type a user name, you will be prompted for a password.

            .PARAMETER DaysOld

            Specifies the maximum password age in number of days. The default is the maximum password age of the current domain.

            .PARAMETER IncludeDisabled

            Specifies the function include disabled local user accounts in the results.

    #>

    [cmdletbinding()]

    Param(

        [Parameter(Mandatory = $False,Position = 0,ValueFromPipelineByPropertyName = $True)]

        [Alias('Name')]

        [string[]]$ComputerName = (Get-ADComputer -Filter *).Name,

        [Parameter(Mandatory = $False)]

        [pscredential]$Credential = $null,

        [Parameter(Mandatory = $False)]

        [int]$DaysOld = (Get-ADDefaultDomainPasswordPolicy -Identity $env:USERDNSDOMAIN).MaxPasswordAge.Days,

        [Parameter(Mandatory = $False)]

        [switch]$IncludeDisabled

    )

    Begin{}

    Process{

        $ScriptBlock = {

            [int]$DaysOld = $Using:DaysOld

            [bool]$IncludeDisabled = $Using:IncludeDisabled

            $WarningPreference = $Using:WarningPreference

            Add-Type -AssemblyName System.DirectoryServices.AccountManagement

            $PrincipalContext = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList ([System.DirectoryServices.AccountManagement.ContextType]::Machine, $env:COMPUTERNAME)

            $UserPrincipal = New-Object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList ($PrincipalContext)

            $Searcher = New-Object -TypeName System.DirectoryServices.AccountManagement.PrincipalSearcher

            $Searcher.QueryFilter = $UserPrincipal

            $Searcher.FindAll() |

            Where-Object -FilterScript {

                $_.LastPasswordSet -le (Get-Date).AddDays($(-$DaysOld))

            } |

            Select-Object -Property Name, @{

                n = 'Username'

                e = {

                    $_.samaccountname

                }

            }, Enabled, Description, LastPasswordSet, PasswordNeverExpires, PasswordNotRequired |

            ForEach-Object -Process {

                $Object  = $_

                If($IncludeDisabled)

                {

                    $Object

                }

                Else

                {

                    $Object |

                    Where-Object -FilterScript {

                        $_.Enabled -eq $True

                    }

                }

            }

        }

        $InvokeArgs = @{

            ComputerName = $ComputerName

        }

        If($null -ne $Credential)

        {

            $InvokeArgs.Credential = $Credential

        }

        $InvokeArgs.ComputerName = Test-PSRemoting @InvokeArgs -WarningAction $WarningPreference

        If($null -eq $InvokeArgs.ComputerName)

        {

            Break

        }

        $InvokeArgs.ScriptBlock = $ScriptBlock

        Invoke-Command @InvokeArgs | Select-Object -Property * -ExcludeProperty RunspaceID

    }

    End{}

}