
I'm trying to get the values from the "badpwdcount" attribute. The problem is that in order to get an accurate value I should query the PDC (Primary Domain Controller). At the moment I'm using PowerShell to solve this with an LDAP search. The question: is there any chance to get the value from the PDC by using an LDAP search?

For example:

# Domain object: exposes the domain controllers and FSMO role owners (e.g. PdcRoleOwner)
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# ADSI directory entry for the domain root
$Domain = [ADSI]"LDAP://$D"
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
# SearchRoot takes the DirectoryEntry itself, not an ADsPath string
$ADSearch.SearchRoot = $Domain

This will search for the current domain. What should I do to get values from PDC?

Ender

  • Why do you believe you need to query the PDC emulator? AD does multi-master replication, so you should be able to query the attribute from any DC. – Ansgar Wiechers Jul 03 '17 at 08:14
  • As I understood it, each DC maintains its own bad password count and sends the info to the PDC operations master. The PDC operations master will maintain a total count and lock an account if bad passwords are registered on multiple DCs. So if I just query the domain, even with subtree as my initial scope, I'm pretty sure that I won't get the exact value. I would like to get your opinions on this as well. Please share your opinions :) @AnsgarWiechers – Ender Jul 03 '17 at 08:18
  • You said you want to query the `maxPwdAge` attribute. That has nothing to do with bad password count. – Ansgar Wiechers Jul 03 '17 at 08:29
  • If you have solved the question yourself, better add an answer of your own, otherwise the question looks like it's not answered. This is bad for the site. – Vesper Jul 03 '17 at 09:20
  • @Vesper thanks for reminding me, I added it. I will verify asap – Ender Jul 03 '17 at 10:45

2 Answers

Each Domain Controller keeps the server with the PDC Emulator FSMO role updated with its count (so that the account can be locked out if the maximum number is exceeded), but the total is not easily tracked, so we have to query each domain controller separately for that number.

# Import active directory modules
import-module activedirectory;

# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";

# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;

# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;

    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;

        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }

    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }

    write-host $outline;
}
jwilleke

  • Thanks for answering. But as I know it, each DC maintains its own bad password count and sends the info to the PDC operations master. According to your code, it will find all badpwdcount values in all DCs plus the PDC (the PDC is also a DC), which means the total result will be duplicated, because it's already centralized in the PDC after each bad password is entered. It would be better if it just looked for a value in each DC except the PDC and then summarized them. – Ender Jul 04 '17 at 05:44
  • You are right: **"While each Domain Controller keeps the server with PDC Emulator FSMO role updated with its count (so that the account can be locked out if the maximum number is exceeded)"** – Ender Jul 04 '17 at 05:52
# PdcRoleOwner is a property of the Domain object ($D), not of the [ADSI] entry; rebind the search root to the PDC emulator
$ADSearch.SearchRoot = [ADSI]"LDAP://$($D.PdcRoleOwner.Name)"
Ender
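Putting the two answers together, here is an added example (not code from the question or from either answer) that binds a DirectorySearcher to a named DC, reads badPwdCount from the PDC emulator, and then repeats the read on every DC so you can see which one actually recorded the failed logons. It assumes a domain-joined host with read access to user attributes; 'jdoe' is a placeholder account name.

```powershell
function Get-BadPwdCount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Server,     # DNS name of the DC to read from
        [Parameter(Mandatory)][string]$DomainDn    # e.g. DC=example,DC=com
    )
    # Escape the RFC 4515 filter metacharacters so a crafted name cannot widen the search.
    $escaped = $SamAccountName.Replace('\','\5c').Replace('*','\2a').Replace('(','\28').Replace(')','\29')

    # Naming the server in the ADsPath forces this DC to answer instead of letting the DC locator pick one.
    $root = [ADSI]"LDAP://$Server/$DomainDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
    $null = $searcher.PropertiesToLoad.AddRange([string[]]('badPwdCount','badPasswordTime','lockoutTime'))

    $r = $searcher.FindOne()
    if (-not $r) { return $null }
    # Result property names are lower-cased; an attribute that was never set comes back as an empty collection.
    $val = { param($n) $c = $r.Properties[$n]; if ($c.Count) { $c[0] } else { 0 } }
    $badTime = [int64](& $val 'badpasswordtime')   # FILETIME (100-ns ticks since 1601); 0 means never
    [pscustomobject]@{
        Server          = $Server
        BadPwdCount     = [int](& $val 'badpwdcount')
        BadPasswordTime = if ($badTime) { [datetime]::FromFileTimeUtc($badTime) } else { $null }
        LockedOut       = ([int64](& $val 'lockouttime')) -gt 0
    }
}

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$domainDn = $domain.GetDirectoryEntry().distinguishedName.Value
$pdc      = $domain.PdcRoleOwner.Name

# The PDC emulator's value is the one that matters for lockout: other DCs forward bad-password attempts to it.
Get-BadPwdCount -SamAccountName 'jdoe' -Server $pdc -DomainDn $domainDn

# Per-DC view: badPwdCount is not replicated, so each DC only shows what it saw itself. A non-PDC DC with a
# non-zero count is where the failed logons arrived and whose security log you should check first.
$domain.DomainControllers | ForEach-Object {
    Get-BadPwdCount -SamAccountName 'jdoe' -Server $_.Name -DomainDn $domainDn
} | Format-Table Server, BadPwdCount, BadPasswordTime, LockedOut
```

Summing the per-DC rows would double count, because the PDC's figure already includes the attempts forwarded from the other DCs; read the PDC row for the total and the other rows for where the attempts came in.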