Get an AD Object without RSAT and fast

In this article we’ll look at the function I built to get an AD object without RSAT, and fast. I had been meaning for a while to write a new function, mainly because I wanted to pass multiple SamAccountNames without having to write a filter. Recently I had to go through a ton of users quickly, and that is when I thought I could finally write my custom function. It leverages System.DirectoryServices.DirectorySearcher, so it doesn’t even require RSAT.

There are plenty of guides out there on how to use DirectorySearcher; this article is meant to share the function I built around it.

The things I like the most about this:

  • It’s fast. The more objects you’re querying, the faster it’ll be compared to Get-ADObject/Get-ADUser/Get-ADGroup.
  • You can use it to query any kind of Object.
  • You can pass multiple SamAccountNames (Sam1, Sam2, SamN), SIDs or DistinguishedNames.
    • You can also choose to pass a partial parameter with a wildcard, for example: MyUserSam*
  • You can also choose to write a plain LDAP Query instead of the SAM/SID/DN.
  • Filter down for an account status with -AccountStatus. By default you’ll get both Enabled and Disabled.


Reset Password Expiration

Resetting the password expiration in Active Directory might come in handy when a user’s password has expired and they haven’t had the chance to change it yet (perhaps due to network restrictions).
The Help Desk team, rather than resetting the user’s password, can reset the password expiration time without compromising security by having to know a temporary password.
Obviously, putting off a password change is itself a security issue, so this should not be used just because you’re too bored to change your own account’s password. :)
Note that what you’re going to perform is not resetting the password expiration value; you’re resetting the last-password-set date.

There are three ways of doing this: via Active Directory Users and Computers, via ADSI Edit and via PowerShell.

Active Directory Users and Computers (ADSI Edit is very similar once you open the object’s properties)

  1. Open Active Directory Users and Computers
  2. Click on View and select Advanced Features
  3. Now open the object for which you want to reset the password expiration and go to the Attribute Editor tab.
  4. Click once on the Attribute column header; this will sort the attributes by name.
  5. Scroll down to pwdLastSet.
  6. Click Edit, delete the current entry, type 0 (zero) and click Ok.
  7. Click Ok to save the changes.
  8. Open the object again, repeat the steps above to reach the pwdLastSet attribute and, this time, assign -1, then click Ok and Ok again to save the changes. This resets the last-password-set date to “now”.

PowerShell

This one’s my favourite because it’s quick and easy. Run PowerShell from a machine where the Active Directory PowerShell module is installed (a domain controller will do). Make sure you have admin rights on the target user (or make sure you run PowerShell as an administrator).
Finally, run the following commands (they’re all commented to make it easier for you to understand the steps).
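As an added example (not the post’s own commands), here is the same two-step 0 / -1 reset wrapped in a function that uses the ActiveDirectory module, records the value before and after, and supports -WhatIf so the change can be dry-run first. The function name and the sample account name in the usage lines are assumptions.

```powershell
# Added example, not the post's own commands. Assumes the ActiveDirectory module
# (RSAT or a domain controller) and write rights on the target object.
function Reset-PasswordLastSet {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity   # SamAccountName, DN, SID or GUID accepted by Get-ADUser
    )

    $before = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordLastSet, PasswordExpired

    # pwdLastSet is a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means "never / must change".
    $oldStamp = if ($before.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($before.pwdLastSet) }
                else { 'never / must change at next logon' }
    Write-Verbose "Before: pwdLastSet=$($before.pwdLastSet) ($oldStamp), PasswordExpired=$($before.PasswordExpired)"

    if ($PSCmdlet.ShouldProcess($before.DistinguishedName, 'Reset pwdLastSet to now')) {
        # Step 1: 0 flags the password as "must change at next logon".
        Set-ADUser -Identity $before.DistinguishedName -Replace @{ pwdLastSet = 0 }
        # Step 2: -1 is only accepted while the value is 0; the DC then stamps the current time.
        Set-ADUser -Identity $before.DistinguishedName -Replace @{ pwdLastSet = -1 }
    }

    # Read the object back so the caller (and the ticket) gets the actual result, not an assumption.
    $after = Get-ADUser -Identity $before.DistinguishedName -Properties pwdLastSet, PasswordLastSet, PasswordExpired
    [PSCustomObject]@{
        SamAccountName     = $after.SamAccountName
        OldPasswordLastSet = $before.PasswordLastSet
        NewPasswordLastSet = $after.PasswordLastSet
        PasswordExpired    = $after.PasswordExpired
    }
}

# Usage (constructed sample account name): dry-run first, then apply with verbose logging.
# Reset-PasswordLastSet -Identity 'jdoe' -WhatIf
# Reset-PasswordLastSet -Identity 'jdoe' -Verbose
```

Between the two Set-ADUser calls the account is briefly in the “must change password at next logon” state, which is why the walkthrough above performs both writes back to back.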
