Rule description
This rule displays Active directory user accounts whose password has already expired or soon to expire.
When to use this rule
Use this rule to get the list of users whose password has already expired or soon to expire. You can specify the number of days until the password is expired.
The default expiration date is 42 days; however, it can be set to any value from 0 to 999. A value of zero specifies that passwords do not expire. Although it may be tempting to set no expiration date, users should change passwords regularly to ensure the network's security. Where security is a concern, good values are 30, 60, or 90 days. Where security is less critical, good values are 120, 150, or 180 days. For more information, see Configuring Password Policies article.
Rule settings
Query Section
Setting name | Description |
---|---|
Limit scope to this domain or OU |
This setting defines the search query scope. To improve query performance, limit the scope to specific OU. Important: To test rule configuration, limit the rule scope to an OU that contains test accounts or objects.
|
Query criteria |
Query criteria are sent with the query and may improve query performance. Tip: For different samples on the criteria builder, see KB20180410-1.
|
Days until expiry |
Specify the number of days until the password is expired. Set to 0 to include users with less than 1 day remaining until expiry and users with expired passwords.
Note: If you want to exclude users who have less than a day before their password is expired, use this filter in Filter query results:
{$_.PasswordExpired -eq "true"}
|
Other Query Settings |
|
Properties to display |
To display additional properties for each object found by the query, add those properties to the list. |
System properties |
List of properties required for this rule to be executed correctly. |
Filter query results |
To hide unwanted data based on criteria, not supported by Active Directory query, set the filtering conditions here. Example: filter by the found object Distinguished Name. Tip: For optimal performance, use Query criteria above to filter objects whenever possible.
|
Sort by |
Sort result object list. |
Initialization script |
Usually, rules use query criteria to limit the query search scope. It improves the performance of the executed rule. Due to PowerShell limitations, it is not possible to use calculated expressions in query criteria. That is the point where the initialization script can help. You can initialize a global variable in this setting and then use it in query criteria. Important: To use a variable, declared in the initialization script, in the query scope, it must be global: $global:<variable name>.
Example: Update AD users, created in the last ten days.
{$global:DatePeriod = (Get-Date).AddDays(-10)}
|
Output Section
This section defines the output format of this rule.
To get more information about this section, please see the Output section article.
Enforce/Schedule section
This section defines the schedule for how often to run the rule.
To get more information about this section, please see the Enforce/Schedule section article.
Change History
Version | Notes |
---|---|
8.2.0 |
The rule is added to the product. |
Comments
0 comments
Please sign in to leave a comment.