Return
-
Title
PowerShell cmdlet "get-qaduser -PasswordNotChangedFor" does not return Users who have never changed their password -
Description
When running the PowerShell cmdlet Get-QADUser -PasswordNotChangedFor in an Active Roles PowerShell script, User accounts which are not required to change their password are not returned. -
Cause
This is expected functionality. -
Resolution
Retrieving User accounts that are not required to change the password can be done by querying the edsaPasswordNeverExpires Boolean attribute. If it is set to TRUE, then the account is not required to change its associated password.
If LDAPFilter is being used, it is not possible to use any attributes which start with edsa, as they are computed. Instead, search for the Microsoft binary value of (userAccountControl:1.2.840.113556.1.4.803:=65536) in order to return accounts which are not required to change their password.
-
Change Request
TF0455211