Merge pull request #84 from akunzai/pwd-last-set

Audit password expires accounts
akunzai · Mar 6, 2023 · d46e958 · d46e958
2 parents 0ea11e9 + 29277d1
commit d46e958
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 5 deletions.
diff --git a/README.md b/README.md
@@ -50,7 +50,7 @@ git pull
 Sample output
 
 ````markdown
-# Windows Secure Auditor: 1.0.1
+# Windows Secure Auditor: 1.1.0
 
 ## System Information
 
@@ -139,6 +139,7 @@ Poll Interval: 6 (64s)
 ## Password Expires
 
 - [ ] WDeployAdmin: password never expires
+- [ ] tom: last set at 2022-06-03T21:10:00+08:00 > 90 days
 
 ## Event Logs
 

diff --git a/README.zh-TW.md b/README.zh-TW.md
@@ -50,7 +50,7 @@ git pull
 範例輸出
 
 ````markdown
-# Windows Secure Auditor: 1.0.1
+# Windows Secure Auditor: 1.1.0
 
 ## 系統資訊
 
@@ -139,6 +139,7 @@ git pull
 ## 密碼逾期
 
 - [ ] WDeployAdmin: 密碼永不逾期
+- [ ] tom: 上次變更於 2022-06-03T21:10:00+08:00 > 90 天
 
 ## 事件記錄
 

diff --git a/SecureAuditor.psd1 b/SecureAuditor.psd1
@@ -6,7 +6,7 @@
     # RootModule = ''
 
     # Version number of this module.
-    ModuleVersion          = '1.0.1'
+    ModuleVersion          = '1.1.0'
 
     # Supported PSEditions
     # CompatiblePSEditions = @()

diff --git a/rules/LocalUser/PasswordExpires.psm1 b/rules/LocalUser/PasswordExpires.psm1
@@ -1,6 +1,8 @@
 $i18n = Data {
     # culture="en-US"
     ConvertFrom-StringData @'
+    Days = days
+    LastSetAt = last set at
     PasswordExpires = Password Expires
     PasswordNeverExpires = password never expires
 '@
@@ -17,16 +19,24 @@ function Test($config) {
         return
     }
     # https://learn.microsoft.com/powershell/module/microsoft.powershell.localaccounts/get-localuser
-    $users = Get-LocalUser | Where-Object { $_.Enabled -and $null -eq $_.PasswordExpires }
+    $users = Get-LocalUser | Where-Object { $_.Enabled }
     $exclude = $config.PasswordExpires.Exclude;
     if (-not [string]::IsNullOrWhiteSpace($exclude)) {
         $users = $users | Where-Object { $_.Name -notmatch $exclude }
     }
+    $maximumPasswordAge = [int]$config.PasswordPolicy.MaximumPasswordAge;
+    $now = Get-Date;
+    $users = $users | Where-Object { $null -eq $_.PasswordExpires -or ($now - $_.PasswordLastSet).TotalDays -gt $maximumPasswordAge }
     if ($users.Count -eq 0) {
         return;
     }
     Write-Output "`n## $($i18n.PasswordExpires)`n"
     foreach ($user in $users) {
-        Write-CheckList $false "$($user.Name): $($i18n.PasswordNeverExpires)"
+        if ($null -eq $user.PasswordExpires) {
+            Write-CheckList $false "$($user.Name): $($i18n.PasswordNeverExpires)"
+        }
+        else {
+            Write-CheckList $false ("$($user.Name): $($i18n.LastSetAt) {0:yyyy-MM-dd'T'HH:mm:ssK} > $($maximumPasswordAge) $($i18n.Days)" -f $user.PasswordLastSet)
+        }
     }
 }
diff --git a/rules/LocalUser/zh-TW/PasswordExpires.psd1 b/rules/LocalUser/zh-TW/PasswordExpires.psd1
@@ -1,5 +1,7 @@
 # culture="zh-TW"
 ConvertFrom-StringData -StringData @'
+Days = 天
+LastSetAt = 上次變更於
 PasswordExpires = 密碼逾期
 PasswordNeverExpires = 密碼永不逾期
 '@