Retrieve badpwdcount with LDAP on PDC

Question

I'm trying to get the values from "badpwdcount" attribute. Problem is in order to get accurate value I should query to PDC ( Primary Domain Controller ). At the moment, I'm using powershell to solve with LDAP search. The question : Is there any chance to get the value from PDC by using LDAP search?

For example:

$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$ADSearch = New-Object System.DirectoryServices.DirectorySearcher
$ADSearch.SearchRoot ="LDAP://$Domain

This will search for the current domain. What should I do to get values from PDC?

Answer 1

Each Domain Controller keeps the server with PDC Emulator FSMO role updated with its count (so that the account can be locked out if the maximum number is exceeded), the total is not easily tracked, so we have to query each domain controller separately for that number.

# Import active directory modules
import-module activedirectory;

# Get all domain controllers
$dcs = get-adcomputer -filter * -searchbase "ou=domain controllers,dc=kamal,dc=local";

# Get all users - change "-filter {enabled -eq $true}" to a username to get just one user
$users = get-aduser -filter {enabled -eq $true} | sort name;

# Loop through all users found
foreach ($user in $users) {
    $badpwdcount = 0;

    # Loop through each domain controller
    foreach ($dc in $dcs) {
        $newuser = get-aduser $user.samaccountname -server $dc.name -properties badpwdcount;

        # Increment bad password count
        $badpwdcount = $badpwdcount + $newuser.badpwdcount;
    }

    # Highlight account if bad password count is greater than 0
    if ($badpwdcount -gt 0) {
        $outline = "******* " + $user.name + " - Badpwdcount: " + $badpwdcount + " *******";
    }
    else {
        $outline = $user.name + " - Badpwdcount: " + $badpwdcount;
    }

    write-host $outline;
}

Answer 2

$Domain = $Domain.PdcRoleOwner