Finding Users That Have Not Answered Their Directory Password Security Questions

We are frequently asked whether there is a way to find users who have not yet chosen and answered their Directory Password security questions. This is fairly simple to do. We store the security questions and answers in the user's postalAddress attribute, an attribute that exists in the default Active Directory schema but that Microsoft does not populate. The questions are stored encrypted and the answers are stored only as hashes, so nothing usable is exposed to anyone who can read the attribute. Because no built-in Windows component writes to postalAddress, the attribute stays empty until the user enrols, which is what makes it a reliable indicator (provided no other process in your environment, such as an HR directory sync, writes to the same attribute).

There are several ways to list users who do or do not have data in this attribute. The Active Directory PowerShell cmdlets are the simplest, provided the ActiveDirectory module (part of the Remote Server Administration Tools) is installed on the server you run them from.

1. Ensure that you are logged on as a domain user that is a member of the local Administrators group
2. Open Windows PowerShell as an Administrator (Run as Administrator)
3. Load the Active Directory module and run Get-ADUser, requesting only the attributes you intend to display
       Import-Module ActiveDirectory
       Get-ADUser -Filter 'postalAddress -notlike "*"' -Properties DisplayName,Department,Mail |
           Format-Table DisplayName,Department,Mail

The Get-ADUser command lists every user whose postalAddress attribute is empty, that is, everyone who has not yet enrolled. Alternatively, replacing -notlike with -like lists all users who *have* answered their security questions. Note that both queries return disabled and service accounts as well; add Enabled -eq $true to the filter (for example 'Enabled -eq $true -and postalAddress -notlike "*"') if you only want accounts that can actually enrol.
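The script below is an added example for this article, not code from the original page or from the Directory Password product. It extends the one-liner above into a small enrollment report: it queries enrolled and not-yet-enrolled users separately with LDAP filters, excludes disabled accounts, checks that the two sets add up to the enabled user population, and exports the non-enrolled list to CSV. The OU in $SearchBase and the output folder in $OutDir are assumptions to adjust for your domain.

```powershell
# Added example (not part of the original article or the vendor's tooling).
# Reports Directory Password enrollment state for enabled user accounts, using the
# presence of the postalAddress attribute as the enrollment indicator.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read user objects.
Import-Module ActiveDirectory

$SearchBase = 'OU=Staff,DC=example,DC=com'   # assumption: scope the query to one OU
$OutDir     = 'C:\Reports'                   # assumption: folder for the CSV output

# Request only the attributes needed; -Properties * is slow on large directories.
$props = 'DisplayName','Department','Mail','postalAddress','LastLogonDate'

# LDAP filter pieces:
#   (!(postalAddress=*))  attribute absent  -> not enrolled
#   (postalAddress=*)     attribute present -> enrolled
#   userAccountControl bit 2 (ACCOUNTDISABLE) tested with the LDAP_MATCHING_RULE_BIT_AND
#   OID so that disabled accounts are left out of both sets.
$enabledOnly = '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'

$notEnrolled = @(Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter "(&(!(postalAddress=*))$enabledOnly)" -Properties $props)
$enrolled = @(Get-ADUser -SearchBase $SearchBase `
    -LDAPFilter "(&(postalAddress=*)$enabledOnly)" -Properties $props)

# Sanity check: enrolled + not enrolled must equal all enabled users in scope.
$allEnabled = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true')
if ($notEnrolled.Count + $enrolled.Count -ne $allEnabled.Count) {
    Write-Warning ("Counts do not add up ({0} + {1} != {2}); check the filters and scope." -f
        $notEnrolled.Count, $enrolled.Count, $allEnabled.Count)
}

# Caveat from the article: anything else that writes postalAddress (an HR sync, a legacy
# script) makes a user look enrolled. Flag values that are blank or multi-valued, which a
# Directory Password enrollment would not produce (assumption about the stored format).
$suspect = @($enrolled | Where-Object {
    $v = @($_.postalAddress)
    $v.Count -ne 1 -or [string]::IsNullOrWhiteSpace([string]$v[0])
})

"Enabled users: {0}  enrolled: {1}  not enrolled: {2}  suspect postalAddress values: {3}" -f `
    $allEnabled.Count, $enrolled.Count, $notEnrolled.Count, $suspect.Count

# Write the list of users who still need to enrol, sorted for follow-up by department.
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
$notEnrolled |
    Select-Object DisplayName,Department,Mail,LastLogonDate |
    Sort-Object Department,DisplayName |
    Export-Csv -Path (Join-Path $OutDir 'DirectoryPassword-NotEnrolled.csv') -NoTypeInformation
```

The LDAP filter form is used instead of the PowerShell -Filter syntax because the presence test and the disabled-account bit test are easier to express and combine there, and both are evaluated on the domain controller rather than client-side. Run it under an account that only needs read access to user objects; nothing in the script writes to Active Directory.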

Last Review: 14 April 2018