Determining which users have answered their security questions

When a user answer’s their Directory Password security questions using Directory Update, the questions and answers are stored in an attribute of the user’s Active Directory account. By default, we store the encrypted questions and hashed answers in the postalAddress attribute. If you were to use a utility such as ADSIEdit.MSC to view the contents of this attribute, it will contain unreadable characters.


However, the useful tip is this: If there is data in this attribute, then the user has probably answered their security questions. And you can use a simple PowerShell script to produce a report of who has (or has not) answered their security questions.

Let’s start with a basic script to tell you who has *not* answered their security questions. In order to run this script, you will need to have the Windows 2012 or later Active Directory administration tools installed on your server or workstation. So, if you do not have a folder called C:\temp, then create one.

Next, open up Notepad or Notepad++ and create a new file in the c:\temp folder called Get-DirPasswordUsers.ps1. This script will look at *all* users and create a CSV file of users whose postalAddress field is empty. And, here is the script:

import-module activedirectory
$users = Get-ADUser -filter {postaladdress -notlike "*"} -properties *
$users | select displayname,department,officephone,manager,mail | export-csv c:\temp\DirectoryPasswordNotRegistered.CSV -notypeinformation

This script will create a CSV file in the C:\temp folder of all users who have not answered their security questions. You will probably also get some junk since this query will include service and administrator accounts. And, of course, you might want to change the export file name on the last line.

Want to look at the opposite set of information? Who *has* answered their security questions? Simple, change the query parameter -notlike to just -like to see all users that do have have something in the postalAddress attribute. Like this:

{postaladdress -notlike "*"}