One-Liner: Get a List of AD Users Password Expiry Dates - PoSh Chap - TechNet Blogs

PoSh Chap

Musings on the splendour of PowerShell

One-Liner: Get a List of AD Users Password Expiry Dates


All good things come to an end.

Rivers run their course, curtains fall and… passwords expire. We have epilogues, codas and an Active Directory attribute named msDS-UserPasswordExpiryTimeComputed.

How can we use that attribute to get a list of enabled Active Directory accounts and their password expiry times?

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Here’s some sample output:

 

The end.
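An added example of my own, not part of the original post or of any comment below: it keeps the msDS-UserPasswordExpiryTimeComputed approach of the one-liner but skips the two sentinel values behind the year-1600 dates raised in the comments, adds a days-remaining column, and narrows the output to accounts expiring within a chosen window. The parameter names and the CSV path are assumptions; it assumes the ActiveDirectory module is loaded.

```powershell
# Added example, not from the original post. Builds on the one-liner above:
# lists enabled accounts whose password expires within $Days days, using the
# same msDS-UserPasswordExpiryTimeComputed attribute, and skips the two sentinel
# values that produce the odd dates discussed in the comments.
# Assumes the ActiveDirectory module is loaded and the caller can read the domain.
param(
    [int]$Days = 7,                            # look-ahead window (assumed parameter)
    [string]$OutFile = '.\PasswordExpiry.csv'  # report path (assumed parameter)
)

$now    = Get-Date
$cutoff = $now.AddDays($Days)

Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties DisplayName, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

        # 0 = no usable expiry (password never set / must change at next logon);
        # FromFileTime(0) is 1601-01-01 UTC, which prints as year 1600 in time
        # zones west of UTC. [Int64]::MaxValue is what the attribute returns when
        # the effective policy says "never expires", and FromFileTime rejects it.
        # Skip both rather than emit a bogus date.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { return }

        $expiry = [DateTime]::FromFileTime($raw)
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            DisplayName     = $_.DisplayName
            PasswordLastSet = $_.PasswordLastSet
            ExpiryDate      = $expiry
            # negative value = already expired
            DaysRemaining   = [int][math]::Floor(($expiry - $now).TotalDays)
        }
    } |
    Where-Object { $_.ExpiryDate -le $cutoff } |   # keeps already-expired accounts too
    Sort-Object ExpiryDate |
    Tee-Object -Variable expiring |
    Export-Csv -Path $OutFile -NoTypeInformation

$expiring | Format-Table -AutoSize
```

Accounts governed by a fine-grained password policy are handled correctly because the attribute is computed by the domain controller from the policy that actually applies, which the PasswordLastSet-plus-default-MaxPasswordAge approach in the comments is not.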

Comments
  • Thanks

  • Nice one... Thanks for sharing... IMHO this should be a default in the UI.

  • This returns a date/time with a year of 1600. Why not just detect the max password age and add it to PasswordLastSet? Like so:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", `
    @{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

  • Tony, your syntax doesn't work. Should be:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

    After running that, the ones that showed a year of 1600 will now just not show any date. I think what you're picking up there are shared mailboxes and/or replicated contacts.

  • Thanks for creating the PowerShell script, but I tried this Lepide User Password Expiration Reminder Tool ( http://www.lepide.com/user-password-expiration-reminder/ ) that provides a way of making the account adhere without causing the account to expire immediately, automates password management without help desk calls, and gets complete status reports in HTML, PDF and CSV file formats on users whose Active Directory password is soon to expire.

  • But how can I use this in Magento?

  • Thanks,

  • Bryan, with your alterations, the script works great! How might I be able to alter the script to only display accounts whose passwords will expire within 7 days?

  • Here's a script for only selecting accounts that will expire in 7 days (should be a quick edit to get within 7 days instead):

    #get max password age policy
    $maxPwdAge=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    #expiring in 7 days
    $7days=(get-date).AddDays(7-$maxPwdAge).ToShortDateString()

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties * | where {($_.PasswordLastSet).ToShortDateString() -eq $7days} | select *

  • Users with the expiry date set to 1600 are the disabled ones.

  • You could also do it the way I've done. I added it to my PowerShell profile, using function get-passexpiry ($user). This way you only need to ask it for one particular user's password expiry information, à la:
    #---------
    function get-passexpiry ($user)
    {
        <#
        .SYNOPSIS
        Use to get information about a target user.
        .DESCRIPTION
        Lists the users user ID to check you have the right user. Also lists whether the password is expired right now (Boolean value), when the password was last set, and if the password is set to never expire (Boolean Value). Password expiry date is not a retrievable value from Active Directory. Requires the NAME of the user, in speech marks.
        .EXAMPLE
        get-passexpiry "ann onymous"
        #>
        Write-Host "Connecting to Active Directory."
        $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
        try
        {
            # the AD module expands $user inside the single-quoted filter string
            $usercheck = Get-ADUser -Filter 'name -eq $user'
            if ($usercheck -eq $null)
            {
                Write-Warning -Message "Specified user does not exist."
            }
            else
            {
                Get-ADUser -Filter 'name -eq $user' -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires |
                    Select-Object SamAccountName, PasswordExpired, PasswordLastSet, PasswordNeverExpires, @{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} |
                    Format-List
            }
        }
        catch
        {
            # an empty $user makes the filter fail with "... is not defined"
            $errormessage = $_.Exception.Message
            if ($errormessage -like '*is not defined*') { Write-Warning "D'oh. You forgot to specify a user." }
        }
    }
    #---------

    This function shows you a true/false reading of whether their password has expired, and whether their password is set to never expire. It also shows the date/time they last changed their password, and confirms the UPN of the user, to make sure you're looking at the right user (in the case of similar names). It also warns if you've left the name field blank, or if that particular name doesn't exist in the system. Thanks to you guys for showing me how to find the password expiry date! A very useful addition to my script.
