Musings on the splendour of PowerShell One-Liner: Get a List of AD Users Password Expiry Dates - PoSh Chap - Site Home - TechNet Blogs

PoSh Chap

Musings on the splendour of PowerShell

One-Liner: Get a List of AD Users Password Expiry Dates


All good things come to an end.

Rivers run their course, curtains fall and… passwords expire. We have epilogues, codas and an Active Directory attribute named msDS-UserPasswordExpiryTimeComputed.

How can we use that attribute to get a list of enabled Active Directory accounts and their password expiry times?


Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}




Here's some sample output (the original post shows it as an image):


The end.

  • Thanks

  • Nice one... Thanks for sharing... IMHO this should be a default in the UI.

  • This returns a date/time with a year of 1600. Why not just detect the max password age and add it to PasswordLastSet? Like so:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", `

  • Tony your syntax doesn't work. Should be:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, PasswordLastSet |
    Select-Object -Property "Displayname", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

    After running that, the ones that showed a year of 1600 will now just not show any date. I think what you're picking up there are shared mailboxes and/or replicated contacts.

  • But how can I use this in Magento?

  • Thanks,

  • Bryan, with your alterations, the script works great! How might I be able to alter the script to only display accounts whose passwords will expire within 7 days?

  • Here's a script for only selecting accounts that will expire in 7 days (should be a quick edit to get within 7 days instead):

    #get max password age policy
    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    #expiring in 7 days: a password last set ($maxPasswordAge - 7) days ago expires exactly 7 days from today
    $7days = (Get-Date).AddDays(7 - $maxPasswordAge).ToShortDateString()
    # (the two assignments above were missing from the posted script and are reconstructed from its comments)

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties * | where {($_.PasswordLastSet).ToShortDateString() -eq $7days} | select *
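As an added example (not from the original post or any of its comments), here is a fuller version that serves both the one-liner in the post and the "expiring within 7 days" request in this thread. It reads msDS-UserPasswordExpiryTimeComputed (so fine-grained password policies are honoured, which adding the default domain MaxPasswordAge to PasswordLastSet does not do) and handles the attribute's two sentinel values before calling [datetime]::FromFileTime: 0, which FromFileTime renders as 1601-01-01 UTC and which shows as 1600-12-31 in western time zones, is returned when pwdLastSet is 0 (the user must change their password at next logon; the filter already excludes disabled accounts), and 0x7FFFFFFFFFFFFFFF means the password never expires and makes FromFileTime throw. The live query assumes RSAT on a domain-joined machine and an optional, placeholder -Server value; the conversion and filtering logic runs offline on constructed sample data.

```powershell
# Added example: not the original post's code. Assumes the ActiveDirectory module (RSAT)
# for the live query; the conversion/filter logic runs offline on constructed sample data.

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute holding a 64-bit FILETIME.
# Two sentinel values must be handled before calling [datetime]::FromFileTime:
#   0                  -> pwdLastSet is 0 (must change at next logon); FromFileTime(0) is
#                         1601-01-01 UTC, shown as 1600-12-31 in western time zones
#   0x7FFFFFFFFFFFFFFF -> password never expires (flag set, or no maximum age applies);
#                         FromFileTime throws on this value
function ConvertFrom-PasswordExpiryTime {
    param([AllowNull()][object]$FileTime)

    if ($null -eq $FileTime) { return 'Unknown' }   # attribute not returned for this object
    $ft = [int64]$FileTime
    if ($ft -eq 0)                 { return 'MustChangeAtNextLogon' }
    if ($ft -eq [int64]::MaxValue) { return 'NeverExpires' }
    return [datetime]::FromFileTime($ft)
}

# Shape one user into a report row. $User needs SamAccountName, DisplayName and the
# msDS-UserPasswordExpiryTimeComputed property; hashtables work for offline testing.
function Get-PasswordExpiryRow {
    param([Parameter(Mandatory)]$User)

    $expiry   = ConvertFrom-PasswordExpiryTime $User.'msDS-UserPasswordExpiryTimeComputed'
    $daysLeft = $null
    if ($expiry -is [datetime]) {
        $daysLeft = [math]::Floor(($expiry - (Get-Date)).TotalDays)   # negative = already expired
    }
    [pscustomobject]@{
        SamAccountName = $User.SamAccountName
        DisplayName    = $User.DisplayName
        ExpiryDate     = $expiry
        DaysLeft       = $daysLeft
    }
}

# Keep rows whose password expires within $Days (already-expired passwords included).
# Rows with no real expiry date (never expires / must change at next logon) are dropped.
function Select-ExpiringWithin {
    param(
        [Parameter(Mandatory)][int]$Days,
        [Parameter(Mandatory, ValueFromPipeline)]$Row
    )
    process { if ($null -ne $Row.DaysLeft -and $Row.DaysLeft -le $Days) { $Row } }
}

# Live query (assumption: RSAT ActiveDirectory module, domain-joined host).
# -Server is optional; e.g. 'child.corp.example' is a placeholder, not a real domain.
function Get-ExpiringPasswordReport {
    param([int]$WithinDays = 7, [string]$Server)

    $params = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'DisplayName', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($Server) { $params.Server = $Server }
    Get-ADUser @params |
        ForEach-Object { Get-PasswordExpiryRow $_ } |
        Select-ExpiringWithin -Days $WithinDays |
        Sort-Object DaysLeft
}

# Offline demonstration on constructed data (FILETIME values built from today's date).
$now    = Get-Date
$sample = @(
    @{ SamAccountName = 'alice'; DisplayName = 'Alice Example'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(3).ToFileTime() }
    @{ SamAccountName = 'bob';   DisplayName = 'Bob Example';   'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(40).ToFileTime() }
    @{ SamAccountName = 'carol'; DisplayName = 'Carol Example'; 'msDS-UserPasswordExpiryTimeComputed' = 0 }
    @{ SamAccountName = 'svc';   DisplayName = 'Service Acct';  'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
)
$rows = $sample | ForEach-Object { Get-PasswordExpiryRow $_ }
$rows | Format-Table -AutoSize          # carol -> MustChangeAtNextLogon, svc -> NeverExpires
$rows | Select-ExpiringWithin -Days 7   # only alice

# Against a real domain: Get-ExpiringPasswordReport -WithinDays 7 -Server 'child.corp.example'
```

Run the bottom section as-is to see the sentinel handling; call Get-ExpiringPasswordReport only where RSAT and domain connectivity are available. Because the filter uses the attribute rather than the default domain policy, accounts under a fine-grained password policy get the right date instead of the domain-wide one.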

  • Users with an expiry date of 1600 are the disabled ones.

  • You could also do it the way I've done it. I added it to my PowerShell profile, as a function get-passexpiry ($user). This way you only need to ask it for one particular user's password expiry information, a la:

    function get-passexpiry ($user) {
        <#
        Use to get information about a target user.
        Lists the user's user ID to check you have the right user. Also lists whether the password is expired right now (Boolean value), when the password was last set, and if the password is set to never expire (Boolean value). Password expiry date is not a retrievable value from Active Directory. Requires the NAME of the user, in speech marks.
        get-passexpiry "ann onymous"
        #>
        try {
            write-host "Connecting to Active Directory."
            $maxPasswordAge = (get-addefaultdomainpasswordpolicy).MaxPasswordAge.Days
            $usercheck = get-aduser -filter 'name -eq $user'
            if ($usercheck -eq $null) {
                write-warning -message "Specified user does not exist."
            }
            get-aduser -filter 'name -eq $user' -properties Passwordexpired,passwordlastset,passwordneverexpires | select samaccountname,Passwordexpired,passwordlastset,passwordneverexpires,@{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} | format-list
        }
        catch {
            $errormessage = $_.exception.message
            if ($errormessage -like '*is not defined*') {write-warning "D'oh. You forgot to specify a user."}
        }
    }

    This function shows you a true/false reading of whether their password has expired, and whether their password is set to never expire. It also shows the date/time they last changed their password, and confirms the UPN of the user, to make sure you're looking at the right user (in the case of similar names). It also warns if you've left the name field blank, or if that particular name doesn't exist in the system. Thanks to you guys for showing me how to find the password expiry date! A very useful addition to my script.

  • Karnga bada

  • Great script, added the searchbase filters and exported to HTML for OU specific reports

  • I want to run the PasswordExpiryTimeComputed on a particular domain.

  • Add "-Server YOURDOMAINNAME" as an additional parameter of the Get-ADUser cmdlet.

    The end?

  • I want to run the PasswordExpiryTimeComputed on a particular domain. Could anyone help with the full script?
