Friday, 13 March 2015

Powershell - Get AD Users Password Expiry Date

We can find and list the password expiry date of AD user accounts from Active Directory using the computed schema attribute msDS-UserPasswordExpiryTimeComputed. In PowerShell, we get a list of AD user properties with the Get-ADUser cmdlet. We can use a SQL-like filter or an LDAP filter with Get-ADUser to return only a particular set of users.

Summary:

Get Password Expiry Date of all Enabled AD Users

The following PowerShell script finds all enabled Active Directory users whose PasswordNeverExpires flag is False and lists the samAccountName attribute and the password expiry date. The computed attribute msDS-UserPasswordExpiryTimeComputed is a timestamp attribute stored as a 64-bit integer (a Windows FILETIME), so the script uses a calculated property to convert the value into a normal date and time.

# Enabled users whose password can expire; FromFileTime converts the FILETIME integer
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName", @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

You can add any extra attribute supported in Active Directory to the property list. If you want to include the attributes mail and pwdLastSet in this script, simply add them as comma-separated values.

# Same query with mail and pwdLastSet added; pwdLastSet is also a FILETIME integer
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName","mail",@{Name="Password Last Set";
    Expression={[datetime]::FromFileTime($_."pwdLastSet")}}, @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

Instead of the normal filter, you can also use an LDAP filter with the Get-ADUser cmdlet to filter Active Directory users.

# LDAP filter: not disabled (bit 2) and not "password never expires" (bit 65536)
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536))' `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName", @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

Here, the userAccountControl flag value 2 (ACCOUNTDISABLE) indicates a disabled account and the flag 65536 (DONT_EXPIRE_PASSWORD) indicates PasswordNeverExpires. The OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so each clause tests a single bit of userAccountControl rather than comparing the whole value.

Get AD Users Password Expiration Report from Specific OU

We can set the target OU scope with the SearchBase parameter of the Get-ADUser cmdlet. The following command selects and lists the password expiration report for all enabled AD users in the Organizational Unit 'TestOU'.

# Restrict the query to one OU (and its sub-OUs) with -SearchBase
Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" `
    -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName", @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

Export AD Users Password Expiration Report to CSV with Powershell

We can export PowerShell output to a CSV file with the Export-CSV cmdlet. The following command exports the selected properties and the password expiry date of all enabled Active Directory users to a CSV file.

# Same report, written to CSV instead of the console
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName","mail",@{Name="Password Last Set";
    Expression={[datetime]::FromFileTime($_."pwdLastSet")}}, @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-CSV "C:\PasswordExpirationReport.csv" -NoTypeInformation -Encoding UTF8
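As an added example (not code from the original post), the script below folds the post's filter, OU scoping and CSV export into one function and handles the sentinel values that produce the 01/01/1601 date asked about in the comments. The function names ConvertFrom-ADFileTime and Get-PasswordExpiryReport, the 14-day warning window and the Status labels are my own assumptions.

```powershell
# Added example, not from the original post. A pwdLastSet of 0 means the password
# was never set (or must change at next logon); a value of 0 or [long]::MaxValue in
# msDS-UserPasswordExpiryTimeComputed means no expiry could be computed. Both would
# otherwise show as 01/01/1601 (0) or make FromFileTime throw (MaxValue).
Import-Module ActiveDirectory

function ConvertFrom-ADFileTime {
    param($FileTime)
    # Treat the AD sentinel values as "not set" instead of converting them
    if ($null -eq $FileTime -or $FileTime -eq 0 -or $FileTime -eq [long]::MaxValue) {
        return $null
    }
    return [datetime]::FromFileTime([long]$FileTime)
}

function Get-PasswordExpiryReport {
    param(
        [string]$SearchBase,          # e.g. "OU=TestOU,DC=TestDomain,DC=Local"; empty = whole domain
        [int]$WarnWithinDays = 14     # assumption: flag passwords expiring within two weeks
    )
    $query = @{
        Filter     = 'Enabled -eq $True -and PasswordNeverExpires -eq $False'
        Properties = 'SamAccountName', 'mail', 'pwdLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $expiry   = ConvertFrom-ADFileTime $_.'msDS-UserPasswordExpiryTimeComputed'
        $daysLeft = if ($expiry) { [int][math]::Ceiling(($expiry - (Get-Date)).TotalDays) } else { $null }
        if (-not $expiry)                      { $status = 'NoExpiryComputed' }
        elseif ($daysLeft -le 0)               { $status = 'Expired' }
        elseif ($daysLeft -le $WarnWithinDays) { $status = 'ExpiringSoon' }
        else                                   { $status = 'OK' }
        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Mail               = $_.mail
            PasswordLastSet    = ConvertFrom-ADFileTime $_.pwdLastSet
            PasswordExpiryDate = $expiry
            DaysUntilExpiry    = $daysLeft
            Status             = $status
        }
    }
}

# Show only the accounts that need attention, then export the full report as in the post
Get-PasswordExpiryReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize
Get-PasswordExpiryReport | Export-Csv -Path 'C:\PasswordExpirationReport.csv' -NoTypeInformation -Encoding UTF8
```

Accounts reported as NoExpiryComputed are the ones the post's plain FromFileTime call would have shown with the 1601 date; check them against the applied password policy rather than treating them as expired.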

CSV Output of AD Users Password Expiration Date Report:


5 comments:

  1. Hi!
    Thanks for your scripts!!!
    I'm running WS2012 R2 and I'm trying one of your scripts, but it returns Password Last Set and Password Expiry Date = 01/01/1601 1:00:00 for all users.
    Is this a clock problem or what?

    Thanks

    Replies
    1. Hi Jordi, the date value '01/01/1601' is the minimum date value; it means the Password Last Set value is 'Never' or 'Not Set' and it is equal to an empty datetime.

    2. What does the empty datetime actually mean? That the password has expired?

    3. No joeshuer, an empty datetime means either the user never set his/her password or no password expiration policy is applied. You can also check out this post: https://community.spiceworks.com/topic/415014-blank-password-expiration-date

  2. Hi Jordi,

    You have to run the PowerShell window as an administrator.

    Thanks

    Alex