PowerShell – Get AD Users Password Expiry Date

We can find and list the password expiry date of AD user accounts in Active Directory by using the computed schema attribute msDS-UserPasswordExpiryTimeComputed. In PowerShell, the Get-ADUser cmdlet returns a list of AD user properties. We can use a SQL-like filter or an LDAP filter with Get-ADUser to return only a particular set of users.


Get Password Expiry Date of all Enabled AD Users

The following PowerShell script finds all enabled Active Directory users whose PasswordNeverExpires flag is False and lists the samAccountName and password expiry date of each. The computed attribute msDS-UserPasswordExpiryTimeComputed is a timestamp attribute whose value is stored as an integer, so we use an expression to convert the timestamp into a normal date and time.

Import-Module ActiveDirectory
# Enabled users whose password can expire, with the expiry timestamp converted to a date
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName", @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

You can add any extra attribute that is supported in Active Directory to the property list. For example, to include the mail and pwdLastSet attributes in this script, add them as comma-separated values.

Import-Module ActiveDirectory
# Same report with the mail address and the date the password was last set
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName","mail",
    @{Name="Password Last Set"; Expression={[datetime]::FromFileTime($_."pwdLastSet")}},
    @{Name="Password Expiry Date";
      Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

Instead of the normal filter, you can also use an LDAP filter with the Get-ADUser cmdlet to filter Active Directory users.

Import-Module ActiveDirectory
# Each negated test is wrapped in its own parentheses, as LDAP filter syntax requires
Get-ADUser -LDAPFilter '(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))' `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName", @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

Here, the userAccountControl flag value 2 indicates a disabled account and the flag value 65536 indicates PasswordNeverExpires.


Get AD Users Password Expiration Report from Specific OU

We can set the target OU scope by using the SearchBase parameter of PowerShell's Get-ADUser cmdlet. The following command lists the password expiration report for all enabled AD users in the organizational unit 'TestOU'.

Import-Module ActiveDirectory
# Limit the search to one OU with -SearchBase
Get-ADUser -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" `
    -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName", @{Name="Password Expiry Date";
    Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Format-Table

Export AD Users Password Expiration Report to CSV with PowerShell

We can export PowerShell output to a CSV file using the Export-CSV cmdlet. The following PowerShell command exports selected properties and the password expiry date of all enabled Active Directory users to a CSV file.

Import-Module ActiveDirectory
# Write the report to a CSV file instead of the console
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName","mail",
    @{Name="Password Last Set"; Expression={[datetime]::FromFileTime($_."pwdLastSet")}},
    @{Name="Password Expiry Date";
      Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-CSV "C:\PasswordExpirationReport.csv" -NoTypeInformation -Encoding UTF8
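
The FromFileTime conversion in the scripts above assumes the attribute always holds a real date. As an added example (not part of the original article), the function below also handles the two sentinel values the attribute can carry, 0 when pwdLastSet is 0 and 0x7FFFFFFFFFFFFFFF when no expiry applies (for instance when the effective password policy sets no maximum age), and flags accounts that are expired or expire within a warning window; Convert-PwdExpiry, $warnDays and the sample records are names and data constructed for this illustration.

```powershell
# Added example. Convert-PwdExpiry, $sample and $warnDays are hypothetical names.
function Convert-PwdExpiry {
    param(
        [Parameter(Mandatory)] [long] $RawValue,   # msDS-UserPasswordExpiryTimeComputed
        [datetime] $Now = (Get-Date)
    )
    $result = [ordered]@{ Status = $null; ExpiryDate = $null; DaysLeft = $null }
    if ($RawValue -eq [long]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: no expiry applies; FromFileTime would throw on this value
        $result.Status = 'NeverExpires'
    }
    elseif ($RawValue -eq 0) {
        # pwdLastSet is 0: the user must change the password at next logon
        $result.Status = 'MustChangeAtNextLogon'
    }
    else {
        $result.ExpiryDate = [datetime]::FromFileTime($RawValue)
        $result.DaysLeft   = [math]::Floor(($result.ExpiryDate - $Now).TotalDays)
        $result.Status     = if ($result.ExpiryDate -le $Now) { 'Expired' } else { 'Active' }
    }
    [pscustomobject]$result
}

# Constructed sample records standing in for Get-ADUser output (no domain needed).
$now      = [datetime]'2024-06-01'
$warnDays = 14
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; 'msDS-UserPasswordExpiryTimeComputed' = ([datetime]'2024-06-10').ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';   'msDS-UserPasswordExpiryTimeComputed' = ([datetime]'2024-09-01').ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'carol'; 'msDS-UserPasswordExpiryTimeComputed' = ([datetime]'2024-05-20').ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'dave';  'msDS-UserPasswordExpiryTimeComputed' = 0 }
    [pscustomobject]@{ SamAccountName = 'svc01'; 'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
)

$report = foreach ($u in $sample) {
    $r = Convert-PwdExpiry -RawValue $u.'msDS-UserPasswordExpiryTimeComputed' -Now $now
    $r | Select-Object @{Name='SamAccountName'; Expression={ $u.SamAccountName }},
                       Status, ExpiryDate, DaysLeft
}

# Accounts needing attention: expired, forced change pending, or inside the warning window
$report |
    Where-Object { $_.Status -in 'Expired', 'MustChangeAtNextLogon' -or
                   ($_.Status -eq 'Active' -and $_.DaysLeft -le $warnDays) } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Against a live domain, feed the function the Get-ADUser results from the scripts above in place of $sample.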
