One-Liner: Get a List of AD Users Password Expiry Dates

All good things come to an end.

Rivers run their course, curtains fall and… passwords expire. We have epilogues, codas and an Active Directory constructed attribute named msDS-UserPasswordExpiryTimeComputed.

How can we use that attribute to get a list of enabled Active Directory accounts and their password expiry times?

 

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |

Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


Here’s some sample output:


The end.
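An added example, not the post's own code: it wraps the one-liner in a function that maps the attribute's 0 and Int64.MaxValue sentinel values to a status instead of a 1601 date, and takes a -WithinDays cutoff for the "expiring in the next N days" report several commenters ask about. The function name and parameters are my own choices; it assumes the ActiveDirectory module is loaded and the caller has rights to read the constructed attribute.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory module
# is loaded and the caller can read msDS-UserPasswordExpiryTimeComputed.
function Get-PasswordExpiryReport {
    [CmdletBinding()]
    param(
        [int]$WithinDays,      # only accounts expiring within N days (expired ones included)
        [string]$SearchBase,   # optional OU distinguished name to scope the report
        [string]$Server        # optional domain or DC name, as one commenter suggested
    )
    $adParams = @{
        Filter     = 'Enabled -eq $True -and PasswordNeverExpires -eq $False'
        Properties = 'DisplayName', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $adParams['SearchBase'] = $SearchBase }
    if ($Server)     { $adParams['Server']     = $Server }
    $now = Get-Date
    foreach ($user in Get-ADUser @adParams) {
        $raw = [long]$user.'msDS-UserPasswordExpiryTimeComputed'   # $null becomes 0
        if ($raw -eq 0) {
            # pwdLastSet is 0 ("user must change password at next logon") or the attribute
            # could not be read. FromFileTime(0) is 1/1/1601 UTC, shown as 1600 in time
            # zones behind UTC, which is the odd date several commenters saw.
            $expiry = $null; $status = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [long]::MaxValue) {
            # Int64.MaxValue means no expiry applies; FromFileTime would throw on it.
            $expiry = $null; $status = 'NoExpiry'
        } else {
            # The constructed attribute already reflects fine-grained password policies,
            # which PasswordLastSet + the default domain MaxPasswordAge does not.
            $expiry = [datetime]::FromFileTime($raw)
            $status = if ($expiry -lt $now) { 'Expired' } else { 'Valid' }
        }
        $daysLeft = if ($expiry) { [int][math]::Floor(($expiry - $now).TotalDays) } else { $null }
        if ($PSBoundParameters.ContainsKey('WithinDays')) {
            if (-not $expiry -or $daysLeft -gt $WithinDays) { continue }
        }
        [pscustomobject]@{
            SamAccountName  = $user.SamAccountName
            DisplayName     = $user.DisplayName
            PasswordLastSet = $user.PasswordLastSet
            ExpiryDate      = $expiry
            DaysLeft        = $daysLeft
            Status          = $status
        }
    }
}

# Accounts whose password expires in the next 7 days, the question asked repeatedly below.
Get-PasswordExpiryReport -WithinDays 7 | Sort-Object ExpiryDate | Format-Table -AutoSize
```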

Comments

  • Anonymous
    January 01, 2003
    Thanks for creating the PowerShell script. But I tried this Lepide User Password Expiration Reminder Tool (http://www.lepide.com/user-password-expiration-reminder/ ) that provides a way of making the account adhere without causing the account to expire immediately, automates password management without help desk calls, and gets the complete status reports in HTML, PDF and CSV file formats on users whose Active Directory password is soon to expire.
  • Anonymous
    January 01, 2003
    Nice one... Thanks for sharing... IMHO this should be a default in the UI.
  • Anonymous
    January 01, 2003
    Add "-Server YOURDOMAINNAME" as an additional parameter of the Get-ADUser cmdlet.

    The end?
  • Anonymous
    February 28, 2014
    Thanks
  • Anonymous
    November 13, 2014
    This returns a date/time with a year of 1600. Why not just detect the max password age and add it to PasswordLastSet? Like so:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", `
    @{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}
  • Anonymous
    November 18, 2014
    Tony, your syntax doesn't work. Should be:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

    After running that, the ones that showed a year of 1600 will now just not show any date. I think what you're picking up there are shared mailboxes and/or replicated contacts.
  • Anonymous
    January 06, 2015
    But how can I use this in Magento?
  • Anonymous
    January 08, 2015
    Thanks,
  • Anonymous
    January 08, 2015
    Bryan, with your alterations, the script works great! How might I be able to alter the script to only display accounts whose passwords will expire within 7 days?
  • Anonymous
    January 29, 2015
    Here's a script for only selecting accounts that will expire in 7 days (should be a quick edit to get within 7 days instead):

    #get max password age policy
    $maxPwdAge=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    #expiring in 7 days
    $7days=(get-date).AddDays(7-$maxPwdAge).ToShortDateString()

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties * | where {($_.PasswordLastSet).ToShortDateString() -eq $7days} | select *
  • Anonymous
    February 24, 2015
    Users with an expiry date set to 1600 are those that are disabled.
  • Anonymous
    February 27, 2015
    You could also make it the way I've done. I added it to my PowerShell profile, using function get-passexpiry ($user). This way you only need to ask it for one particular user's password expiry information. A la:
    #---------
    function get-passexpiry ($user)
    {
        <#
        .SYNOPSIS
        Use to get information about a target user.
        .DESCRIPTION
        Lists the user's user ID to check you have the right user. Also lists whether the password is expired right now (Boolean value), when the password was last set, and if the password is set to never expire (Boolean value). Password expiry date is not a retrievable value from Active Directory. Requires the NAME of the user, in speech marks.
        .EXAMPLE
        get-passexpiry "ann onymous"
        #>
        write-host "Connecting to Active Directory."
        $maxPasswordAge = (get-addefaultdomainpasswordpolicy).MaxPasswordAge.Days
        try
        {
            # the AD filter parser expands $user even inside the single-quoted filter
            $usercheck = get-aduser -filter 'name -eq $user'
            if ($usercheck -eq $null)
            {
                write-warning -message "Specified user does not exist."
            }
            else
            {
                get-aduser -filter 'name -eq $user' -properties Passwordexpired,passwordlastset,passwordneverexpires |
                    select samaccountname,Passwordexpired,passwordlastset,passwordneverexpires,@{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} |
                    format-list
            }
        }
        catch
        {
            # an empty $user makes the filter parser report that the variable is not defined
            $errormessage = $_.exception.message
            if ($errormessage -like '*is not defined*') {write-warning "D'oh. You forgot to specify a user."}
        }
    }
    #---------

    This function shows you a true/false reading of whether their password has expired, and whether their password is set to never expire. It also shows the date/time they last changed their password, and confirms the UPN of the user, to make sure you're looking at the right user (in the case of similar names). It also warns if you've left the name field blank, or if that particular name doesn't exist in the system. Thanks to you guys for showing me how to find the password expiry date! A very useful addition to my script.
  • Anonymous
    March 02, 2015
    Karnga bada
  • Anonymous
    March 05, 2015
    Great script, added the searchbase filters and exported to HTML for OU specific reports
  • Anonymous
    March 06, 2015
    I want to run the PasswordExpiryTimeComputed on a particular domain.
  • Anonymous
    March 31, 2015
    I want to run the PasswordExpiryTimeComputed on a particular domain. Could anyone help with a full script?
  • Anonymous
    April 21, 2015
    @Bgone That's a matter of context. You need to run the script on the domain you want the information from.
  • Anonymous
    April 23, 2015
    try this tool,
    http://www.adsysnet.com/downloads/ASNADInactiveAccountTracker.msi
  • Anonymous
    April 24, 2015
    This is great, thanks!!!
  • Anonymous
    April 30, 2015
    And where do I use this script? In the AD module for Windows PowerShell? Sorry, not knowledgeable.
  • Anonymous
    May 12, 2015
    I've written an article on this that does not require use of PowerShell. Take a look at:
    http://www.dolejarz.com/how-to-find-password-age-in-active-directory/
  • Anonymous
    June 03, 2015
    The users with a password expiration date like "1/1/1601 1:00:00 AM" are the users that never set their passwords. You can check this from the attribute "pwdLastSet"; you will also find that the "user must change password at next logon" checkbox is checked.
  • Anonymous
    July 02, 2015
    -Bryan
    Could you please advise what n= and e= in your script represent and explain what they are, e.g. variables?
    I tried figuring it out and looking it up but I'm having no luck.
  • Anonymous
    July 16, 2015
    The comment has been removed
  • Anonymous
    July 30, 2015
    Could someone help me with the following. I need a PowerShell script that sets "Password must change at next logon" if the password expires in 1 day. Thanks in advance!
  • Anonymous
    September 09, 2015
    Great work, where did you find "msDS-UserPasswordExpiryTimeComputed"?
  • Anonymous
    September 18, 2015
    @Mark - it's a constructed attribute:

    Get-ADObject -SearchBase "CN=Schema,CN=Configuration,dc=fabrikam,dc=COM" -ldapfilter '(systemFlags:1.2.840.113556.1.4.803:=4)' -Properties systemFlags
  • Anonymous
    October 19, 2015
    Great post Ian!

    Came across this as I was looking for a more verbose way to alert the users with expiring passwords (the Win7+ popup on the taskbar can easily be overlooked).
    I prefer your "msDS-UserPasswordExpiryTimeComputed" over the other scripted suggestions in here. Why? It's the only way to tell the real expiry time when you have Fine Grained password policies in place.
    Thanks for sharing!
  • Anonymous
    October 27, 2015
    Mohammd asif nagori
  • Anonymous
    October 28, 2015
    Hi, I was wondering if anyone knew a command I could use to look for accounts with passwords 91 days old and disable them.
    thank you very much :)
  • Anonymous
    November 04, 2015
    Nominating this for 'Longest 'One-Liner' Award'.
    Very nice. Thank you!
  • Anonymous
    December 20, 2015
    Can someone please supply the script to find and delete all users whose account has been expired for 30 days. Thanks
  • Anonymous
    December 31, 2015
    In AD you have "Saved queries"; here you can make a query for 90 days not signed in, and from this list you can select "disable".
  • Anonymous
    February 18, 2016
    You can also use it to send notifications to users before their passwords expire via email/SMS, which is super useful as users are aware that they need to change their password: http://www.adaxes.com/active-directory_scheduled-tasks.htm#password_expiration
  • Anonymous
    June 07, 2016
    Thank you Ian.
  • Anonymous
    August 07, 2016
    Perfect blog - short, sharp and humorous - well done.
  • Anonymous
    August 23, 2016
    One of the BEST one-liners I have ever stumbled upon. Excellent work and thank you!!!
  • Anonymous
    September 08, 2016
    Thanks! It worked great.
  • Anonymous
    September 24, 2016
    If you need this info for only one user, isn't it easier with net user?
  • Anonymous
    November 10, 2016
    So what if you only wanted people whose account is going to expire in X days?
  • Anonymous
    November 23, 2016
    On my Windows Server 2012 it doesn't work. For most users it shows 1/1/1601 (there's only one user whose real expiration date is displayed, don't know why that is).
  • Anonymous
    November 23, 2016
    Sorry, I got a little bit ahead of myself. It does work after running PowerShell with admin rights :) Not a bad script. Thank you.
  • Anonymous
    April 19, 2017
    Does the result of the script you wrote match the result of this command: "net user account | findstr expire"?
  • Anonymous
    June 02, 2017
    Thanks Ian! Your one-liner was useful for me today :-)
  • Anonymous
    September 08, 2017
    The comment has been removed
  • Anonymous
    November 26, 2017
    how can a password I have been using become out of date?
  • Anonymous
    November 28, 2017
    Awesome.. It works
  • Anonymous
    July 10, 2018
    I am trying to run something similar against an AD group. This is the script I am using. The users are displayed but not the ExpiryDate. Any help would be greatly appreciated.

    $group1 = Get-ADGroupMember "Service_Accounts_180_day"
    foreach ($user in $group1) {
        # the AD filter cannot dereference $user.name, so expand it into the filter string
        Get-ADUser -Filter "Name -eq '$($user.Name)'" -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed |
            Select Name,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}
    }