One-Liner: Get a List of AD Users Password Expiry Dates


All good things come to an end.

Rivers run their course, curtains fall and… passwords expire. We have epilogues, codas and an Active Directory constructed attribute named msDS-UserPasswordExpiryTimeComputed.

How can we use that attribute to get a list of enabled Active Directory accounts and their password expiry times?


Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |

Select-Object -Property "DisplayName", @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


Here’s some sample output:


The end.

Comments (35)

  1. Anonymous says:

    Thanks for creating the PowerShell script, but I tried this Lepide User Password Expiration Reminder Tool (
    http://www.lepide.com/user-password-expiration-reminder/ ) that provides a way of making the account adhere without causing the account to expire immediately, automates password management
    without help desk calls, and gives complete status reports in HTML, PDF and CSV file formats on users whose Active Directory password is soon to expire.

  2. Anonymous says:

    Nice one…Thanks for Sharing…IMHO This should be a default in the UI

  3. Anonymous says:

    Add "-Server YOURDOMAINNAME" as an additional parameter of the Get-ADUser cmdlet.

    The end?

  4. Great stuff says:

    Thanks

  5. Tony G says:

    This returns a date/time with a year of 1600. Why not just detect the max password age and add it to PasswordLastSet? Like so:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", `
    @{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

  6. Bryan says:

    Tony your syntax doesn’t work. Should be:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

    After running that, the ones that showed a year of 1600 will now just not show any date. I think what you’re picking up there are shared mailboxes and/or replicated contacts.

  7. mike says:

    But how can I use this in Magento?

  8. Martin says:

    Thanks,

  9. Dan says:

    Bryan, with your alterations, the script works great! How might I be able to alter the script to only display accounts whose passwords will expire within 7 days?

  10. Jessica says:

    Here’s a script for only selecting accounts that will expire in 7 days (should be a quick edit to get within 7 days instead):

    #get max password age policy
    $maxPwdAge=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    #expiring in 7 days
    $7days=(get-date).AddDays(7-$maxPwdAge).ToShortDateString()

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties * | where {($_.PasswordLastSet).ToShortDateString() -eq $7days} | select *
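An added example, not from Ian's post or any of the commenters, that answers the "within 7 days" question with the post's own msDS-UserPasswordExpiryTimeComputed attribute instead of a domain-wide MaxPasswordAge, so fine-grained password policies are honoured. It also labels the rows that otherwise show up as a 1600/1601 date (the attribute is 0 when the password was never set or must change at next logon, and [long]::MaxValue when the effective policy never expires it, a value [datetime]::FromFileTime cannot convert). The function name, parameters and 7-day default are assumptions.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module.
function Get-ExpiringPasswordReport {
    param(
        [int]$DaysAhead = 7,   # assumed default: the 7-day window asked about above
        [string]$Server        # optional domain or DC, as comment 3 suggests
    )

    $params = @{
        Filter     = 'Enabled -eq "True" -and PasswordNeverExpires -eq "False"'
        Properties = 'DisplayName', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($Server) { $params['Server'] = $Server }

    $now   = Get-Date
    $limit = $now.AddDays($DaysAhead)

    Get-ADUser @params | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

        # 0 / missing: pwdLastSet is 0 (never set or "must change at next logon");
        # [long]::MaxValue: the effective policy has no maximum age.
        # Converting either with FromFileTime gives a 1601 date or an exception.
        $state = if ($null -eq $raw -or $raw -eq 0)   { 'MustChangeAtLogon' }
                 elseif ($raw -eq [long]::MaxValue)   { 'NeverExpires' }
                 else                                 { 'Expires' }

        $expiry = if ($state -eq 'Expires') { [datetime]::FromFileTime($raw) } else { $null }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            DisplayName     = $_.DisplayName
            PasswordLastSet = $_.PasswordLastSet
            ExpiryDate      = $expiry
            DaysLeft        = if ($expiry) { [math]::Floor(($expiry - $now).TotalDays) } else { $null }
            State           = $state
        }
    } | Where-Object {
        # keep the sentinel rows (they would have been the 1601 dates) and
        # any real expiry that falls inside the window
        $_.State -ne 'Expires' -or ($_.ExpiryDate -ge $now -and $_.ExpiryDate -le $limit)
    }
}

# Usage: everything expiring in the next 7 days, plus the rows that need explaining
Get-ExpiringPasswordReport -DaysAhead 7 | Sort-Object ExpiryDate | Format-Table -AutoSize
```

Change DaysAhead to widen or narrow the window; State tells you which rows are already effectively expired rather than merely approaching expiry.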

  11. Alessandro says:

    Users with Expiring date set to 1600 are those disabled

  12. Dr.Jones says:

    You could also make it the way I've done. I added it to my PowerShell profile, using function get-passexpiry ($user). This way you only need to ask it for one particular user's password expiry information. A la:
    #———
    function get-passexpiry ($user)
    {
        <#
        .SYNOPSIS
        Use to get information about a target user.
        .DESCRIPTION
        Lists the user's user ID to check you have the right user. Also lists whether the password is expired right now (Boolean value), when the password was last set, and if the password is set to never expire (Boolean value). Password expiry date is not a retrievable value from Active Directory. Requires the NAME of the user, in speech marks.
        .EXAMPLE
        get-passexpiry "ann onymous"
        #>
        write-host "Connecting to Active Directory."
        $maxPasswordAge = (get-addefaultdomainpasswordpolicy).MaxPasswordAge.Days
        try
        {
            $usercheck = get-aduser -filter 'name -eq $user'
            if ($usercheck -eq $null)
            {
                write-warning -message "Specified user does not exist."
            }
            else
            {
                get-aduser -filter 'name -eq $user' -properties Passwordexpired,passwordlastset,passwordneverexpires |
                    select samaccountname,Passwordexpired,passwordlastset,passwordneverexpires,@{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} |
                    format-list
            }
        }
        catch
        {
            $errormessage = $_.exception.message
            if ($errormessage -like '*is not defined*') { write-warning "D'oh. You forgot to specify a user." }
        }
    }
    #———

    This function shows you a true/false reading of whether their password has expired, and whether their password is set to never expire. It also shows the date/time they last changed their password, and confirms the UPN of the user, to make sure you're looking at the right user (in the case of similar names). It also warns if you've left the name field blank, or if that particular name doesn't exist in the system. Thanks to you guys for showing me how to find the password expiry date! A very useful addition to my script.

  13. iliyas ali says:

    Karnga bada

  14. Martin Horwood says:

    Great script, added the searchbase filters and exported to HTML for OU specific reports

  15. Debabrata says:

    I want to run the PasswordExpiryTimeComputed on a particular domain.

  16. Bgone says:

    I want to run the PasswordExpiryTimeComputed on a particular domain. Could anyone help with a full script?

  17. Minister says:

    @Bgone That’s a matter of context. You need to run the script on the domain you want the information from.

  18. Adam says:

    This is great, thanks!!!

  19. cari says:

    And where do I use this script? In the AD module for Windows PowerShell? Sorry, not knowledgeable.

  20. daro says:

    I've written an article on this that does not require use of PowerShell. Take a look at:
    http://www.dolejarz.com/how-to-find-password-age-in-active-directory/

  21. Ekramy Elnaggar says:

    The users with a password expiration date like "1/1/1601 1:00:00 AM" are the users that never set their passwords. You can check this from the attribute "pwdLastSet"; you will also find that the "user must change password at next logon" checkbox is checked.

  22. ayaaz says:

    -Bryan
    Could you please advise what n= and e= in your script represent and explain what they are, e.g. variables?
    I tried figuring it out and looking it up but I'm having no luck.

  23. Kermit T. Frog says:

    I consider myself an advanced Excel user, but for some strange reason, I cannot get the data_time stuff to be anything but text in Excel. Anyone that can help me get past this mental block gets a lollipop.

  24. Baggio says:

    Could someone help me with the following? I need a PowerShell script that sets "Password must change at next logon" if the password expires in 1 day. Thanks in advance!

  25. Mark says:

    Great work, where did you find "msDS-UserPasswordExpiryTimeComputed"?

  26. @Mark – it’s a constructed attribute:

    Get-ADObject -SearchBase "CN=Schema,CN=Configuration,dc=fabrikam,dc=COM" -ldapfilter '(systemFlags:1.2.840.113556.1.4.803:=4)' -Properties systemFlags

  27. Rune says:

    Great post Ian!

    Came across this as I was looking for a more verbose way to alert the users with expiring passwords (the Win7+ popup on the taskbar can easily be overlooked).
    I prefer your "msDS-UserPasswordExpiryTimeComputed" over the other scripted suggestions in here. Why? It’s the only way to tell the real expiry time when you have Fine Grained password policies in place.
    Thanks for sharing!

  28. Mohammd asif nagori says:

    Mohammd asif nagori

  29. chris says:

    Hi, I was wondering if anyone knew a command that I could use to look for accounts with passwords 91 days old and disable them.

    thank you very much 🙂

  30. Jason P says:

    Nominating this for ‘Longest ‘One-Liner’ Award’.
    Very nice. Thank you!

  31. New User says:

    Can someone please supply the script to find and delete all users whose accounts have been expired for 30 days. Thanks

  32. frank says:

    In AD you have "Saved Queries"; here you can make a query for "90 days not signed in", and from this list you can select accounts to disable.

  33. Charles says:

    You can also use it to send notifications to users before their passwords expire via email/SMS, which is super useful as users are made aware that they need to change their password:

    http://www.adaxes.com/active-directory_scheduled-tasks.htm#password_expiration

  34. Vlad says:

    Thank you Ian.