Retrieve “Password Last Set” and Expiration Date (PowerShell)



In this post we will look at how to retrieve password information in an Active Directory domain, to find out when a user last changed their password and whether it is set to never expire.

As a quick recap, to view the available options for Get-ADUser, run help Get-ADUser in a PowerShell session.


Next we want to find out what the properties we are interested in are called on a user account, so we will look at an individual user account in its entirety.

Get-ADUser -identity username -properties *


The property names we are interested in are PasswordLastSet and PasswordNeverExpires, so we can run the command requesting only these properties and output the results as a table. Type:

get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires


So we can now see when a user last changed their password and if it is set to never expire. To make things easier to find in a big environment you may want to sort the list by name. Type:

get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, Passwordneverexpires


And finally, let's export the list to CSV so we can work on it in Excel. In this example we use Select-Object in place of Format-Table (ft), because Export-Csv needs the objects themselves rather than formatted table output. Type:

Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info-20131119.csv


Get The Expiry Date and Time

Until now, we have only been able to see whether a user's password is set to never expire and when it was last set.

How can we use those attributes to get a list of enabled Active Directory accounts and their password expiry times? To do this we can use the attribute named msDS-UserPasswordExpiryTimeComputed:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

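The expiry query above, extended as an added example (not code from the original post) to handle the two special values of msDS-UserPasswordExpiryTimeComputed: 0 when the password must be changed at next logon, and the maximum 64-bit value when no expiry applies, which [datetime]::FromFileTime cannot convert. The function names, the WarnDays threshold and the sample rows are assumptions constructed for illustration.

```powershell
# Added example, not from the original post; names and sample rows are hypothetical.
function Get-PasswordExpiryState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 14,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($raw -eq 0) {
            # pwdLastSet is 0 or empty: user must change password at next logon
            $state = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [int64]::MaxValue) {
            # No maximum age applies (account flag or effective password policy)
            $state = 'NeverExpires'
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            if ($expiry -lt $Now) { $state = 'Expired' }
            elseif ($expiry -lt $Now.AddDays($WarnDays)) { $state = 'ExpiringSoon' }
            else { $state = 'OK' }
        }
        [pscustomobject]@{
            Name            = $User.Name
            PasswordLastSet = $User.PasswordLastSet
            ExpiryDate      = $expiry
            State           = $state
        }
    }
}

# Constructed sample rows so the logic can be checked without a domain.
$now = Get-Date '2013-11-19'
function New-SampleUser($Name, $LastSet, [int64] $Computed) {
    [pscustomobject]@{ Name = $Name; PasswordLastSet = $LastSet
                       'msDS-UserPasswordExpiryTimeComputed' = $Computed }
}
$sample = @(
    (New-SampleUser 'alice' ($now.AddDays(-10))  ($now.AddDays(32).ToFileTime()))
    (New-SampleUser 'bob'   ($now.AddDays(-37))  ($now.AddDays(5).ToFileTime()))
    (New-SampleUser 'carol' ($now.AddDays(-90))  ($now.AddDays(-48).ToFileTime()))
    (New-SampleUser 'dave'  $null                0)
    (New-SampleUser 'svc'   ($now.AddDays(-400)) ([int64]::MaxValue))
)
$sample | Get-PasswordExpiryState -Now $now | Format-Table -AutoSize
# Live domain (needs the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed' | Get-PasswordExpiryState
```

Filtering the result on State -eq 'NeverExpires' lists the enabled accounts that fall outside password rotation, which is usually the first thing to review in an audit.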