In this post we will look at how to retrieve password information in an Active Directory domain, to find out when a user last changed their password and whether it is set to never expire.
As a quick recap, to view the available options for Get-ADUser, type help Get-ADUser in a PowerShell session.
Next we want to find out the names of the user account properties we are interested in, so we will take a look at an individual user account in its entirety.
Get-ADUser -identity username -properties *
So the property names we are interested in are: PasswordLastSet and PasswordNeverExpires. So we can run the command specifying these properties only and output the results in a table. Type:
get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
So we can now see when a user last changed their password and if it is set to never expire. To make things easier to find in a big environment you may want to sort the list by name. Type:
get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, Passwordneverexpires
And finally, let's export the list to CSV so we can work on it in Excel. In this example we replace Format-Table (ft) with Select-Object. Type:
Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info-20131119.csv
Get The Expiry Date and Time
So far, we have only been able to see whether a user's password is set to never expire and when it was last set.
How can we use those attributes to get a list of enabled Active Directory accounts and their password expiry times? To do this we can use the attribute named msDS-UserPasswordExpiryTimeComputed:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Here’s some sample output:
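The conversion above assumes msDS-UserPasswordExpiryTimeComputed always holds a real timestamp, but it can also be 0 (password must be changed at next logon, which converts to a meaningless date in 1601) or 0x7FFFFFFFFFFFFFFF (no expiry applies, which makes FromFileTime throw). The following is an added example, not part of the original post, that handles both values and classifies each account; the function name Get-PasswordExpiryStatus, the 14-day warning window and the sample accounts are assumptions, and the sample objects are constructed so it runs without a domain.

```powershell
# Added example: classify accounts by password expiry, handling sentinel values.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 14,             # assumed warning window
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($raw -eq 0) {
            # pwdLastSet is 0: the user must change the password at next logon
            $status = 'MustChangeAtNextLogon'
        }
        elseif ($raw -eq [int64]::MaxValue) {
            # 0x7FFFFFFFFFFFFFFF: no expiry applies to this account
            $status = 'NeverExpires'
        }
        else {
            $expiry = [datetime]::FromFileTime($raw)
            $status = if ($expiry -lt $Now) { 'Expired' }
                      elseif ($expiry -lt $Now.AddDays($WarnDays)) { 'ExpiringSoon' }
                      else { 'OK' }
        }
        [pscustomobject]@{ Name = $User.Name; ExpiryDate = $expiry; Status = $status }
    }
}

# Constructed sample objects standing in for Get-ADUser output
$attr = 'msDS-UserPasswordExpiryTimeComputed'
$now  = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'alice'; $attr = $now.AddDays(30).ToFileTime() }
    [pscustomobject]@{ Name = 'bob';   $attr = $now.AddDays(5).ToFileTime() }
    [pscustomobject]@{ Name = 'carol'; $attr = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ Name = 'dave';  $attr = [int64]0 }
    [pscustomobject]@{ Name = 'svc01'; $attr = [int64]::MaxValue }
)
$sample | Get-PasswordExpiryStatus -Now $now | Sort-Object Name | Format-Table

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     Get-PasswordExpiryStatus | Where-Object Status -ne 'OK'
```

If the attribute was not requested with -Properties, the value is null and is reported as MustChangeAtNextLogon, so always include it in the Get-ADUser call.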