Summary
- Get Password Expiry Date of Enabled AD Users
- Get Password Expiration Report from Specific OU
- Export AD Users Password Expiration Report to CSV
Get Password Expiry Date of all Enabled AD Users
The following PowerShell script finds all enabled Active Directory users whose PasswordNeverExpires flag is False and lists their SamAccountName and password expiry date. The computed attribute msDS-UserPasswordExpiryTimeComputed is a timestamp attribute stored as a 64-bit integer (a Windows FILETIME), so a calculated expression converts it into a normal date/time value.
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "SamAccountName", `
        @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Format-Table
You can add any other attribute supported by Active Directory to the property list. For example, to include mail and pwdLastSet in this script, add them as comma-separated values to -Properties and to Select-Object.
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "SamAccountName","mail", `
        @{Name="Password Last Set"; Expression={[datetime]::FromFileTime($_."pwdLastSet")}}, `
        @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Format-Table
Instead of the normal -Filter, you can also use an LDAP filter with the Get-ADUser cmdlet to select Active Directory users.
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter '(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(!userAccountControl:1.2.840.113556.1.4.803:=65536))' `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "SamAccountName", `
        @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Format-Table
Here, 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so each clause tests a single userAccountControl bit: the value 2 indicates a disabled account and the value 65536 indicates PasswordNeverExpires. The leading ! negates each test, leaving only enabled accounts whose password can expire.
Get AD Users Password Expiration Report from Specific OU
We can limit the scope to a target OU with the SearchBase parameter of the Get-ADUser cmdlet. The following command lists the password expiration report for all enabled AD users in the Organizational Unit 'TestOU'.
Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" `
    -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "SamAccountName", `
        @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Format-Table
Export AD Users Password Expiration Report to CSV with PowerShell
We can export PowerShell output to a CSV file with the Export-Csv cmdlet. The following command exports the selected properties and the password expiry date of all enabled Active Directory users to a CSV file.
Import-Module ActiveDirectory
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "SamAccountName","mail", `
        @{Name="Password Last Set"; Expression={[datetime]::FromFileTime($_."pwdLastSet")}}, `
        @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Export-Csv "C:\PasswordExpirationReport.csv" -NoTypeInformation -Encoding UTF8
CSV Output of AD Users Password Expiration Date Report:
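As an added example that is not part of the original post, the following script builds on the export above to flag accounts whose password has already expired or expires within a chosen number of days, and it handles the two sentinel values of msDS-UserPasswordExpiryTimeComputed that make [datetime]::FromFileTime() throw. The $DaysAhead threshold and the output path are assumed values.

```powershell
# Added example, not part of the original post: flag enabled users whose password
# has already expired or expires within $DaysAhead days, and handle the two sentinel
# values that make [datetime]::FromFileTime() throw. Assumes the RSAT ActiveDirectory
# module, a domain-joined session, and the report path and threshold shown (both assumed).
Import-Module ActiveDirectory

$DaysAhead = 14
$Now       = Get-Date

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties "SamAccountName","mail","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" |
    ForEach-Object {
        $raw = $_."msDS-UserPasswordExpiryTimeComputed"

        # 0 is returned when pwdLastSet is 0 (user must change password at next logon).
        # [Int64]::MaxValue (0x7FFFFFFFFFFFFFFF) is returned when the effective policy
        # (domain or fine-grained) has no maximum password age, even though the
        # PasswordNeverExpires flag on the account is False. Neither is a valid FILETIME.
        if ($null -eq $raw -or $raw -eq 0) {
            $expiry = $null
            $state  = 'MustChangeAtNextLogon'
        }
        elseif ($raw -eq [Int64]::MaxValue) {
            $expiry = $null
            $state  = 'NeverExpiresByPolicy'
        }
        else {
            $expiry = [datetime]::FromFileTime($raw)
            if     ($expiry -lt $Now)                     { $state = 'Expired' }
            elseif ($expiry -le $Now.AddDays($DaysAhead)) { $state = 'ExpiringSoon' }
            else                                          { $state = 'OK' }
        }

        [pscustomobject]@{
            SamAccountName     = $_.SamAccountName
            Mail               = $_.mail
            PasswordLastSet    = if ($_.pwdLastSet) { [datetime]::FromFileTime($_.pwdLastSet) } else { $null }
            PasswordExpiryDate = $expiry
            DaysRemaining      = if ($expiry) { [math]::Round(($expiry - $Now).TotalDays, 1) } else { $null }
            State              = $state
        }
    } |
    Where-Object { $_.State -ne 'OK' } |
    Sort-Object PasswordExpiryDate |
    Export-Csv "C:\PasswordExpiryWarnings.csv" -NoTypeInformation -Encoding UTF8
```

Accounts in the NeverExpiresByPolicy state are worth reviewing separately, since they pass the PasswordNeverExpires -eq $False filter used in the reports above but still never expire.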
Hi Jordi,
You have to run the powershell window as an administrator.
Thanks
Alex
Thanks Alex! Absolute Legend.
Thank you so much for your support! It saved a lot of my time!
Thank you again.