Solved

View a single AD user's password expiry date

Posted on 2013-05-21
Last Modified: 2013-05-23
Hello experts - we're testing a new password policy in AD Group Policy.  We need to have a user in a sandbox to make sure the settings are applied.  Is there a PowerShell script or some other way to show when the user's password is set to expire?

Thanks in advance.

RC
Question by:Levi Gwyn
16 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 39185872
Check out this PowerShell function Get-XADUserPasswordExpirationDate..
Ref : http://blogs.msdn.com/b/adpowershell/archive/2010/08/09/9970198.aspx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39185902
or a really crude way, download adfind

http://www.joeware.net/freetools/tools/adfind/

adfind -f samaccountname=username pwdlastset -tdca

That will be when the password was last set.  Then add the number of days you have defined in maximum password age (90 days, for example).

Thanks

Mike
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 39186173
VIEW ADDITIONAL INFORMATION IN ACTIVE DIRECTORY, TO INCLUDE PASSWORD EXPIRATION DATE:

http://www.petri.co.il/view_additional_user_information_in_aduc.htm

THIS IS SIMPLE BY SIMPLY REGISTERING A .DLL IF YOU ALREADY HAVE THE RESOURCE KIT ON THE COMPUTER (WHICH MOST ALREADY HAVE).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39186234
Are you on 2003 or 2008 R2?   You might need the updated acctinfo if you go down that road.

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39187210
Our AD forest/domain functional level is 2008 R2.  Sorry - should have mentioned that in the initial post.
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39187263
Subsun - I've tried running this script and get nothing.  I'm not a PowerShell guru but is there some context under which I need to run this?  Do I need to pipe the output to a text file?  Do I need to run this on a domain controller? - I tried running it on my Windows 8 computer.  The script runs with no errors but I get no output at all.

I ran set-executionpolicy remotesigned on my computer to allow scripts and ran the PowerShell ISE as administrator and get nothing.  I also tried calling from a command prompt and same - nothing.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 39189141
I believe the acct info works for 08 R2 servers as well. Worst case scenario is the .dll doesn't exist if you try to register it for additional AD information that comes in VERY handy.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39189165
It would have issues on a 2008 R2 box; see this thread I helped with:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26476848.html

On another note, the info is in ADAC natively in Windows 2012; see the bottom of the blog below:

http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx

Thanks

Mike
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 39189185
@Mkline:
You stated, there were some explicit edits, but you got it to work. Did you have problems afterwards with ACCTINFO2?

This really sounds like exactly what this administrator is looking for.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39189202
The script utilizes the Active Directory module for Windows PowerShell and is also written as a function, so you need to run it where the Active Directory module is installed. A Win 2008 R2 DC should have the AD module.

Since it's written as a function, simply copy and paste the script content into the AD PowerShell console and press the Enter key. Once it returns to the PS prompt, run the command Get-XADUserPasswordExpirationDate to get the required details.

Or load the script file with the cmdlet definition. You can do this by typing a dot, a space, and then the path to the file. There has to be a space between the dot and the file name, otherwise it won't work.

1)
PS>. C:\Get-XADUserPasswordExpirationDate.ps1

2) And next try use function.
PS>Get-XADUserPasswordExpirationDate JohnDoe
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39189219
No didn't have problems afterwards.  I'm currently running a windows 8 box with ADAC so I don't use it at my current job.

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190672
Okay guys - I'm the first one in my family to walk upright and am a little dim.  I'm not really getting this to work for me.  The screen shot is from a Windows Server 2008 R2 domain controller.  I logged in as a domain admin.  What am I doing wrong?
Capture.PNG
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39190686
I think you are running the script from normal PowerShell console. If that's the case first you run the following command to import the ActiveDirectory module..

Import-Module ActiveDirectory

and then run the function..

Get-XADUserPasswordExpirationDate JohnDoe
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190703
Still a no-go.  See screen shot.
Capture.PNG
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 39190723
:-) Now you didn't run the function script.

Run Import-Module ActiveDirectory
Copy and paste the script content into the AD PowerShell console and press the Enter key.
Once it returns to the PS prompt, run the following command to get the required details:
  Get-XADUserPasswordExpirationDate JohnDoe

Or simply use this modified script, which will do all of the above tasks for you. When you run this script, it will prompt you to enter the username. Just enter the username and press the Enter key, and it will give you the result.

Import-Module ActiveDirectory

function Get-XADUserPasswordExpirationDate {
    Param (
        [Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
        [Object] $accountIdentity
    )
    PROCESS {
        # Fetch the account together with the password-related properties used below
        $accountObj = Get-ADUser $accountIdentity -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet
        if ($accountObj.PasswordExpired) {
            echo ("Password of account: " + $accountObj.Name + " already expired!")
        } else {
            if ($accountObj.PasswordNeverExpires) {
                echo ("Password of account: " + $accountObj.Name + " is set to never expire!")
            } else {
                $passwordSetDate = $accountObj.PasswordLastSet
                if ($null -eq $passwordSetDate) {
                    echo ("Password of account: " + $accountObj.Name + " has never been set!")
                } else {
                    $maxPasswordAgeTimeSpan = $null
                    $dfl = (Get-ADDomain).DomainMode
                    if ($dfl -ge 3) {
                        # Windows2008 domain functional level or higher:
                        # a fine-grained password policy (FGPP) may apply to this account
                        $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
                        if ($null -ne $accountFGPP) {
                            $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                        } else {
                            # No FGPP applies, so fall back to the default domain policy
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                    } else {
                        # Older functional levels only have the default domain policy
                        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                    }
                    if ($null -eq $maxPasswordAgeTimeSpan -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                        echo ("MaxPasswordAge is not set for the domain or is set to zero!")
                    } else {
                        # Expiry = date the password was last set + effective maximum password age
                        echo ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                    }
                }
            }
        }
    }
}

# Prompt for the user name and report its password expiration date
Get-XADUserPasswordExpirationDate $(Read-Host "Input the UserName")

0
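
For testing a new password policy on a sandbox user, as in the question, it also helps to read the expiry time the domain controller itself computes and compare the effective maximum age with what the policy is supposed to enforce. The following is an added example, not part of the thread or of the referenced script: it reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already reflects either a fine-grained policy or the default domain policy. The function name Test-XADPasswordExpiry and the -ExpectedMaxAgeDays parameter are hypothetical.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (added example, not from the thread).
function Test-XADPasswordExpiry {
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string] $Identity,
        [int] $ExpectedMaxAgeDays = 0    # 0 = report only, skip the policy comparison
    )

    $attr = 'msDS-UserPasswordExpiryTimeComputed'
    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, $attr
    $raw  = [Int64] $user.$attr
    $info = @{
        SamAccountName  = $user.SamAccountName
        Status          = $null
        PasswordLastSet = $null
        ExpiresOn       = $null
        EffectiveMaxAge = $null
        PolicyMatches   = $null
    }

    if ($raw -eq [Int64]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: the password does not expire for this account
        # (never-expires flag set, or the effective policy has no maximum age)
        $info.Status = 'DoesNotExpire'
    } elseif ($raw -eq 0) {
        # pwdLastSet is 0 or empty: the user must change the password at next logon
        $info.Status = 'MustChangeAtNextLogon'
    } else {
        # Both values are FILETIME ticks, so their difference is the effective max age
        $lastSet = [Int64] $user.pwdLastSet
        $maxAge  = [TimeSpan]::FromTicks($raw - $lastSet)
        $info.PasswordLastSet = [DateTime]::FromFileTime($lastSet)
        $info.ExpiresOn       = [DateTime]::FromFileTime($raw)
        $info.EffectiveMaxAge = $maxAge
        if ($info.ExpiresOn -lt (Get-Date)) { $info.Status = 'Expired' } else { $info.Status = 'Valid' }
        if ($ExpectedMaxAgeDays -gt 0) {
            $info.PolicyMatches = ($maxAge.TotalDays -eq $ExpectedMaxAgeDays)
        }
    }

    New-Object PSObject -Property $info |
        Select-Object SamAccountName, Status, PasswordLastSet, ExpiresOn, EffectiveMaxAge, PolicyMatches
}

# Example call: JohnDoe is the placeholder account name used in the thread
Test-XADPasswordExpiry JohnDoe -ExpectedMaxAgeDays 90
```

A PolicyMatches value of False on the sandbox user means the maximum age actually in effect for that account differs from the one the new policy was meant to apply.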
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190759
Subsun - thanks for helping a dimwit.  That did the trick.

Here is the way I did it:

1. . C:\temp\PasswordExpiretyDate.ps1 (I copied the script contents into this file)
2. Get-XADUserPasswordExpirationDate <user_name>

Thanks very much for your help.
0
