Solved

View a single AD user's password expiry date

Posted on 2013-05-21
Last Modified: 2013-05-23
Hello experts - we're testing a new password policy in AD Group Policy.  We need to have a user in a sandbox to make sure the settings are applied.  Is there a PowerShell script or some other way to show when the user's password is set to expire?

Thanks in advance.

RC
Question by:Levi Gwyn
16 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 39185872
Check out this PowerShell function Get-XADUserPasswordExpirationDate..
Ref : http://blogs.msdn.com/b/adpowershell/archive/2010/08/09/9970198.aspx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39185902
or a really crude way, download adfind

http://www.joeware.net/freetools/tools/adfind/

adfind -f samaccountname=username pwdlastset -tdca

That will be when the password was last set.  Then add the number of days you have defined in maximum password age (90 days, for example).

Thanks

Mike
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 39186173
VIEW ADDITIONAL INFORMATION IN ACTIVE DIRECTORY, TO INCLUDE PASSWORD EXPIRATION DATE:

http://www.petri.co.il/view_additional_user_information_in_aduc.htm

THIS IS SIMPLE BY SIMPLY REGISTERING A .DLL IF YOU ALREADY HAVE THE RESOURCE KIT ON THE COMPUTER (WHICH MOST ALREADY HAVE).
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 39186234
Are you on 2003 or 2008 R2?   You might need the updated acctinfo if you go down that road.

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39187210
Our AD forest/domain functional level is 2008 R2.  Sorry - should have mentioned that in the initial post.
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39187263
Subsun - I've tried running this script and get nothing.  I'm not a PowerShell guru but is there some context under which I need to run this?  Do I need to pipe the output to a text file?  Do I need to run this on a domain controller? - I tried running it on my Windows 8 computer.  The script runs with no errors but I get no output at all.

I ran set-executionpolicy remotesigned on my computer to allow scripts and ran the PowerShell ISE as administrator and get nothing.  I also tried calling from a command prompt and same - nothing.
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 39189141
I believe the acct info works for 08 R2 servers as well. Worst case scenario is the .dll doesn't exist if you try to register it for additional AD information that comes in VERY handy.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39189165
It would have issues on a 2008 R2 box; see this thread I helped with:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26476848.html

On another note, the info is in ADAC natively in Windows 2012; see the bottom of the blog below:

http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx

Thanks

Mike
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 39189185
@Mkline:
You stated, there were some explicit edits, but you got it to work. Did you have problems afterwards with ACCTINFO2?

This really sounds like exactly what this administrator is looking for.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39189202
The script utilizes the Active Directory module for Windows PowerShell and is also written as a function, so you need to run it where the Active Directory module is installed. A Win 2008 R2 DC should have the AD module...

Since it's written as a function, simply copy and paste the script content into the AD PowerShell console and press the Enter key. Once it returns to the PS prompt, run the command Get-XADUserPasswordExpirationDate to get the required details.

Or load the script file with the cmdlet definition. You can do this by typing a dot, a space, and then the path to the file. There has to be a space between the dot and the file name, otherwise it won't work.

1)
PS>. C:\Get-XADUserPasswordExpirationDate.ps1

2) And next try use function.
PS>Get-XADUserPasswordExpirationDate JohnDoe
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39189219
No didn't have problems afterwards.  I'm currently running a windows 8 box with ADAC so I don't use it at my current job.

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190672
Okay guys - I'm the first one in my family to walk upright and am a little dim.  I'm not really getting this to work for me.  The screen shot is from a Windows Server 2008 R2 domain controller.  I logged in as a domain admin.  What am I doing wrong?
Capture.PNG
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39190686
I think you are running the script from normal PowerShell console. If that's the case first you run the following command to import the ActiveDirectory module..

Import-Module ActiveDirectory

and then run the function..

Get-XADUserPasswordExpirationDate JohnDoe
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190703
Still a no-go.  See screen shot.
Capture.PNG
0
 
LVL 40

Accepted Solution

by:
Subsun earned 2000 total points
ID: 39190723
:-) now you didn't run the function script..

Run Import-Module ActiveDirectory
Copy and paste the script content into the AD PowerShell console and press the Enter key.
Once it returns to the PS prompt, run the following command to get the required details:
  Get-XADUserPasswordExpirationDate JohnDoe

Or simply use this modified script which will do all above tasks for you. When you run this script it will prompt you to enter the username. You just enter username and then press enter key, it will give you the result..

Import-Module ActiveDirectory

function Get-XADUserPasswordExpirationDate() {
    Param ([Parameter(Mandatory=$true,  Position=0,  ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
    [Object] $accountIdentity)

    PROCESS {
        # Fetch only the password-related properties used below
        $accountObj = Get-ADUser $accountIdentity -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet

        if ($accountObj.PasswordExpired) {
            echo ("Password of account: " + $accountObj.Name + " already expired!")
        } else {
            if ($accountObj.PasswordNeverExpires) {
                echo ("Password of account: " + $accountObj.Name + " is set to never expires!")
            } else {
                $passwordSetDate = $accountObj.PasswordLastSet

                if ($null -eq $passwordSetDate) {
                    echo ("Password of account: " + $accountObj.Name + " has never been set!")
                } else {
                    $maxPasswordAgeTimeSpan = $null
                    $dfl = (Get-ADDomain).DomainMode

                    if ($dfl -ge 3) {
                        ## Windows2008 domain functional level or higher:
                        ## a fine-grained password policy may apply to this user
                        $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj

                        if ($null -ne $accountFGPP) {
                            $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                        } else {
                            # No fine-grained policy applies; use the domain policy
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                    } else {
                        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                    }

                    if ($null -eq $maxPasswordAgeTimeSpan -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                        echo ("MaxPasswordAge is not set for the domain or is set to zero!")
                    } else {
                        # Expiry = date the password was last set + maximum password age
                        echo ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                    }
                }
            }
        }
    }
}

# Prompt for the user name and run the function
Get-XADUserPasswordExpirationDate $(Read-Host "Input the UserName")

0
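
For checking a new password policy against a sandbox user, it helps to see which policy actually applied and to compare the "PasswordLastSet plus maximum password age" arithmetic from the adfind answer with the expiry the domain controller computes itself. The following is an added example, not code from this thread or from the referenced blog; the function name Get-PasswordExpiryReport is hypothetical, and it assumes the ActiveDirectory module and a domain functional level of 2008 or later (as in this thread), where the msDS-UserPasswordExpiryTimeComputed attribute is available.

```powershell
# Added example, not code from the thread. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {    # hypothetical helper name
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string] $Identity
    )
    process {
        $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
            PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

        # A fine-grained password policy (PSO), when one applies to the user,
        # takes precedence over the domain-wide policy.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($pso) {
            $policy = $pso.Name
            $maxAge = $pso.MaxPasswordAge
        } else {
            $policy = 'Domain password policy'
            $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        }

        # Expiry as computed by the DC: a FILETIME where 0 means the password
        # must be changed at next logon and Int64.MaxValue means it never expires.
        $raw = [int64] $user.'msDS-UserPasswordExpiryTimeComputed'
        $computed = $null
        if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) {
            $computed = [datetime]::FromFileTime($raw)
        }

        # Manual cross-check: PasswordLastSet + MaxPasswordAge, added in UTC.
        $manual = $null
        if ($user.PasswordLastSet -and $maxAge.Ticks -gt 0 -and -not $user.PasswordNeverExpires) {
            $manual = ($user.PasswordLastSet.ToUniversalTime() + $maxAge).ToLocalTime()
        }

        New-Object PSObject -Property @{
            User = $user.SamAccountName; AppliedPolicy = $policy
            MaxPasswordAge = $maxAge; PasswordLastSet = $user.PasswordLastSet
            ExpiresComputed = $computed; ExpiresManual = $manual
            Agree = ($computed -eq $manual)
        } | Select-Object User, AppliedPolicy, MaxPasswordAge, PasswordLastSet,
            ExpiresComputed, ExpiresManual, Agree
    }
}

Get-PasswordExpiryReport (Read-Host 'Input the UserName')
```

If AppliedPolicy or MaxPasswordAge is not what the new policy specifies, the setting has not reached this user; Agree being False means the manually derived date and the DC's own calculation differ and the policy values read above should be rechecked.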
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190759
Subsun - thanks for helping a dimwit.  That did the trick.

Here is the way I did it:

1. . C:\temp\PasswordExpiretyDate.ps1 (I copied the script contents into this file)
2. Get-XADUserPasswordExpirationDate <user_name>

Thanks very much for your help.
0
