Solved

View a single AD user's password expiry date

Posted on 2013-05-21
Last Modified: 2013-05-23
Hello experts - we're testing a new password policy in AD Group Policy.  We need to have a user in a sandbox to make sure the settings are applied.  Is there a PowerShell script or some other way to show when the user's password is set to expire?

Thanks in advance.

RC
Question by:Levi Gwyn
16 Comments
 
LVL 40

Expert Comment

by:Subsun
ID: 39185872
Check out this PowerShell function Get-XADUserPasswordExpirationDate..
Ref : http://blogs.msdn.com/b/adpowershell/archive/2010/08/09/9970198.aspx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39185902
or a really crude way, download adfind

http://www.joeware.net/freetools/tools/adfind/

adfind -f samaccountname=username pwdlastset -tdca

That will be when the password was last set. Then add the number of days you have defined in maximum password age (90 days, for example).

Thanks

Mike
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 39186173
VIEW ADDITIONAL INFORMATION IN ACTIVE DIRECTORY, TO INCLUDE PASSWORD EXPIRATION DATE:

http://www.petri.co.il/view_additional_user_information_in_aduc.htm

THIS IS SIMPLE BY SIMPLY REGISTERING A .DLL IF YOU ALREADY HAVE THE RESOURCE KIT ON THE COMPUTER (WHICH MOST ALREADY HAVE).
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39186234
Are you on 2003 or 2008 R2? You might need the updated acctinfo if you go down that road.

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39187210
Our AD forest/domain functional level is 2008 R2.  Sorry - should have mentioned that in the initial post.
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39187263
Subsun - I've tried running this script and get nothing.  I'm not a PowerShell guru but is there some context under which I need to run this?  Do I need to pipe the output to a text file?  Do I need to run this on a domain controller? - I tried running it on my Windows 8 computer.  The script runs with no errors but I get no output at all.

I ran set-executionpolicy remotesigned on my computer to allow scripts and ran the PowerShell ISE as administrator and get nothing.  I also tried calling from a command prompt and same - nothing.
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 39189141
I believe the acct info works for 08 R2 servers as well. Worst case scenario is the .dll doesn't exist if you try to register it for additional AD information that comes in VERY handy.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39189165
It would have issues on a 2008 R2 box; see this thread I helped with:

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26476848.html

On another note, the info is in ADAC natively in Windows 2012; see the bottom of the blog below:

http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx

Thanks

Mike
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 39189185
@Mkline:
You stated, there were some explicit edits, but you got it to work. Did you have problems afterwards with ACCTINFO2?

This really sounds like exactly what this administrator is looking for.
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39189202
The script utilizes the Active Directory module for Windows PowerShell and is also written as a function, so you need to run it where the Active Directory module is installed. A Win 2008 R2 DC should have the AD module...

Since it's written as a function, simply copy and paste the script content into the AD PowerShell console and press the Enter key. Once it returns to the PS prompt, run the command Get-XADUserPasswordExpirationDate to get the required details.

Or load the script file with the cmdlet definition. You can do this by typing a dot, a space, and then the path to the file. There has to be a space between the dot and the file name, otherwise it won't work.

1)
PS>. C:\Get-XADUserPasswordExpirationDate.ps1

2) And next try to use the function.
PS>Get-XADUserPasswordExpirationDate JohnDoe
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 39189219
No didn't have problems afterwards.  I'm currently running a windows 8 box with ADAC so I don't use it at my current job.

Thanks

Mike
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190672
Okay guys - I'm the first one in my family to walk upright and am a little dim.  I'm not really getting this to work for me.  The screen shot is from a Windows Server 2008 R2 domain controller.  I logged in as a domain admin.  What am I doing wrong?
Capture.PNG
0
 
LVL 40

Expert Comment

by:Subsun
ID: 39190686
I think you are running the script from the normal PowerShell console. If that's the case, first run the following command to import the ActiveDirectory module..

Import-Module ActiveDirectory

and then run the function..

Get-XADUserPasswordExpirationDate JohnDoe
0
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190703
Still a no-go.  See screen shot.
Capture.PNG
0
 
LVL 40

Accepted Solution

by:
Subsun earned 500 total points
ID: 39190723
:-) now you didn't run the function script..

Run Import-Module ActiveDirectory
Copy and paste the script content into the AD PowerShell console and press the Enter key.
Once it returns to the PS prompt, run the following command to get the required details..
  Get-XADUserPasswordExpirationDate JohnDoe

Or simply use this modified script, which will do all of the above tasks for you. When you run this script it will prompt you to enter the username. Just enter the username and press the Enter key, and it will give you the result..

Import-Module ActiveDirectory

function Get-XADUserPasswordExpirationDate() {
    Param ([Parameter(Mandatory=$true,  Position=0,  ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
    [Object] $accountIdentity)

    PROCESS {
        # Fetch only the password-related properties needed below
        $accountObj = Get-ADUser $accountIdentity -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet

        if ($accountObj.PasswordExpired) {
            echo ("Password of account: " + $accountObj.Name + " already expired!")
        } else {
            if ($accountObj.PasswordNeverExpires) {
                echo ("Password of account: " + $accountObj.Name + " is set to never expires!")
            } else {
                $passwordSetDate = $accountObj.PasswordLastSet
                if ($null -eq $passwordSetDate) {
                    echo ("Password of account: " + $accountObj.Name + " has never been set!")
                } else {
                    $maxPasswordAgeTimeSpan = $null
                    $dfl = (Get-ADDomain).DomainMode
                    if ($dfl -ge 3) {
                        ## Windows2008 domain functional level or higher:
                        ## a fine-grained password policy (FGPP) may apply to this user
                        $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
                        if ($null -ne $accountFGPP) {
                            $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                        } else {
                            # No FGPP applies, fall back to the domain default policy
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                    } else {
                        # Older functional levels only have the domain default policy
                        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                    }

                    if ($null -eq $maxPasswordAgeTimeSpan -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                        echo ("MaxPasswordAge is not set for the domain or is set to zero!")
                    } else {
                        # Expiry = time the password was last set + effective maximum password age
                        echo ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                    }
                }
            }
        }
    }
}

# Prompt for the user name and report the expiry date
Get-XADUserPasswordExpirationDate $(Read-Host "Input the UserName")


0
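
A shorter way to get the same answer when checking a sandbox user, as an added example that is not part of the original thread: the domain controller already computes the expiry time in the constructed attribute msDS-UserPasswordExpiryTimeComputed, using pwdLastSet and whichever maximum password age applies to the user (fine-grained policy or domain default). The function names ConvertFrom-PasswordExpiryValue and Get-UserPasswordExpiry are hypothetical, and the sample values at the end are constructed.

```powershell
# Added example; function names are hypothetical, not from the thread.
# Uses PowerShell 2.0 syntax so it also runs on a Windows Server 2008 R2 DC.

function ConvertFrom-PasswordExpiryValue {
    # Decodes a raw msDS-UserPasswordExpiryTimeComputed value (a FILETIME).
    param([Parameter(Mandatory=$true)][long] $ExpiryFileTime)

    if ($ExpiryFileTime -eq 0) {
        return 'No expiry date: pwdLastSet is 0 or unset'
    }
    if ($ExpiryFileTime -eq [long]::MaxValue) {
        return 'Password does not expire (account flag, or policy has no maximum age)'
    }
    return [datetime]::FromFileTime($ExpiryFileTime)   # converted to local time
}

function Get-UserPasswordExpiry {
    param([Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true)]
          [string] $Identity)
    begin { Import-Module ActiveDirectory -ErrorAction Stop }
    process {
        $user = Get-ADUser -Identity $Identity `
                    -Properties PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

        # $null means no fine-grained policy applies and the domain default is in effect,
        # which is the thing to confirm when testing a new policy on a sandbox user.
        $fgpp   = Get-ADUserResultantPasswordPolicy -Identity $user
        $policy = if ($fgpp) { $fgpp.Name } else { '(domain default policy)' }

        New-Object PSObject -Property @{
            SamAccountName  = $user.SamAccountName
            PasswordLastSet = $user.PasswordLastSet
            AppliedPolicy   = $policy
            PasswordExpiry  = ConvertFrom-PasswordExpiryValue $user.'msDS-UserPasswordExpiryTimeComputed'
        } | Select-Object SamAccountName, PasswordLastSet, AppliedPolicy, PasswordExpiry
    }
}

# Constructed sample values (no domain needed): the two sentinel values and a
# password set on 2013-05-21 under a 90-day maximum age.
$sample = ([datetime]'2013-05-21').AddDays(90).ToFileTime()
ConvertFrom-PasswordExpiryValue 0
ConvertFrom-PasswordExpiryValue ([long]::MaxValue)
ConvertFrom-PasswordExpiryValue $sample

# Against a real domain, with the AD module available:
#   Get-UserPasswordExpiry JohnDoe
```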
 
LVL 4

Author Comment

by:Levi Gwyn
ID: 39190759
Subsun - thanks for helping a dimwit.  That did the trick.

Here is the way I did it:

1. . C:\temp\PasswordExpiretyDate.ps1 (I copied the script contents into this file)
2. Get-XADUserPasswordExpirationDate <user_name>

Thanks very much for your help.
0
