View a single AD user's password expiration date

Hello experts - we're testing a new password policy in AD Group Policy.  We need to have a user in a sandbox to make sure the settings are applied.  Is there a PowerShell script or some other way to show when the user's password is set to expire?

Thanks in advance.

RC
Levi Gwyn Asked:
 
Subsun Commented:
:-) now you didn't run the function script..

Run Import-Module ActiveDirectory
Copy and paste the script content into the AD PowerShell console and press the Enter key.
Once it returns to the PS prompt, run the following command to get the required details..
  Get-XADUserPasswordExpirationDate JohnDoe

Or simply use this modified script, which will do all of the above tasks for you. When you run this script it will prompt you to enter the username. Just enter the username and then press the Enter key, and it will give you the result..

Import-Module ActiveDirectory
function Get-XADUserPasswordExpirationDate() {
    Param ([Parameter(Mandatory=$true,  Position=0,  ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
    [Object] $accountIdentity)
    PROCESS {
        $accountObj = Get-ADUser $accountIdentity -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet
        if ($accountObj.PasswordExpired) {
            echo ("Password of account: " + $accountObj.Name + " already expired!")
        } else {
            if ($accountObj.PasswordNeverExpires) {
                echo ("Password of account: " + $accountObj.Name + " is set to never expires!")
            } else {
                $passwordSetDate = $accountObj.PasswordLastSet
                if ($passwordSetDate -eq $null) {
                    echo ("Password of account: " + $accountObj.Name + " has never been set!")
                } else {
                    $maxPasswordAgeTimeSpan = $null
                    $dfl = (get-addomain).DomainMode
                    if ($dfl -ge 3) {
                        ## Windows2008 domain functional level or higher:
                        ## a fine-grained password policy may apply to the user
                        $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
                        if ($accountFGPP -ne $null) {
                            $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                        } else {
                            ## No fine-grained policy applies; use the domain default
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                    } else {
                        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                    }
                    if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                        echo ("MaxPasswordAge is not set for the domain or is set to zero!")
                    } else {
                        echo ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                    }
                }
            }
        }
    }
}
## Defining the function produces no output; this line calls it
Get-XADUserPasswordExpirationDate $(Read-Host "Input the UserName")


0
 
Subsun Commented:
Check out this PowerShell function Get-XADUserPasswordExpirationDate..
Ref : http://blogs.msdn.com/b/adpowershell/archive/2010/08/09/9970198.aspx
0
 
Mike Kline Commented:
or a really crude way, download adfind

http://www.joeware.net/freetools/tools/adfind/

adfind -f samaccountname=username pwdlastset -tdca

That will be when the password was last set.  Then add the number of days you have defined in maximum password age (90 days for example).

Thanks

Mike
0
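An alternative to adding the maximum password age to pwdLastSet by hand, as an added example (not code from this thread or from the linked blog): it reads the msDS-UserPasswordExpiryTimeComputed attribute, which the domain controller computes with any fine-grained password policy already applied, and reports which policy governs the test user. The function name Get-PasswordExpiryReport is hypothetical; the code assumes the ActiveDirectory module and a domain functional level of Windows Server 2008 or higher.

```powershell
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {   # hypothetical name, not from the thread
    param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipeline = $true)]
        [string] $Identity
    )
    process {
        $user = Get-ADUser -Identity $Identity -Properties PasswordLastSet,
            PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

        # Which policy governs this user: a fine-grained one or the domain default?
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user
        if ($pso) {
            $policy = $pso.Name
            $maxAge = $pso.MaxPasswordAge
        } else {
            $policy = 'Default domain password policy'
            $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
        }

        # The attribute is a FILETIME computed by the domain controller.
        # 0 = password never set, or must change at next logon;
        # Int64.MaxValue (0x7FFFFFFFFFFFFFFF) = password does not expire.
        $raw = [Int64] $user.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -eq 0) {
            $expires = 'Not set, or must change at next logon'
        } elseif ($raw -eq [Int64]::MaxValue) {
            $expires = 'Never'
        } else {
            $expires = [DateTime]::FromFileTime($raw)   # converted to local time
        }

        # Emit an object rather than text so the result can be piped or exported.
        New-Object PSObject -Property @{
            SamAccountName  = $user.SamAccountName
            AppliedPolicy   = $policy
            MaxPasswordAge  = $maxAge
            PasswordLastSet = $user.PasswordLastSet
            PasswordExpires = $expires
        } | Select-Object SamAccountName, AppliedPolicy, MaxPasswordAge,
            PasswordLastSet, PasswordExpires
    }
}

# Defining the function prints nothing; it has to be called.
Get-PasswordExpiryReport -Identity (Read-Host 'Input the UserName')
```

The AppliedPolicy column shows whether the sandbox user is picking up a fine-grained policy or the domain default.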

 
ChiefIT Commented:
VIEW ADDITIONAL INFORMATION IN ACTIVE DIRECTORY, TO INCLUDE PASSWORD EXPIRATION DATE:

http://www.petri.co.il/view_additional_user_information_in_aduc.htm

THIS IS SIMPLE BY SIMPLY REGISTERING A .DLL IF YOU ALREADY HAVE THE RESOURCE KIT ON THE COMPUTER (WHICH MOST ALREADY HAVE).
0
 
Mike Kline Commented:
Are you on 2003 or 2008 R2?   You might need the updated acctinfo if you go down that road.

Thanks

Mike
0
 
Levi Gwyn (Author) Commented:
Our AD forest/domain functional level is 2008 R2.  Sorry - should have mentioned that in the initial post.
0
 
Levi Gwyn (Author) Commented:
Subsun - I've tried running this script and get nothing.  I'm not a PowerShell guru but is there some context under which I need to run this?  Do I need to pipe the output to a text file?  Do I need to run this on a domain controller? - I tried running it on my Windows 8 computer.  The script runs with no errors but I get no output at all.

I ran set-executionpolicy remotesigned on my computer to allow scripts and ran the PowerShell ISE as administrator and get nothing.  I also tried calling from a command prompt and same - nothing.
0
 
ChiefIT Commented:
I believe the acct info works for 08 R2 servers as well. Worst case scenario is the .dll doesn't exist if you try to register it for additional AD information that comes in VERY handy.
0
 
Mike Kline Commented:
It would have issues on a 2008 R2 box, see this thread I helped with

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_26476848.html

On another note, the info is in ADAC natively in Windows 2012; see the bottom of the blog below

http://blogs.technet.com/b/askds/archive/2011/04/12/you-probably-don-t-need-acctinfo2-dll.aspx

Thanks

Mike
0
 
ChiefIT Commented:
@Mkline:
You stated, there were some explicit edits, but you got it to work. Did you have problems afterwards with ACCTINFO2?

This really sounds like exactly what this administrator is looking for.
0
 
Subsun Commented:
The script utilizes the Active Directory module for Windows PowerShell and is also written as a function, so you need to run it where the Active Directory module is installed. A Win 2008 R2 DC should have the AD module...

Since it's written as a function, simply copy and paste the script content into the AD PowerShell console and press the Enter key. Once it returns to the PS prompt, run the command Get-XADUserPasswordExpirationDate to get the required details..

Or load the script file with the cmdlet definition. You can do this by typing a dot, a space, and then the path to the file. There has to be a space between the dot and the file name, otherwise it won't work.

1)
PS>. C:\Get-XADUserPasswordExpirationDate.ps1

2) And next try use function.
PS>Get-XADUserPasswordExpirationDate JohnDoe
0
 
Mike Kline Commented:
No didn't have problems afterwards.  I'm currently running a windows 8 box with ADAC so I don't use it at my current job.

Thanks

Mike
0
 
Levi Gwyn (Author) Commented:
Okay guys - I'm the first one in my family to walk upright and am a little dim.  I'm not really getting this to work for me.  The screen shot is from a Windows Server 2008 R2 domain controller.  I logged in as a domain admin.  What am I doing wrong?
Capture.PNG
0
 
Subsun Commented:
I think you are running the script from normal PowerShell console. If that's the case first you run the following command to import the ActiveDirectory module..

Import-Module ActiveDirectory

and then run the function..

Get-XADUserPasswordExpirationDate JohnDoe
0
 
Levi Gwyn (Author) Commented:
Still a no-go.  See screen shot.
Capture.PNG
0
 
Levi Gwyn (Author) Commented:
Subsun - thanks for helping a dimwit.  That did the trick.

Here is the way I did it:

1. . C:\temp\PasswordExpiretyDate.ps1 (I copied the script contents into this file)
2. Get-XADUserPasswordExpirationDate <user_name>

Thanks very much for your help.
0
Question has a verified solution.
