iamuser asked:

Getting user password expiration from Fine group password policy in Windows 2008 R2

From another closed post I was given the following query to use in PowerShell:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties Name, msDS-UserPasswordExpiryTimeComputed

Looking more closely at the output I realize that it's spitting out every user in the AD as having a password that's expired/expiring. What I was looking for was a PowerShell method to list all users who will have passwords expiring in the next 10 days based on the fine group password policy. Tools I'm using now are reporting the wrong users as they are only looking at the dc group policy.
Windows Server 2008, Active Directory, Powershell

Last Comment
Will Szymkowski

8/22/2022 - Mon
Will Szymkowski

How are your FGPP defined? Are you using a security group that you reference with the users in it? We have to know this info in order to call the script and all of the users within the group or OU where you are assigning the FGPP.

Will.
iamuser

ASKER
Yup, there is a security group. It is called 'passexp', all users are in this, the OU is 'regstaff'.
Will Szymkowski

Try the following...
Import-Module ActiveDirectory
# Members of the group the FGPP is applied to
$Check = Get-ADGroupMember -Identity passexp
# Read the computed expiry (a FILETIME value) and convert it to a date
$Check | Get-ADUser -Properties Name, SamAccountName, msDS-UserPasswordExpiryTimeComputed |
Select-Object Name, SamAccountName, @{n="expired";e={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-Csv "c:\AccountExpireDates.csv" -NoTypeInformation



Will.
iamuser

ASKER
I ran it and it gave me a list of 400 people with expiring passwords. I don't think that's correct, at least 2 users on that list recently changed their passwords and they shouldn't be showing up.
iamuser

ASKER
I have this part here which I like:

[datetime]::FromFileTime((Get-ADUser -Identity samaccountname -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed")

It outputs the date and time of when the password is going to expire for that particular person.

If I can get it to loop through all the users in the passexp group I'm set. So far nothing I've tried works.
ASKER CERTIFIED SOLUTION
Will Szymkowski

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
iamuser

ASKER
thanks, it works
Will Szymkowski

Perfect, glad that I could help!

Will.
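
Added example (not part of the original thread, and not the accepted solution, which is not shown on this page): one way to loop over the 'passexp' group and keep only enabled users whose password expires within the next 10 days. It relies on msDS-UserPasswordExpiryTimeComputed, which the domain controller computes from the effective maximum password age (including a fine-grained policy), and it skips the two special values the attribute can return: 0 (password never set or must change at next logon) and 0x7FFFFFFFFFFFFFFF (never expires), which FromFileTime cannot convert. The output path is a constructed placeholder.

```powershell
# Added example; group name 'passexp' and the 10-day window come from the thread.
Import-Module ActiveDirectory

$GroupName  = 'passexp'
$WindowDays = 10
$Now        = Get-Date
$Cutoff     = $Now.AddDays($WindowDays)
# Value returned when the password never expires
# (DONT_EXPIRE_PASSWD, smart card required, or a max password age of "never").
$Never      = [Int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF

$Report = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # Skip empty/0 (no password set, or must change at next logon)
        # and the never-expires value.
        if ($raw -and $raw -ne $Never) {
            $expires = [datetime]::FromFileTime($raw)   # local time
            # Keep only passwords that expire between now and the cutoff.
            if ($expires -gt $Now -and $expires -le $Cutoff) {
                New-Object PSObject -Property @{
                    Name            = $_.Name
                    SamAccountName  = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    PasswordExpires = $expires
                }
            }
        }
    }

if ($Report) {
    $Report | Sort-Object PasswordExpires |
        Select-Object Name, SamAccountName, PasswordLastSet, PasswordExpires |
        Export-Csv 'C:\PasswordsExpiringSoon.csv' -NoTypeInformation   # placeholder path
}
```

Including PasswordLastSet in the report makes it easy to spot-check users who recently changed their password against the expiry date computed for them.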