Getting user password expiration from Fine group password policy in Windows 2008 R2

iamuser
From another closed post I was given the following query to use in PowerShell:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties Name, msDS-UserPasswordExpiryTimeComputed

Looking more closely at the output I realize that it's spitting out every user in the AD as having a password that's expired/expiring. What I was looking for was a PowerShell method to list all users who will have passwords expiring in the next 10 days based on the fine group password policy. Tools I'm using now are reporting the wrong users as they are only looking at the DC group policy.
Will Szymkowski, Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
How are your FGPP defined? Are you using a security group that you reference with the users in it? We have to know this info in order to call the script and all of the users within the group or OU where you are assigning the FGPP.

Will.

Author

Commented:
Yup, there is a security group. It is called 'passexp', all users are in this, the OU is 'regstaff'.
Will Szymkowski, Senior Solution Architect

Commented:
Try the following...
Import-module activedirectory
$Check = Get-ADGroupMember -Identity passexp
$Check | Get-ADUser -Properties Name, samaccountname, msDS-UserPasswordExpiryTimeComputed | 
select Name, samaccountname, @{n="expired";e={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-csv "c:\AccountExpireDates.csv" -nti



Will.

Author

Commented:
I ran it and it gave me a list of 400 people with expiring passwords. I don't think that's correct, at least 2 users on that list recently changed their passwords and they shouldn't be showing up.

Author

Commented:
I have this part here which I like:

[datetime]::FromFileTime((Get-ADUser -Identity samaccountname -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed")

It outputs the date and time of when the password is going to expire for that particular person.

If I can get it to loop through all the users in the passexp group I'm set. So far nothing I've tried works.
Senior Solution Architect
Commented:
I have modified the above script for a foreach loop.

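Import-module activedirectory
# Members of the security group the FGPP is applied to
$Check  = Get-ADGroupMember -Identity passexp
# Collect one row per user; exporting inside the loop would overwrite the CSV on every pass
$Report = ForEach ($User in $Check) {
    Get-ADUser -Identity $User.sAMAccountName -Properties Name, samaccountname, msDS-UserPasswordExpiryTimeComputed |
    select Name, samaccountname, @{n="expired";e={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
}
# Write the whole report once, after the loop
$Report | Export-csv "c:\AccountExpireDates.csv" -nti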



Will.
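The scripts in this thread list every group member's expiry date but never apply the 10-day window the question asks for. The following is an added example, not code from the thread: it filters on msDS-UserPasswordExpiryTimeComputed and skips the two sentinel values that are not real dates. The function name Get-ExpiringPassword, its parameters and the sample rows are constructed for illustration.

```powershell
# Added example; Get-ExpiringPassword and the sample rows below are hypothetical.
function Get-ExpiringPassword {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [int] $Days = 10,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        # 0 = password must be changed at next logon; Int64.MaxValue = never expires.
        # Neither is a date, and [datetime]::FromFileTime throws on Int64.MaxValue.
        if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }
        $expires = [datetime]::FromFileTime($raw)
        # Keep only passwords that expire inside the window; already-expired ones are excluded.
        if ($expires -gt $Now -and $expires -le $Now.AddDays($Days)) {
            New-Object PSObject -Property @{
                Name           = $User.Name
                SamAccountName = $User.SamAccountName
                Expires        = $expires
                DaysLeft       = [math]::Floor(($expires - $Now).TotalDays)
            }
        }
    }
}

# Constructed sample rows so the filter can be checked without a domain controller.
$now = Get-Date
$attr = 'msDS-UserPasswordExpiryTimeComputed'
$sample = @(
    (New-Object PSObject -Property @{ Name = 'In 3 days';    SamAccountName = 'user1'; $attr = $now.AddDays(3).ToFileTime() }),
    (New-Object PSObject -Property @{ Name = 'In 30 days';   SamAccountName = 'user2'; $attr = $now.AddDays(30).ToFileTime() }),
    (New-Object PSObject -Property @{ Name = 'Never';        SamAccountName = 'user3'; $attr = [int64]::MaxValue }),
    (New-Object PSObject -Property @{ Name = 'Must change';  SamAccountName = 'user4'; $attr = [int64]0 }),
    (New-Object PSObject -Property @{ Name = 'Expired';      SamAccountName = 'user5'; $attr = $now.AddDays(-1).ToFileTime() })
)
# Only user1 falls inside the 10-day window.
$sample | Get-ExpiringPassword -Days 10 -Now $now | Sort-Object Expires

# Against the directory, using the group name given in the thread:
# Get-ADGroupMember -Identity passexp | Where-Object { $_.objectClass -eq 'user' } |
#   Get-ADUser -Properties msDS-UserPasswordExpiryTimeComputed | Get-ExpiringPassword -Days 10
```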

Author

Commented:
Thanks, it works.
Will Szymkowski, Senior Solution Architect

Commented:
Perfect, glad that I could help!

Will.
