Trying to find out when a domain user(s) password expire with powershell

grizrules
grizrules used Ask the Experts™
on
First, I'm a beginner at using powershell.  I only know what I read and can do simple commands by cut and paste.

I'm trying to find out  when all my users passwords  in Active Directory will expire so I can let them know before hand as they sometimes don't pay attention to the warning.

I know I can use the
net user username /domain command, but that is for a single user.  I'd like to get a list of all users expiring passwords.

So far I have not found anything useful on the web.   Most of it is outdated.

I found this command, but its for ACCOUNTS expiring:

Search-ADAccount -AccountExpiring -TimeSpan 90.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass –A

This other command was the one I thought would work but apparently it doesn't work
Search-ADAccount -PasswordExpiring -DateTime 10/15/2009 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass -A

The reason it doesn't work is because, The PasswordExpiring option doesn't exist for the Search-ADAccount cmdlet on 2008 R2

Note I'm using Windows 2012 R2

Can someone assist with a nice command.  Does one exist?

Thank you
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2014

Commented:
Pretty sure -PasswordExpiring isn't a parameter in any version of Search-ADAccount.

Rather than inventing a script from scratch, here's a good function for single user.
http://blogs.msdn.com/b/adpowershell/archive/2010/02/26/find-out-when-your-password-expires.aspx
It could be reworked to show all users.  It's likely that someone has already posted something for this in the MS Technet Script Gallery.  See here.
Senior Solution Architect
Most Valuable Expert 2015
Top Expert 2015
Commented:
The easiest way to accomplish this is using the command below...
Import-module activedirectory
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{n="Expiry Date";e={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Open in new window


Will.

Author

Commented:
Will if I'm already using the Active Directory Module for Windows Powershell is the Import-module activedirectory required?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Will SzymkowskiSenior Solution Architect
Most Valuable Expert 2015
Top Expert 2015

Commented:
Will if I'm already using the Active Directory Module for Windows Powershell is the Import-module activedirectory required?

If you are already using it then no it is not required in the script. In Powershell v3 and up it will ignore the command if it is already imported into the Powershell session.

In eariler versions of Powershell v1/v2 it will provide an error message stating that it is already imported, however,  this is just an astetics thing as it does not stop or prevent the script from running. So it is a personal preference. I typically leave it because it is now ignored in newer versions of powershell and if i run a script in a new session where i do not have the module imported then it does it automatically for me.

Will.

Author

Commented:
Worked beautifully, exactly what I was looking for.

Thanks!

Author

Commented:
Great info, good response time.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial