credog asked:
Net User versus Get-Aduser - Password Expire Different
We are trying to track down an issue where the password expiration date is not conforming to our policy. We have a 90-day policy, but the password on domain accounts seems to be expiring at 42 days.
The following net user command provides the expected output:
>net user /domain joe.user
The request will be processed at a domain controller for domain example.com.
User name joe.user
Full Name Joe User
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 8/1/2019 9:09:56 AM
Password expires 10/30/2019 9:09:56 AM
Password changeable 8/2/2019 9:09:56 AM
Password required Yes
User may change password Yes
.....
The 10/30/2019 date corresponds with the 90-day requirement. However, the password expires much sooner. Using the following Get-ADUser command, you get a different date:
(Get-ADUser -Identity joe.user -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed' | ForEach-Object -Process {[datetime]::FromFileTime($_)}
Thursday, September 12, 2019 9:09:56 AM
The dates provided by the two commands are different. Any insight into why? It may help us narrow down the issue if we knew why the two commands return different dates. Also, the account really does expire earlier than the 90-day policy. We've had users needing to change their password even though the net user command shows they have plenty of time.
You need to double check which GPO is setting the password expiration policy.
Does it include a notification period of two weeks, i.e. on the 76th day the user logs in and gets alerted that the password will be expiring in 14 days, do you want to change it now? yes / no
Until the 90th day, "no" will work; on the 90th day and thereafter, "no" will stop working and the user will be required to change the password. Applications will not stop working, as the password would have expired.
Try the example from
https://blogs.technet.microsoft.com/poshchap/2014/02/21/one-liner-get-a-list-of-ad-users-password-expiry-dates/
You are not outputting the DisplayName, which may help shed light on whose expiration date you are displaying.
ASKER
Tried the command above and got the following output:
Displayname ExpiryDate
----------- ----------
Joe Blow 9/12/2019 9:09:56 AM
Net user shows: 10/30/2019 9:09:56 AM. Both commands have the correct hour that corresponds to the last time the password was changed (i.e. 9:09:56 AM), but when using Get-ADUser the date is different.
Either it is an issue with your masking, or the first is the Joe User record and the second is Joe Blow's.
Include the identity in the query and see whether you are getting responses about different users.
Note the variable is computed; not sure computed based on what.
https://social.technet.microsoft.com/forums/windowsserver/en-US/25dfe24d-9f8a-4913-8ff7-eed95c7a69c0/powershell-query-to-determine-correct-password-expiration-date-with-fine-grained-password-policies
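As an added example (not from the thread or from either linked article), the following PowerShell resolves which policy actually governs a given user and puts the two dates side by side. The domain controller computes msDS-UserPasswordExpiryTimeComputed from the user's resultant policy, so a fine-grained password policy (PSO) is honoured there, whereas net user derives "Password expires" from pwdLastSet plus the domain default MaxPasswordAge and does not consult PSOs. The script assumes the ActiveDirectory module and a reachable DC; 'joe.user' is a placeholder identity. It also emits the expiry in both local time and UTC, since [datetime]::FromFileTime converts to local time and can appear off by an hour across a DST boundary.

```powershell
# Added example, not code from the original thread.
# Assumes the ActiveDirectory RSAT module is installed and a DC is reachable.
Import-Module ActiveDirectory

function Get-EffectivePasswordExpiry {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties DisplayName, PasswordLastSet,
        PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed', 'msDS-ResultantPSO'

    # A fine-grained policy (applied directly or through group membership) overrides
    # the domain default; Get-ADUserResultantPasswordPolicy returns nothing otherwise.
    $domainPolicy = Get-ADDefaultDomainPasswordPolicy
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $policySource = 'Fine-grained (PSO)'
        $policyName   = $pso.Name
        $maxAge       = $pso.MaxPasswordAge
    } else {
        $policySource = 'Domain default'
        $policyName   = 'Default Domain Policy'
        $maxAge       = $domainPolicy.MaxPasswordAge
    }

    # What the DC enforces. [long]::MaxValue (0x7FFFFFFFFFFFFFFF) means "never expires".
    $computed = $user.'msDS-UserPasswordExpiryTimeComputed'
    $hasExpiry = ($null -ne $computed) -and ($computed -ne [long]::MaxValue)
    $enforcedLocal = if ($hasExpiry) { [datetime]::FromFileTime($computed) }    else { $null }
    $enforcedUtc   = if ($hasExpiry) { [datetime]::FromFileTimeUtc($computed) } else { $null }

    # What net user reports: PasswordLastSet + domain default MaxPasswordAge.
    # A MaxPasswordAge of zero means passwords never expire under that policy.
    $netUserStyle = if ($user.PasswordLastSet -and $domainPolicy.MaxPasswordAge -gt [TimeSpan]::Zero) {
        $user.PasswordLastSet + $domainPolicy.MaxPasswordAge
    } else { $null }

    [pscustomobject]@{
        DisplayName          = $user.DisplayName
        PasswordLastSet      = $user.PasswordLastSet
        PasswordNeverExpires = $user.PasswordNeverExpires
        PolicySource         = $policySource
        PolicyName           = $policyName
        MaxPasswordAge       = $maxAge
        ExpiresLocal         = $enforcedLocal
        ExpiresUtc           = $enforcedUtc
        NetUserWouldShow     = $netUserStyle
        # True when a PSO (or a stale client-side calculation) makes the two disagree.
        Mismatch             = [bool]($enforcedLocal -and $netUserStyle -and ($enforcedLocal -ne $netUserStyle))
    }
}

# Placeholder identity; replace with the account under investigation.
Get-EffectivePasswordExpiry -Identity 'joe.user' | Format-List

# Inventory every PSO in the domain: lowest Precedence wins when several apply.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MaxPasswordAge, AppliesTo |
    Sort-Object Precedence
```

If Mismatch is True and PolicySource is "Fine-grained (PSO)", the PSO named in PolicyName is the one setting the shorter lifetime; the AppliesTo list on the inventory at the end shows which users or groups pull that PSO in.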
ASKER
That was a typo from sanitizing the data; it consistently returns the correct user when querying with both commands.
ASKER
FGPP seems to be the culprit. It was recently implemented and the expire date is set for 42 days out. Thanks for pointing us in the right direction.
For me, the expiration date/time matches what net user gave me except it was off by an hour (issue with the end of Daylight Saving time?).