IT Guy

asked on

PowerShell command/script to list date AD account password expires that can be run without admin rights

I'm looking for a PowerShell command or script that will list the date on which the password for a particular Active Directory account expires, and that can be run without administrator rights.


The account that I use to log on to the member server running Active Directory Users & Computers has only limited rights and I need to be able to obtain this information without my account having administrator rights.

I'm hoping that there is a command or script that will still allow me to do this. 

Michael B. Smith

Executing queries against AD requires no privileges beyond 'Authenticated Users'.

You just need to inquire against pwdLastSet.

If you installed RSAT-ADDS, you can use dsquery for this. If you can't install that, I can provide you a simple PowerShell script to do the same. Let us know.
IT Guy (asker)

Michael,

Please provide me with the simple PowerShell script.
oBdA

This should do it, assuming nobody changed the default permissions on the target object:
Get-ADUser -Identity 'JDoe' -Properties 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires' |
    Select-Object -Property 'SamAccountName',
        @{n='PasswordExpires'; e={If ($_.PasswordNeverExpires) {'<never>'} Else {[DateTime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}}

IT Guy (asker)

oBdA,

The script that you provided only accurately displays the correct expiration date for AD objects that I query that are located within the OU where I have full read/write permissions.

When I try to query any other accounts that are located in different AD OUs where I have only read access (and can't make any modifications or changes) the script displays the PasswordExpires attribute as being 12/31/1600 4:00:00 PM.

Do you know of any other modifications to the script or scripts that I can run that will accurately display the AD expiration date for objects located in Active Directory OUs where I don't have write or change rights?

This is important, since I need to be able to obtain this password expiration information so I can advise users in advance when to change their account passwords. These are accounts they don't log on with, so they aren't notified in advance that their account passwords will be expiring.

Michael B. Smith

See if you can access pwdLastSet. He's using a computed attribute, which has slightly different rules than direct attributes.

If you can get it, convert it like this:
   ### Read pwdLastSet directly; it is a plain (stored) attribute, unlike the
   ### computed msDS-UserPasswordExpiryTimeComputed.
   $pls = (Get-ADUser -Identity 'JDoe' -Properties pwdLastSet).pwdLastSet

   ### A null value means the attribute was not returned to us; 0 means the
   ### password must be changed at next logon. Neither can be converted.
   if ($null -eq $pls -or $pls -eq 0) {
       throw "pwdLastSet is unavailable ($pls); cannot compute a last-set date."
   }

   ### If we get here, $pls is non-zero.
   ###
   ### $pls comes to us in FileTime format (the number of 100 nanosecond ticks
   ### since Jan 1, 1601). So it must be converted to DateTime and adjusted
   ### for the normal clock in order for us to do our arithmetic on it. For
   ### more information about FileTime, see:
   ### msdn.microsoft.com/en-us/library/windows/desktop/ms724290(v=vs.85).aspx

   ### [DateTime] of an Int64 treats it as ticks since Jan 1, 0001, so add
   ### 1600 years to move the epoch to Jan 1, 1601, then convert UTC to local.
   $date = [DateTime] $pls
   $passwordLastSet = $date.AddYears( 1600 ).ToLocalTime()
   $passwordLastSet
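The following is an added example that is not part of the original thread; it combines the two approaches discussed above (oBdA's computed attribute and Michael's direct read of pwdLastSet) in one function. It assumes the ActiveDirectory module from RSAT-ADDS is installed and that the caller, an ordinary authenticated user, can at least read pwdLastSet and userAccountControl on the target object. The function name and parameter name are chosen here, not taken from the posts. It treats a 0 or missing msDS-UserPasswordExpiryTimeComputed (which is what renders as 12/31/1600 4:00:00 PM in US Pacific time, since [DateTime]::FromFileTime(0) is 1601-01-01 00:00 UTC) as "not available" and falls back to pwdLastSet plus the maximum password age that applies to the user.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module
# (RSAT-ADDS) and that the caller can read pwdLastSet and userAccountControl on
# the target object. Get-PasswordExpiryInfo and $Identity are names chosen here.
function Get-PasswordExpiryInfo {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Identity
    )

    # Constructed attributes such as msDS-UserPasswordExpiryTimeComputed must be
    # requested by name; -Properties * does not return them.
    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    $info = [ordered]@{
        SamAccountName  = $user.SamAccountName
        PasswordLastSet = $null
        PasswordExpires = $null
        Source          = $null   # which attribute(s) the answer came from
    }

    if ($user.PasswordNeverExpires) {
        $info.PasswordExpires = '<never>'
        $info.Source = 'userAccountControl'
        return [pscustomobject]$info
    }

    # pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
    # $null means the attribute was not returned (most likely not readable by
    # this caller); 0 means the password must be changed at next logon.
    $pls = $user.pwdLastSet
    if ($null -eq $pls) {
        $info.PasswordExpires = '<pwdLastSet not readable>'
        return [pscustomobject]$info
    }
    if ($pls -eq 0) {
        $info.PasswordExpires = '<must change at next logon>'
        $info.Source = 'pwdLastSet'
        return [pscustomobject]$info
    }
    $info.PasswordLastSet = [DateTime]::FromFileTime($pls)

    # Preferred source: the value the DC computes from pwdLastSet and the
    # effective password policy. FromFileTime(0) is 1601-01-01 00:00 UTC, which
    # prints as 12/31/1600 4:00:00 PM in US Pacific time, so a 0 or missing
    # value is "not available", not a real date. Int64.MaxValue means never.
    $computed = $user.'msDS-UserPasswordExpiryTimeComputed'
    if ($null -ne $computed -and $computed -ne 0) {
        if ($computed -eq [Int64]::MaxValue) {
            $info.PasswordExpires = '<never>'
        } else {
            $info.PasswordExpires = [DateTime]::FromFileTime($computed)
        }
        $info.Source = 'msDS-UserPasswordExpiryTimeComputed'
        return [pscustomobject]$info
    }

    # Fallback when the computed attribute is unavailable: pwdLastSet plus the
    # maximum password age that applies to this user. A fine-grained password
    # policy (PSO) overrides the domain default; if no PSO applies or we are not
    # allowed to read it, use the domain default and say so in Source.
    $maxAge = $null
    $source = 'pwdLastSet + domain MaxPasswordAge'
    try {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction Stop
        if ($pso) {
            $maxAge = $pso.MaxPasswordAge
            $source = "pwdLastSet + PSO '$($pso.Name)' MaxPasswordAge"
        }
    } catch {
        # No PSO applies, or it is not readable by this caller; fall through.
    }
    if ($null -eq $maxAge) {
        $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    }

    # A MaxPasswordAge of zero means passwords under that policy do not expire.
    if ($maxAge -le [TimeSpan]::Zero) {
        $info.PasswordExpires = '<never>'
    } else {
        $info.PasswordExpires = $info.PasswordLastSet + $maxAge
    }
    $info.Source = $source
    return [pscustomobject]$info
}

# Usage; 'JDoe' is the placeholder account name used earlier in the thread.
Get-PasswordExpiryInfo -Identity 'JDoe' | Format-List
```

The Source field tells you which path produced the date, so when the computed attribute comes back empty for objects in OUs where you only have read access you can see that the fallback arithmetic was used, and whether the domain default or a PSO's MaxPasswordAge went into it.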

IT Guy (asker)

Michael B. Smith,

Do I add the original script provided by oBdA to the end of the script that you provided?

What is the full syntax of the PowerShell script that will do what I have described with the limitations that I have?
ASKER CERTIFIED SOLUTION

oBdA

(Solution text not shown: available only to Experts Exchange members.)
IT Guy (asker)

oBdA,

I have tried the scripts that you provided above and, unfortunately, I continue to get the PasswordExpires attribute as being 12/31/1600 4:00:00 PM.

Do you know of any other scripts or commands that will be able to list the date an Active Directory account password expires that can be run without admin rights?
EXPERT CERTIFIED SOLUTION

(Solution text not shown: available only to Experts Exchange members.)