IT Guy

PowerShell command/script to list date AD account password expires that can be run without admin rights

I'm looking for a PowerShell command or script that will list the date on which the password for a particular Active Directory account expires, and that can be run without administrator rights.


The account that I use to log on to the member server running Active Directory Users & Computers has only limited rights and I need to be able to obtain this information without my account having administrator rights.

I'm hoping that there is a command or script that will still allow me to do this. 

Tags: Powershell, Active Directory, Microsoft Server OS, Windows Server 2016, Windows OS

Last comment: oBdA, 8/22/2022 - Mon
Michael B. Smith

Executing queries against AD requires no more privileges than 'Authenticated Users'.

You just need to inquire against pwdLastSet.

If you installed RSAT-ADDS, you can use dsquery for this. If you can't install that, I can provide you a simple PowerShell script to do the same. Let us know.
IT Guy

ASKER
Michael,

Please provide me with the simple PowerShell script.
oBdA

This should do it, assuming nobody changed the default permissions on the target object:
Get-ADUser -Identity 'JDoe' -Properties 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires' | Select-Object -Property 'SamAccountName', @{n='PasswordExpires'; e={If ($_.PasswordNeverExpires) {'<never>'} Else {[DateTime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}}

IT Guy

ASKER
oBdA,

The script that you provided only accurately displays the correct expiration date for AD objects that I query that are located within the OU where I have full read/write permissions.

When I try to query any other accounts that are located in different AD OUs where I have only read access (and can't make any modifications or changes) the script displays the PasswordExpires attribute as being 12/31/1600 4:00:00 PM.

Do you know of any other modifications to the script or scripts that I can run that will accurately display the AD expiration date for objects located in Active Directory OUs where I don't have write or change rights?

This is important since I need to be able to obtain this password expiration information so I can advise users in advance when to change their account passwords since these are for accounts they don't logon with so they aren't notified in advance as to when their account passwords will be expiring.
Michael B. Smith

See if you can access pwdLastSet. He's using a computed attribute which has slightly different rules than direct attributes.

If you can get it, convert it like this:
   ### $pls holds the raw pwdLastSet value (an Int64) read from the user object,
   ### e.g. $pls = (Get-ADUser -Identity 'JDoe' -Properties pwdLastSet).pwdLastSet
   ###
   ### If we get here, $pls is non-zero.
   ###
   ### $pls comes to us in FileTime format (the number of 100 nanosecond ticks 
   ### since Jan 1, 1601). So it must be converted to DateTime and adjusted 
   ### for the normal clock in order for us to do our arithmetic on it. For
   ### more information about FileTime, see:
   ### msdn.microsoft.com/en-us/library/windows/desktop/ms724290(v=vs.85).aspx

   $date = [DateTime] $pls                                   # interprets the ticks as counted from 0001-01-01
   $passwordLastSet = $date.AddYears( 1600 ).ToLocalTime()   # rebase to the 1601 epoch, then UTC -> local
   ### Equivalent to [DateTime]::FromFileTime( $pls ), which does the same rebasing in one call.
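Putting the two suggestions above together (oBdA's PasswordNeverExpires check and Michael B. Smith's advice to read pwdLastSet directly instead of the computed attribute), here is an added example that is not code from anyone in this thread. It derives the expiry from pwdLastSet plus the effective maximum password age, and it refuses to turn a zero or missing pwdLastSet into a date, which is exactly what produces the 12/31/1600 4:00:00 PM value the asker is seeing. Assumptions: the ActiveDirectory RSAT module is installed; the function name Get-PasswordExpiry is mine; 'JDoe' is the account from oBdA's post and 'ASmith' is a placeholder.

```powershell
# Added example, not code from the thread or from Microsoft.
# Computes password expiry from pwdLastSet + effective MaxPasswordAge, so it only
# needs read access to the user object. Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-PasswordExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Identity
    )
    process {
        $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires

        $result = [ordered]@{
            SamAccountName  = $user.SamAccountName
            PasswordLastSet = $null
            PasswordExpires = $null
            DaysLeft        = $null
            Note            = ''
        }

        # pwdLastSet of 0 (or missing) is ambiguous: "user must change password at
        # next logon", OR the attribute was not readable by the calling account.
        # Never convert it to a date; FromFileTime(0) is the 12/31/1600 artifact.
        if (-not $user.pwdLastSet) {
            $result.Note = 'pwdLastSet is 0 or unreadable: must-change-at-next-logon, or no read permission on the attribute'
            return [pscustomobject]$result
        }

        # pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
        $lastSet = [DateTime]::FromFileTime([int64]$user.pwdLastSet)
        $result.PasswordLastSet = $lastSet

        if ($user.PasswordNeverExpires) {
            $result.Note = 'PasswordNeverExpires is set on the account'
            return [pscustomobject]$result
        }

        # A fine-grained password policy (PSO) overrides the domain default, but
        # PSOs are readable only by administrators by default. If no resultant
        # policy comes back, fall back to the domain policy and say so, because
        # the fallback may overstate the lifetime for accounts covered by a PSO.
        $pso = Get-ADUserResultantPasswordPolicy -Identity $user -ErrorAction SilentlyContinue
        if ($pso) {
            $maxAge = $pso.MaxPasswordAge
        }
        else {
            $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
            $result.Note = 'domain default policy used (no PSO applies, or PSOs are not readable by this account)'
        }

        # MaxPasswordAge of zero means passwords never expire under that policy.
        if ($maxAge -eq [TimeSpan]::Zero) {
            $result.Note = ($result.Note + '; policy MaxPasswordAge is 0 (never expires)').TrimStart('; ')
            return [pscustomobject]$result
        }

        $expires = $lastSet + $maxAge
        $result.PasswordExpires = $expires
        $result.DaysLeft        = [math]::Floor(($expires - (Get-Date)).TotalDays)
        [pscustomobject]$result
    }
}

# Usage: 'JDoe' is the account from the thread; 'ASmith' is a placeholder.
'JDoe', 'ASmith' | Get-PasswordExpiry | Format-Table -AutoSize
```

The point of the Note column is that a blank PasswordExpires is reported with its reason, so an account whose pwdLastSet the caller cannot read is distinguishable from one that genuinely never expires, instead of both collapsing into a 1600-era date. If the Note says the attribute is unreadable for accounts in a given OU, the fix is a read grant on pwdLastSet for the querying account (a delegation request), not a different script.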

IT Guy

ASKER
Michael B. Smith,

Do I add the original script provided by ObDa to the end of the script that you provided?

What is the full syntax of the PowerShell script that will do what I have described with the limitations that I have?
ASKER CERTIFIED SOLUTION
oBdA

IT Guy

ASKER
oBdA,

I have tried the scripts that you provided above & unfortunately, I continue to get the PasswordExpires attribute as being 12/31/1600 4:00:00 PM.

Do you know of any other scripts or commands that will be able to list the date an Active Directory account password expires that can be run without admin rights?
EXPERT CERTIFIED SOLUTION