Check all Users Password Expiry Date in Active Directory

One of IT's daily challenges is expiring user passwords. Users often don't know their password is about to expire; then in the middle of the day IT gets a call that the printer is not working, although it worked the whole morning. Well, yes: your password expired and you can no longer authenticate against AD. A password does not expire at a random moment during the day. It expires an exact amount of time after the last change, down to the hour and minute, because the expiry is calculated from the timestamp of the last password change (the pwdLastSet attribute) plus the maximum password age.

It is a good idea for IT to know when passwords are expiring. It lets you warn users in advance, because the Windows expiry notification does not always appear on machines that do not connect to AD regularly (laptops that rarely reach a domain controller, for example). Secondly, if IT will be unavailable for a certain period, they can pre-emptively reset the passwords that would expire in that window.

There are different ways of checking when passwords expire. I prefer the PowerShell script below.

The Script

The script below can be copied and pasted into a Windows PowerShell console (or PowerShell ISE) on a machine that has the Active Directory PowerShell module (part of RSAT) installed. It only reads from AD and changes nothing; it needs a domain account that can read user objects, not necessarily an administrator.

Import-Module ActiveDirectory
# Maximum password age from the default domain policy, in whole days
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
# Cut-off date: a password last set before this date has already expired
$ExpiredDate = (Get-Date).AddDays(-$MaxPwdAge)
# PasswordLastSet is empty for accounts that must change their password at next logon, so guard the subtraction
$ExpiredUsers = Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, @{Name = "DaysUntilExpired"; Expression = { if ($_.PasswordLastSet) { ($_.PasswordLastSet - $ExpiredDate).Days } }} |
    Sort-Object PasswordLastSet
$ExpiredUsers

Understanding the Script

Below is a breakdown of the script so you can follow its logic.

Import the module that provides the Active Directory cmdlets.

Import-Module ActiveDirectory

From AD, get the number of days a user is allowed to keep the same password (the default domain policy's MaxPasswordAge) and store it in a variable for ease of use.

$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

Get-ADDefaultDomainPasswordPolicy

You can read about Get-ADDefaultDomainPasswordPolicy in Microsoft's documentation. The thing to note is that when a command returns an object with several properties, you can pick the one you want by wrapping the call in parentheses and appending the property name.
Example: (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
MaxPasswordAge is a TimeSpan, so .Days gives the whole-day part. Two caveats: this is the default domain policy only, so users covered by a fine-grained password policy (PSO) may have a different maximum age; and if the domain does not expire passwords at all, the value is zero and the calculation below is meaningless.


Get today's date minus the maximum password age in days. This is the cut-off date: any password last set before it has already expired. It is very important and is explained in the section The Expression below.

$expiredDate = (Get-Date).addDays(-$MaxPwdAge)

The next section pipes the output of each command into the next one to retrieve the required data.
First, get all AD users and include the properties PasswordNeverExpires and PasswordLastSet (Get-ADUser returns only a small default set of properties unless you ask for more with -Properties).

Get-ADUser -Filter * -Properties PasswordNeverExpires, PasswordLastSet 

This output is then passed to Select-Object, which drops everything except the properties we need and adds one calculated property.

Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, @{Name = "DaysUntilExpired"; Expression = { if ($_.PasswordLastSet) { ($_.PasswordLastSet - $ExpiredDate).Days } }}

@{} creates a hashtable; here it defines a calculated property with a Name and an Expression that is evaluated for every user.
$_ is the current object coming down the pipe "|". The if guard skips accounts whose PasswordLastSet is empty (accounts that must change their password at next logon), which would otherwise break the subtraction.


The Expression

Note the expression within the above section. To understand what is happening there we quickly need to understand how dates are handled as numbers.

The Excel analogy: Excel stores a date as a serial number. If you type the number 1 in a cell and format the cell as Date you get 1900/01/01, and every whole number after that is one more day. Today's date is therefore just a much larger number, and subtracting two dates becomes simple arithmetic that yields a number of days.
PowerShell does the same thing more explicitly: subtracting one [datetime] from another gives a TimeSpan, whose .Days property is the whole-day difference (and whose .TotalDays includes the hours and minutes as a fraction; the script uses .Days, so hours and minutes are truncated).

Example:
If you take today's date "2021/04/22" and subtract the last reset date "2021/03/11" you get 42, the number of days since the last reset.


Now change the formula: first subtract the domain MaxPasswordAge from today's date, then subtract that cut-off date from the last reset date. With a MaxPasswordAge of 42 days and today being "2021/04/22", the cut-off is "2021/03/11". A password last set on "2021/04/01" gives 2021/04/01 minus 2021/03/11 = 21 days remaining; one last set on "2021/03/11" gives 0 (it expires today); one last set on "2021/03/01" gives -10 (it expired ten days ago). A positive number is the time left until the password must be reset, a negative number is how long it has already been expired.


Take all the above information and Sort it by PasswordLastSet

 Sort-Object PasswordLastSet

Display the information. From here you can decide how to use it: for example, export it to a CSV file and send it to the required people from a scheduled task.

$ExpiredUsers
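The script above works out expiry itself from the default domain policy. As an added example (not the original script from this post), the version below instead asks the domain controller for the expiry time it has already computed for each user, the constructed attribute msDS-UserPasswordExpiryTimeComputed, which honours fine-grained password policies and keeps the hour and minute the text mentions. It assumes the Active Directory module and connectivity to a domain controller; the function name, parameter names and the 14-day default are assumptions for this example.

```powershell
# Added example, not the original script. Reports expired, expiring and
# "must change at next logon" accounts using the DC-computed expiry time.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain controller.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [int]$WithinDays = 14,   # report passwords expiring within this many days (assumed default)
        [string]$SearchBase      # optional OU distinguished name to limit the search
    )

    $query = @{
        # Skip disabled accounts and accounts flagged "password never expires"
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $now = Get-Date
    Get-ADUser @query | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'   # Int64 FILETIME

        if ($null -eq $raw -or $raw -eq 0) {
            # pwdLastSet is 0: "user must change password at next logon", nothing to compute
            $expires = $null
            $status  = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [long]::MaxValue) {
            # The DC reports that this password never expires (e.g. domain max age of 0)
            $expires = $null
            $status  = 'NeverExpires'
        } else {
            $expires = [datetime]::FromFileTime($raw)     # FILETIME -> local DateTime
            $status  = if ($expires -lt $now) { 'Expired' } else { 'Valid' }
        }

        # TotalDays keeps hours and minutes as a fraction; .Days would truncate them
        $daysLeft = if ($expires) { [math]::Round(($expires - $now).TotalDays, 2) } else { $null }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            Expires         = $expires
            DaysUntilExpiry = $daysLeft
            Status          = $status
        }
    } |
    Where-Object {
        $_.Status -in 'Expired', 'MustChangeAtNextLogon' -or
        ($_.Status -eq 'Valid' -and $_.DaysUntilExpiry -le $WithinDays)
    } |
    Sort-Object Expires
}

# Usage: run from a scheduled task and hand the CSV to the helpdesk
$report = Get-PasswordExpiryReport -WithinDays 14
$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:TEMP\PasswordExpiry-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Because the expiry time comes from the domain controller, users under a PSO with a shorter or longer maximum age are reported correctly, and accounts that have never set a password show up separately instead of producing a meaningless number.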

Final Note

You might find a lot of accounts whose password expired a very long time ago. Don't go willy-nilly disabling them or resetting their passwords. They might be service accounts created by various applications, or accounts created for external services, and resetting one can break whatever still authenticates with it.

Check every account and make a note next to it of what it is for, so the next person does not have to work it out again.
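To support that triage, here is an added example (not part of the original post) that lists long-expired accounts together with the signals that usually tell a service account or a privileged account apart from an ordinary user: whether it is still enabled, whether it carries a service principal name, whether it is a direct member of an administrative group, and when it last logged on. It assumes the Active Directory module; the 90-day threshold, the group list and the suggested-action wording are assumptions for this example.

```powershell
# Added example, not part of the original post: triage accounts whose password
# expired long ago before anyone resets or disables them.
# Assumes the ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

function Get-StalePasswordTriage {
    param([int]$ExpiredForDays = 90)   # only accounts expired at least this long (assumed default)

    $maxAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # TimeSpan
    $cutoff = (Get-Date).AddDays(-$ExpiredForDays)
    # Direct membership in these groups turns an unused account from a nuisance into a risk
    $adminGroups = '^CN=(Domain Admins|Enterprise Admins|Schema Admins|Administrators),'

    Get-ADUser -Filter 'PasswordNeverExpires -eq $false' `
               -Properties PasswordLastSet, LastLogonDate, ServicePrincipalName, Description, MemberOf |
      Where-Object { $_.PasswordLastSet -and ($_.PasswordLastSet + $maxAge) -lt $cutoff } |
      ForEach-Object {
          $hasSpn     = $_.ServicePrincipalName.Count -gt 0          # something authenticates as this account
          $privileged = [bool]($_.MemberOf -match $adminGroups)      # direct membership only, not nested
          $dormant    = (-not $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)

          $suggested = if (-not $_.Enabled) { 'Already disabled; leave it' }
                       elseif ($hasSpn)     { 'Looks like a service account; find the owner before resetting' }
                       elseif ($privileged) { 'Privileged and stale; review urgently' }
                       elseif ($dormant)    { 'Dormant; confirm with the owner, then disable' }
                       else                 { 'Someone still logs on with it; contact the user' }

          [pscustomobject]@{
              SamAccountName  = $_.SamAccountName
              Enabled         = $_.Enabled
              PasswordLastSet = $_.PasswordLastSet
              LastLogonDate   = $_.LastLogonDate
              HasSPN          = $hasSpn
              PrivilegedGroup = $privileged
              Description     = $_.Description
              Suggested       = $suggested
          }
      } | Sort-Object PasswordLastSet
}

Get-StalePasswordTriage -ExpiredForDays 90 | Format-Table -AutoSize
```

LastLogonDate is only replicated every couple of weeks by default, so treat it as approximate, and the group check only sees direct membership; both are good enough to decide who to phone before touching an account, not to decide on their own that an account is safe to disable.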
