The Get-ADUser
cmdlet retrieves one or more active directory user information. The Get-AdUser command has msDS-UserPasswordExpiryTimeComputed
attribute that contains the ad user password expiration date.
Active Directory Get-ADUser cmdlet has pwdlastset and passwordlastset attributes which provide information about the password’s last set date.
An administrator needs to get ad user password expiration date and notify users about the password expiration date to prevent the account from being locked out.
In this article, I will explain how to use the PowerShell Get-AdUser cmdlet to get aduser password expiration date and export user password expiration details to a CSV file.
How to Get-AdUser Password Expiration Date with PowerShell
To get aduser password expiration date using PowerShell, run the below command
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property Displayname,@{Name="Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
The Get-AdUser command gets a list of active directory users. It uses the -Filter
parameter to get only enabled users with the PasswordNeverExpires
attribute set to False
.
The first command gets aduser displayname
and msDS-UserPasswordExpiryTimeComputed
property to use for password expiration date.
The second command, Select DisplayName and convert msDS-UserPasswordExpiryTimeComputed attribute value from large integer data type to date time format and pass output to the third command.
The third command displays the active directory user name, ad user password expiration date on the console as below.
You can export the adusers password expiration date using the following command.
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | ` Select-Object -Property Displayname,@{Name="Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | ` Sort-Object "Expiration Date" | Export-Csv -Path C:\adusers-password-expiration-date.csv -NoTypeInformation
In the above PowerShell script, it uses Export-Csv
cmdlet to export the adusers name and password expiration date.
Conclusion
I hope the above article on using the PowerShell Get-ADUser cmdlet to get-aduser password expiration date helpful and educational.
You can use the PowerShell script to get active directory users’ expiration dates and export them to the CSV file.
The Get-AdUser command has an Enabled
attribute that checks the active directory user enabled status like the user is active or disabled. Read more here if you want to get disabled users in the active directory.
The Get-Aduser msDS-UserPasswordExpiryTimeComputed
attribute contains a large integer datatype value of password expiration date which needs to be converted to datetime before we use it.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.