Home » PowerShell » Get-AdUser Password Expiration Date with PowerShell

Get-AdUser Password Expiration Date with PowerShell

The Get-ADUser cmdlet retrieves one or more active directory user information. The Get-AdUser command has msDS-UserPasswordExpiryTimeComputed attribute that contains the ad user password expiration date.

Active Directory Get-ADUser cmdlet has pwdlastset and passwordlastset attributes which provide information about the password’s last set date.

An administrator needs to get ad user password expiration date and notify users about the password expiration date to prevent the account from being locked out.

Notify User about Password Expire Days
Notify User about Password Expire Days

In this article, I will explain how to use the PowerShell Get-AdUser cmdlet to get aduser password expiration date and export user password expiration details to a CSV file.

How to Get-AdUser Password Expiration Date with PowerShell

To get aduser password expiration date using PowerShell, run the below command

 Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property Displayname,@{Name="Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

The Get-AdUser command gets a list of active directory users. It uses the -Filter parameter to get only enabled users with the PasswordNeverExpires attribute set to False.

The first command gets aduser displayname and msDS-UserPasswordExpiryTimeComputed property to use for password expiration date.

The second command, Select DisplayName and convert msDS-UserPasswordExpiryTimeComputed attribute value from large integer data type to date time format and pass output to the third command.

The third command displays the active directory user name, ad user password expiration date on the console as below.

Get-AdUser Password Expiration Date
Get-AdUser Password Expiration Date

You can export the adusers password expiration date using the following command.

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | `

Select-Object -Property Displayname,@{Name="Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | `

Sort-Object "Expiration Date" | Export-Csv -Path C:\adusers-password-expiration-date.csv -NoTypeInformation

In the above PowerShell script, it uses Export-Csv cmdlet to export the adusers name and password expiration date.

Conclusion

I hope the above article on using the PowerShell Get-ADUser cmdlet to get-aduser password expiration date helpful and educational.

You can use the PowerShell script to get active directory users’ expiration dates and export them to the CSV file.

The Get-AdUser command has an Enabled attribute that checks the active directory user enabled status like the user is active or disabled. Read more here if you want to get disabled users in the active directory.

The Get-Aduser msDS-UserPasswordExpiryTimeComputed attribute contains a large integer datatype value of password expiration date which needs to be converted to datetime before we use it.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

Leave a Comment