The Get-ADUser cmdlet retrieves one or more active directory user information. It has msDS-UserPasswordExpiryTimeComputed attribute that contains the ad user password expiration date.
Active Directory Get-ADUser cmdlet has pwdlastset and passwordlastset attributes which provide information about the password’s last set date.
Its very important for an administrator to get-aduser password expiration date and notify users about the password expiration date to prevent the account from being locked out.
In this article, I will explain how to use the PowerShell Get-AdUser cmdlet to get ad users password expiration date and export user password expiration details to a CSV file.
Get-AdUser Password Expiration Date
To find get adusers password expiration date using PowerShell, run below command
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property Displayname,@{Name="Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
In the above PowerShell script, Get-ADUser gets a list of active directory users, it uses a Filter parameter to get only enabled users and the password never expires set to false from the active directory.
First command get aduser displayname and msDS-UserPasswordExpiryTimeComputed property to use for password expiration date.
The second command, Select DisplayName and convert msDS-UserPasswordExpiryTimeComputed attribute value from large integer data type to date time format and pass output to the third command.
Third command display active directory display user name, adusers password expiration date on console as below
If you want to export adusers password expiration date, run below command
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | `
Select-Object -Property Displayname,@{Name="Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | `
Sort-Object "Expiration Date" | Export-Csv -Path C:\adusers-password-expiration-date.csv -NoTypeInformation
In the above PowerShell script, it uses Export-Csv cmdlet to export adusers name and password expiration date. Refer article on PowerShell multiline command to beautify your PowerShell script code and make it more readable.
Conclusion
I hope the above article on using the PowerShell Get-ADUser cmdlet to get-aduser password expiration date helpful and educational.
You can use the above script to get your active directory users expiration date and export it to the CSV file.
Get-AdUser Enabled attribute checks the active directory user enabled status like the user is active or disabled. Read more here if you want to get disabled users in the active directory.
Get-Aduser msDS-UserPasswordExpiryTimeComputed attribute contains a large integer datatype value of password expiration date which needs to be converted to datetime before we use it.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.