Tip: You can check the expiration date of a user’s password by using msDS-UserPasswordExpiryTimeComputed attribute.

msDS-UserPasswordExpiryTimeComputed
https://msdn.microsoft.com/en-us/library/cc223410.aspx

It is a constructed attribute (it is not a “real” attribute but calculated when being queried)
Automatically calculates the expiration password date and also taking in consideration Fine Grained Password Policies (FGPP)
Simplify your code (no need to manually calculate so your code is easier to write and also faster)
function Get-ADUserPasswordExpiration
{
Param
(
[string]$Identity
)

[DateTime]::FromFileTime($((Get-ADUser -Identity $Identity -Properties ‘msDS-UserPasswordExpiryTimeComputed’).’msDS-UserPasswordExpiryTimeComputed’))
}
1
2
3
4
5
6
7
8
9
function Get-ADUserPasswordExpiration
{
Param
(
[string]$Identity
)

[DateTime]::FromFileTime($((Get-ADUser -Identity $Identity -Properties ‘msDS-UserPasswordExpiryTimeComputed’).’msDS-UserPasswordExpiryTimeComputed’))
}
pasword-expiration-date-function-active-directory-user

Note 1: When using “net user samAccountName /domain“, the value returned by “Password expires” doesn’t take in consideration the fine grained policies (net user samAccountName /domain is not reliable, you should rather use msDS-UserPasswordExpiryTimeComputed to get the correct and exact password expiration date).

Note 2: Get-ADUser is a cmdlet from the activediretory module.

Note 3 : To list all the Active Directory constructed attributes :

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter “(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))”
1
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter “(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))”
previous-button