Home ITProPowerShell Find the user password expiration date

Find the user password expiration date

Admin KT
Admin KT 15 views
Find Password Expiration
0 comment
0
FacebookTwitterPinterestLinkedinTumblrRedditStumbleuponWhatsappTelegramLINEEmail

You can check the expiration date of a user’s password by using

msDS-UserPasswordExpiryTimeComputed attribute.

This attribute indicates the time when the password of the object will expire. Let TO be the object on which the attribute msDS-UserPasswordExpiryTimeComputed is read. If TO is not in a domain NC, then TO!msDS-UserPasswordExpiryTimeComputed = null. Otherwise let D be the root of the domain NC containing TO. The DC applies the following rules, in the order specified below, to determine the value of TO!msDS-UserPasswordExpiryTimeComputed:

  • If any of the ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT bits is set in TO!userAccountControl, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF.
  • Else, if TO!pwdLastSet = null, or TO!pwdLastSet = 0, then TO!msDS-UserPasswordExpiryTimeComputed = 0.
  • Else, if Effective-MaximumPasswordAge = 0x8000000000000000, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).
  • Else, TO!msDS-UserPasswordExpiryTimeComputed = TO!pwdLastSet + Effective-MaximumPasswordAge (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).

 

  • It is a constructed attribute (it is not a “real” attribute but calculated when being queried)
  • Automatically calculates the expiration password date and also taking in consideration Fine Grained Password Policies (FGPP)
  • Simplify your code (no need to manually calculate so your code is easier to write and also faster)
function Get-ADUserPasswordExpiration
{
Param
(
[string]$Identity
)

[DateTime]::FromFileTime($((Get-ADUser -Identity $Identity -Properties ‘msDS-UserPasswordExpiryTimeComputed’).’msDS-UserPasswordExpiryTimeComputed’))
}

Pasword Expiration

Tip #1: When using “net user samAccountName /domain“, the value returned by “Password expires” doesn’t take in consideration the fine grained policies (net user samAccountName /domain is not reliable, you should rather use msDS-UserPasswordExpiryTimeComputed to get the correct and exact password expiration date).

 

Tip #2: Get-ADUser is a cmdlet from the activediretory module.

 

Tip #3: To list all the Active Directory constructed attributes :

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))"

0 comment
0
FacebookTwitterPinterestLinkedinTumblrRedditStumbleuponWhatsappTelegramLINEEmail
Admin KT

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

You may also like

Export list of all Active Directory Security Groups...

How to Remove ‘Open PowerShell’ from Windows 10...

Powershell Script to Get List of Active Users...

List parameter aliases for a cmdlet

Configure Universal Group Membership Caching in Active Directory

Options available for creating and managing the Azure...

List and remove a function with PowerShell

Powershell to Find Inactive AD Users and Computers...

Reload Module Powershell Force Parameter

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

error: Alert: Content is protected !!