You can check the expiration date of a user's password by reading the msDS-UserPasswordExpiryTimeComputed attribute.
This attribute indicates the time when the password of the object will expire. Let TO be the object on which the attribute msDS-UserPasswordExpiryTimeComputed is read. If TO is not in a domain NC, then TO!msDS-UserPasswordExpiryTimeComputed = null. Otherwise let D be the root of the domain NC containing TO. The DC applies the following rules, in the order specified below, to determine the value of TO!msDS-UserPasswordExpiryTimeComputed:
- If any of the ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT bits is set in TO!userAccountControl, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF.
- Else, if TO!pwdLastSet = null, or TO!pwdLastSet = 0, then TO!msDS-UserPasswordExpiryTimeComputed = 0.
- Else, if Effective-MaximumPasswordAge = 0x8000000000000000, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).
- Else, TO!msDS-UserPasswordExpiryTimeComputed = TO!pwdLastSet + Effective-MaximumPasswordAge (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).
- It is a constructed attribute (not a "real" stored attribute; the value is calculated by the DC when it is queried)
- It calculates the password expiration date automatically, taking Fine Grained Password Policies (FGPP) into account
- It simplifies your code (no manual calculation, so the code is easier to write and also faster)
function Get-ADUserPasswordExpiration
{
    Param
    (
        [string]$Identity
    )
    # The attribute is a FILETIME (Int64, 100 ns ticks since 1601-01-01 UTC)
    $expiry = (Get-ADUser -Identity $Identity -Properties 'msDS-UserPasswordExpiryTimeComputed').'msDS-UserPasswordExpiryTimeComputed'
    # 0x7FFFFFFFFFFFFFFF means the password never expires; FromFileTime cannot convert that value
    if ($expiry -eq 0x7FFFFFFFFFFFFFFF) { return $null }
    [DateTime]::FromFileTime($expiry)
}
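As an added example (not code from the original post), the four rules listed above implemented offline in Python, so you can reproduce the DC's computation from a user's raw userAccountControl, pwdLastSet and effective maximum password age and compare it with what the DC returns. The flag values are the standard ADS_USER_FLAG_ENUM constants; the code assumes the maximum age is passed as the raw attribute value, which AD stores as a negative 100 ns interval, and the sample dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl flag values for the bits the rules name (ADS_USER_FLAG_ENUM)
ADS_UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
ADS_UF_SERVER_TRUST_ACCOUNT = 0x2000
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
ADS_UF_SMARTCARD_REQUIRED = 0x40000
NON_EXPIRING_FLAGS = (ADS_UF_INTERDOMAIN_TRUST_ACCOUNT | ADS_UF_WORKSTATION_TRUST_ACCOUNT
                      | ADS_UF_SERVER_TRUST_ACCOUNT | ADS_UF_DONT_EXPIRE_PASSWD
                      | ADS_UF_SMARTCARD_REQUIRED)

NEVER_EXPIRES = 0x7FFFFFFFFFFFFFFF   # value the DC returns for "never expires"
NO_MAXIMUM_AGE = -(1 << 63)          # 0x8000000000000000 read as a signed Int64

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None for the sentinel."""
    if filetime == NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for building test inputs."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 * 10**6 + delta.seconds * 10**6 + delta.microseconds) * 10


def password_expiry_time_computed(user_account_control, pwd_last_set, effective_max_pwd_age):
    """Apply the rules in the order the spec gives them.

    effective_max_pwd_age is the raw maxPwdAge / msDS-MaximumPasswordAge value
    (assumption: AD stores it as a negative 100 ns interval, e.g. -36288000000000 = 42 days).
    """
    if user_account_control & NON_EXPIRING_FLAGS:          # rule 1
        return NEVER_EXPIRES
    if pwd_last_set is None or pwd_last_set == 0:          # rule 2
        return 0
    if effective_max_pwd_age == NO_MAXIMUM_AGE:            # rule 3
        return NEVER_EXPIRES
    # rule 4: the stored interval is negative, so add its magnitude to move forward in time
    return pwd_last_set + abs(effective_max_pwd_age)


if __name__ == "__main__":
    # constructed sample: normal account, password set 2024-01-01 UTC, 42-day maximum age
    last_set = datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(filetime_to_datetime(password_expiry_time_computed(0x200, last_set, -36288000000000)))
```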
Tip #1: When using "net user samAccountName /domain", the value shown for "Password expires" does not take fine grained password policies into consideration, so it is not reliable; use msDS-UserPasswordExpiryTimeComputed instead to get the correct and exact password expiration date.
Tip #2: Get-ADUser is a cmdlet from the ActiveDirectory module.
Tip #3: To list all the Active Directory constructed attributes:
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))"