Home ITProPowerShell Find the user password expiration date
Find Password Expiration

Find the user password expiration date

Admin KT
Admin KT 0 comment 20 views
0
FacebookTwitterPinterestLinkedinTumblrRedditStumbleuponWhatsappTelegramLINEEmail

You can check the expiration date of a user’s password by using

msDS-UserPasswordExpiryTimeComputed attribute.

This attribute indicates the time when the password of the object will expire. Let TO be the object on which the attribute msDS-UserPasswordExpiryTimeComputed is read. If TO is not in a domain NC, then TO!msDS-UserPasswordExpiryTimeComputed = null. Otherwise let D be the root of the domain NC containing TO. The DC applies the following rules, in the order specified below, to determine the value of TO!msDS-UserPasswordExpiryTimeComputed:

  • If any of the ADS_UF_SMARTCARD_REQUIRED, ADS_UF_DONT_EXPIRE_PASSWD, ADS_UF_WORKSTATION_TRUST_ACCOUNT, ADS_UF_SERVER_TRUST_ACCOUNT, ADS_UF_INTERDOMAIN_TRUST_ACCOUNT bits is set in TO!userAccountControl, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF.
  • Else, if TO!pwdLastSet = null, or TO!pwdLastSet = 0, then TO!msDS-UserPasswordExpiryTimeComputed = 0.
  • Else, if Effective-MaximumPasswordAge = 0x8000000000000000, then TO!msDS-UserPasswordExpiryTimeComputed = 0x7FFFFFFFFFFFFFFF (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).
  • Else, TO!msDS-UserPasswordExpiryTimeComputed = TO!pwdLastSet + Effective-MaximumPasswordAge (where Effective-MaximumPasswordAge is defined in [MS-SAMR] section 3.1.1.5).

 

  • It is a constructed attribute (it is not a “real” attribute but calculated when being queried)
  • Automatically calculates the expiration password date and also taking in consideration Fine Grained Password Policies (FGPP)
  • Simplify your code (no need to manually calculate so your code is easier to write and also faster)
function Get-ADUserPasswordExpiration
{
Param
(
[string]$Identity
)

[DateTime]::FromFileTime($((Get-ADUser -Identity $Identity -Properties ‘msDS-UserPasswordExpiryTimeComputed’).’msDS-UserPasswordExpiryTimeComputed’))
}

Pasword Expiration

Tip #1: When using “net user samAccountName /domain“, the value returned by “Password expires” doesn’t take in consideration the fine grained policies (net user samAccountName /domain is not reliable, you should rather use msDS-UserPasswordExpiryTimeComputed to get the correct and exact password expiration date).

 

Tip #2: Get-ADUser is a cmdlet from the activediretory module.

 

Tip #3: To list all the Active Directory constructed attributes :

Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))"

0 comment
0
FacebookTwitterPinterestLinkedinTumblrRedditStumbleuponWhatsappTelegramLINEEmail
Admin KT

Leave a Comment

Save my name, email, and website in this browser for the next time I comment.

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.

You may also like

Powershell Script to Get “lastLogon Timestamp” for Specific...

Configure Universal Group Membership Caching in Active Directory

List parameter aliases for a cmdlet

Determine the Forest and Domain functional levels with...

How to Export a Computer List from Active...

List and remove a function with PowerShell

How to Remove ‘Open PowerShell’ from Windows 10...

Options available for creating and managing the Azure...

Export list of all Active Directory Security Groups...

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More

error: Alert: Content is protected !!