Lerch Web Wiki

Random, erratic, no responsibility is taken for the correctness of this information




Show Password Expiration Date

Short PowerShell sample to calculate the expiration date of a user's password. The script evaluates the domain password policy as well as the fine-grained password policy (if any) and the user account control flag "password never expires".

Show-PasswordExpirationDate.ps1
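function Show-PasswordExpirationDate {
    <#
    .SYNOPSIS
    Calculates when the password of a single Active Directory user expires.

    .DESCRIPTION
    Reads PasswordLastSet and PasswordNeverExpires from the user object, then
    takes the maximum password age from the user's resultant fine-grained
    password policy when one is returned, otherwise from the default domain
    password policy.

    .PARAMETER SamAccountName
    Account name passed to Get-ADUser and Get-ADUserResultantPasswordPolicy
    as -Identity.

    .OUTPUTS
    One object with the properties SamAccountName, PWExpires and FGP_Present.
    PWExpires is a DateTime, the string "Password Never Expires", the string
    "Password Not Set", or $null when no maximum password age could be read.
    FGP_Present is $true when a fine-grained policy value was returned.
    #>
    param(
        [string]$SamAccountName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet,PasswordNeverExpires
    $MaxPWAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
    $MaxPWAgeFGPP = (Get-ADUserResultantPasswordPolicy -Identity $SamAccountName).MaxPasswordAge

    # A returned value means a fine-grained policy overrides the domain default.
    if ($MaxPWAgeFGPP) {
        $FGPPActive = $true
        $EffectiveMaxAge = $MaxPWAgeFGPP
    }
    else {
        $FGPPActive = $false
        $EffectiveMaxAge = $MaxPWAge
    }

    # Set explicitly so a stale value from a parent scope can never leak into the report.
    $ExpirationDate = $null

    if ($user.PasswordNeverExpires) {
        $ExpirationDate = "Password Never Expires"
    }
    elseif ($null -eq $user.PasswordLastSet) {
        # No timestamp came back, so there is nothing to add the maximum age to.
        # NOTE(review): this is typically the "must change at next logon" state - confirm.
        $ExpirationDate = "Password Not Set"
    }
    elseif ($null -eq $EffectiveMaxAge) {
        # Policy lookup returned nothing; report that instead of guessing a date.
        Write-Warning "No maximum password age found for '$SamAccountName'."
    }
    elseif ($EffectiveMaxAge -eq [TimeSpan]::Zero) {
        # A maximum age of zero disables expiration; adding it to PasswordLastSet
        # would wrongly report the password as already expired.
        $ExpirationDate = "Password Never Expires"
    }
    else {
        $ExpirationDate = (Get-Date $user.PasswordLastSet) + $EffectiveMaxAge
    }

    # The property is declared as FGP_Present, so the assignment below must use
    # the same name (assigning to an undeclared property fails).
    $objResult = New-Object System.Object | Select-Object -Property SamAccountName,PWExpires,FGP_Present
    $objResult.SamAccountName = $SamAccountName
    $objResult.PWExpires = $ExpirationDate
    $objResult.FGP_Present = $FGPPActive
    $objResult
}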
# Report the password expiration for every user object the directory query returns.
Get-ADUser -Filter * |
    Select-Object -ExpandProperty SamAccountName |
    ForEach-Object { Show-PasswordExpirationDate -SamAccountName $_ }
powershell/ad/pwexpiration.txt · Last modified: 2017/02/27 09:18 by marcus