KB10109 - PS: Get AD Users With Expiring Password

General description

This article shows how to retrieve users in Active Directory Domain Services (AD DS) that match all of the following criteria:

  • The password was last set at least 70 days ago
  • The password of the account is set to expire (PasswordNeverExpires is not set)
  • The user object is enabled
  • The password was set by the user, i.e. it is not an initial password on the account (pwdLastSet is not 0)

It is a quick and dirty solution, but a helpful one for finding those users.


Script code:

#Variables:
$MaxPWDAgeInDays = 70

# pwdLastSet is stored as a Windows FILETIME, so the cutoff date must be converted
# with ToFileTimeUTC() before it can be compared inside the -Filter string.
# pwdLastSet -ne 0 excludes accounts whose password must be changed at next logon.
$Cutoff = (Get-Date).AddDays(0 - $MaxPWDAgeInDays).ToFileTimeUTC()
$Filter = "pwdLastSet -lt $Cutoff -and pwdLastSet -ne 0 -and PasswordNeverExpires -eq 'False' -and enabled -eq 'true'"

Get-ADUser -Filter $Filter -Properties pwdLastSet |
    Sort-Object -Property pwdLastSet |
    Select-Object -Property Name, @{name='Password last set'; expression={[datetime]::fromFileTime($_.pwdLastSet)}}

# you can combine this with a SearchBase filter so only accounts below a given OU get displayed
Get-ADUser -SearchBase "OU=MyUsersOU,DC=MyDomain,DC=MyTLD" -Filter $Filter -Properties pwdLastSet |
    Sort-Object -Property pwdLastSet |
    Select-Object -Property Name, @{name='Password last set'; expression={[datetime]::fromFileTime($_.pwdLastSet)}}
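The fixed 70-day cutoff above only approximates the real expiry date: the domain's maximum password age may differ, and fine-grained password policies (PSOs) can give individual users a different age. The following script is an added example that is not part of the original article. It asks the domain controller for its own computed expiry time (the constructed attribute msDS-UserPasswordExpiryTimeComputed, which already takes PSOs into account) and lists enabled users whose password expires within a chosen number of days. It assumes the ActiveDirectory module (RSAT) is installed and a domain controller is reachable; the parameter names, the SearchBase value and the 14-day default are the example's own choices.

```powershell
# Added example, not the KB article's own script: list enabled users whose
# password expires within the next $DaysUntilExpiry days, using the DC's own
# expiry calculation instead of a fixed cutoff.
# Assumption: ActiveDirectory module (RSAT) available, domain controller reachable.
param(
    [int]$DaysUntilExpiry = 14,
    [string]$SearchBase = $null   # e.g. "OU=MyUsersOU,DC=MyDomain,DC=MyTLD" (placeholder)
)

Import-Module ActiveDirectory

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute: the DC applies
# the default domain policy or any fine-grained password policy (PSO) that
# applies to the user, so the result is correct even when PSOs are in use.
$expiryAttr   = 'msDS-UserPasswordExpiryTimeComputed'
$neverExpires = [int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF is the "never expires" sentinel

# Same account criteria as the article: enabled, password does expire,
# and pwdLastSet -ne 0 (no initial / must-change-at-next-logon password).
$params = @{
    Filter     = "enabled -eq 'true' -and PasswordNeverExpires -eq 'False' -and pwdLastSet -ne 0"
    Properties = @('pwdLastSet', $expiryAttr)
}
if ($SearchBase) { $params['SearchBase'] = $SearchBase }

$now    = Get-Date
$cutoff = $now.AddDays($DaysUntilExpiry)

Get-ADUser @params |
    ForEach-Object {
        $raw = $_.$expiryAttr
        # Skip accounts where the DC returns no usable expiry (no value, 0, or the
        # never-expires sentinel); FromFileTime would throw on the sentinel.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $neverExpires) { return }
        $expires = [datetime]::FromFileTime($raw)
        [pscustomobject]@{
            Name            = $_.Name
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = [datetime]::FromFileTime($_.pwdLastSet)
            Expires         = $expires
            DaysLeft        = [math]::Floor(($expires - $now).TotalDays)
        }
    } |
    # Already-expired passwords show up with a negative DaysLeft value.
    Where-Object { $_.Expires -le $cutoff } |
    Sort-Object -Property Expires
```

Run it as `.\Get-ExpiringPasswords.ps1 -DaysUntilExpiry 14` (file name is the example's own); pass `-SearchBase` to restrict the query to one OU, exactly as the article does with its second command. Because the expiry comes from the DC, the script also works when Get-ADUserResultantPasswordPolicy would return a PSO for some users, which the fixed 70-day filter cannot reflect.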
