In an Active Directory environment, users have to update their passwords when they expire. On some occasions, it is important to know when a user's password will expire.
For a user account, the value for the next password change is stored in the attribute msDS-UserPasswordExpiryTimeComputed.
We can view this value for a user account using a PowerShell command like the following:
Get-ADuser R564441 -Properties msDS-UserPasswordExpiryTimeComputed | select Name, msDS-UserPasswordExpiryTimeComputed
In the above command, I am querying the msDS-UserPasswordExpiryTimeComputed attribute for the user R564441. In the output, I am listing the values of the Name and msDS-UserPasswordExpiryTimeComputed attributes.
In my example, it returned 131412469385705537, which does not mean anything as it stands. We need to convert it to a readable format.
I can do it using:
Get-ADuser R564441 -Properties msDS-UserPasswordExpiryTimeComputed | select Name, {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
In the above command, the value was converted to datetime format, so it now gives a readable value.
We can develop this further to provide a report or send automatic reminders to users. I wrote the following PowerShell script to generate a report covering all the users in AD.
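# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
$passwordexpired = $null
$dc = (Get-ADDomain | Select-Object DNSRoot).DNSRoot
$Report = "C:\report.html"
# HTML head for the report: page title and basic styling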
$HTML=@"
<title>Password Validity Period For $dc</title>
<style>
BODY{background-color :LightBlue}
</style>
"@
# Read every user and convert both FILETIME values to readable dates
$passwordexpired = Get-ADUser -Filter * -Properties "SamAccountName","pwdLastSet","msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "SamAccountName",@{Name="Last Password Change";Expression={[datetime]::FromFileTime($_."pwdLastSet")}},@{Name="Next Password Change";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
$passwordexpired | ConvertTo-Html -Property "SamAccountName","Last Password Change","Next Password Change" -Head $HTML -Body "<H2> Password Validity Period For $dc</H2>" |
Out-File $Report
# Open the finished report with the default application
Invoke-Item $Report
This creates an HTML report. It contains the user name, the date and time of the last password change, and the date and time the password is going to expire.
The attributes I used here are SamAccountName, pwdLastSet and msDS-UserPasswordExpiryTimeComputed. The pwdLastSet attribute holds the date and time of the last password reset.
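The conversion above fails for two special values of msDS-UserPasswordExpiryTimeComputed: 0x7FFFFFFFFFFFFFFF (the password never expires) makes FromFileTime throw, and 0 (password must be changed at next logon) converts to a misleading date. The following is an added example, not part of the original script, that handles both and lists accounts needing a reminder; Convert-PasswordExpiry, $WarnDays and the 14-day window are hypothetical names and values.

```powershell
# Added example; Convert-PasswordExpiry and $WarnDays are hypothetical names.
function Convert-PasswordExpiry {
    param([long]$FileTime)
    if ($FileTime -eq [long]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: password never expires; FromFileTime() would throw
        $state = 'NeverExpires'; $expires = $null
    } elseif ($FileTime -eq 0) {
        # 0: pwdLastSet is 0 or empty, so the password must be changed at next logon;
        # FromFileTime(0) would return a misleading date around the year 1601
        $state = 'MustChangeAtNextLogon'; $expires = $null
    } else {
        $state = 'Expires'; $expires = [datetime]::FromFileTime($FileTime)
    }
    [pscustomobject]@{ State = $state; Expires = $expires }
}

# Constructed sample input: the value from the article plus the two special values
131412469385705537, 0, [long]::MaxValue | ForEach-Object { Convert-PasswordExpiry $_ }

# Against a live domain: enabled users whose password expires within $WarnDays
# days (already expired passwords included) or must be changed at next logon
Import-Module ActiveDirectory
$WarnDays = 14   # assumed reminder window
$cutoff   = (Get-Date).AddDays($WarnDays)

Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $e = Convert-PasswordExpiry $_.'msDS-UserPasswordExpiryTimeComputed'
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            State          = $e.State
            Expires        = $e.Expires
        }
    } |
    Where-Object {
        $_.State -eq 'MustChangeAtNextLogon' -or
        ($_.State -eq 'Expires' -and $_.Expires -le $cutoff)
    } |
    Sort-Object Expires
```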
Hope this was useful. If you have any questions, feel free to contact me at rebeladm@live.com. Also follow me on Twitter @rebeladm to get updates about new blog posts.