After brewing my favorite coffee variety at home a client emailed me asking if there’s a way to get password age for the Active Directory users in her small company. This was for about 80 users. To be honest, I have not touched AD in a while. But, I found some clues for getting password Age using Powershell in Windows Server.

I found some magic in getting password Age using Powershell. A very simple command to get all users with their passwordlastset and passwordneverexpires:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | ft name, passwordlastset, passwordneverexpires

You can also send the results to a CSV file:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | select name, passwordlastset, passwordneverexpires |Export-CSV -Path c:\users.csv -Encoding utf8

You can also exclude users that password never expires:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | where {$_.passwordNeverExpires -eq $false } | select name, passwordlastset, passwordneverexpires

But, to really fined tune the Powershell command you can use the below. It will give you a list of all users and the exact password expiration date:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

I hope this brief tutorial can help someone out there. If you have other ideas please share them in the comments section below. Thank you for your support!

Leave a comment

Your email address will not be published. Required fields are marked *