PowerShell: Get-ADUser to retrieve password last set and expiry information


I’ve written about Get-ADUser before here and here where we used it to create a list of all users and display their homedrive, homedirectory and scriptpath properties.

In this post we’ll look retrieving password information to find out when a user last changed their password and if it is set to never expire.

As a quick recap, to view the available options with Get-ADUser type.

help Get-ADUser

help get-aduser

Next we want to find out what the name of the properties of a user account we want to look at are called. So we will take a look at an individual user account in its entirety.

Get-ADUser -identity username -properties *

get-aduser properties

So the property names we are interested in are: PasswordLastSet and PasswordNeverExpires. So we can run the command specifying these properties only and output the results in a table.

Type: get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

get-aduser properties passwordlastset passwordneverexpiresSo we can now see when a user last changed their password and if it is set to never expire.

To make things easier to find in a big environment you may want to sort the list by name.

Type: get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, Passwordneverexpires

get-aduser properties passwordlastset passwordneverexpires sortAnd finally, lets export the list to CSV so we can work on it in Excel. In this example we substitute, format table (ft) for select-object.

Type: Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info-20131119.csv

get-aduser properties passwordlastset passwordneverexpires csvBelow are some links to invaluable Microsoft Technet references.

Get-ADUser can be found here: http://technet.microsoft.com/en-us/library/ee617241.aspx

Where cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee177028.aspx

Sort-Object cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176968.aspx

Select-Object cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176955.aspx

Export-csv cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176825.aspx

Related Posts:

1. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1

2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 2

3. PowerShell: Identifying ActiveSync Devices with Get-ActiveSyncDevice for Exchange 2010

4. Exchange PowerShell: How to find users hidden from the Global Address List

5. How to install Exchange 2013 (SP1) on Windows Server 2012 R2

This is one of my most popular posts, so if you found it useful please share with your colleagues, like or leave a comment. Thanks, Carl.

If you found this post useful, please share!

    Related Posts

    20 thoughts on “PowerShell: Get-ADUser to retrieve password last set and expiry information

    1. Al McNicoll

      On the subject of useful Active Directory tools, Mark Russinovich produced a set of excellent freeware utilities under the sysinternals brand that were bought in and supported by Microsoft, of which the Active Directory tools were a particular highlight. ADInsight and ADExplorer offer a useful GUI window on Active Directories, often offering more than the built-in Windows Server tools.

      1. OxfordSBSguy.com

        Hi Hans, I expect so but off the top of my head I don’t know how to do it. I’ll try and look into it, but in the meantime if you find a solution let me know. I think it could be useful.


    2. Euric Dinkins

      Can you tell me how to convert the data shown in PasswordLastSet from the date to days?
      What I need to see is how many days it has been since the user last reset their password

    3. LazerTag

      Thanks for this. Is there any method to check the last X number dates the password was changed or does AD only maintain the very last time? I would like to see the last 3 or 4 times when certain users changed the password for their account.

    4. daniel

      get-aduser and passwordlastset don’t seem to exist in powershell version 3,4,5. Please let me know how can i check password last reset date and passwordneverexpires attribute. i am using search-adaccount since get-aduser is not available for me.

    5. Biyouk

      Thanks for sharing this scripts with us. Why it doesn’t work want I add a filter to the query ?

      PS C:\Users\toto> Get-ADUser -Filter {Enabled -eq “True”} -properties * | ft SamAccountName, DistinguishedName, PasswordLastSet

      Get-ADUser : Error parsing query: ‘Enabled -eq “True”’ Error Message: ‘syntax error’ at position: ’13’.
      At line:1 char:1
      + Get-ADUser -Filter {Enabled -eq “True”} -properties * | ft SamAccountName, Disti …
      + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      + CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
      + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Manageme

    6. Allen

      #Here is my Powershell script that shows soon-to-be expiring passwords set between 85 and 90 days ago. I started at this website and hacked/researched away till I came up with this final solution below. I hope it helps save some other Powerhelp newbies some time.

      import-module ActiveDirectory

      $PwdDays = (Get-Date).AddDays(-85)
      $PwdLimitDays = (Get-Date).AddDays(-91)

      Get-ADUser -filter {(passwordlastset -le $PwdDays) -and (passwordlastset -ge $PwdLimitDays) -and (Enabled -eq “True”)} -properties passwordlastset, passwordneverexpires, LastLogonDate, mail | sort-object passwordlastset, name | select-object Name, passwordlastset, passwordneverexpires, LastLogonDate, mail, @{Name=”Days Ago”;Expression={([DateTime]::Now – $_.PasswordLastSet).Days}} | Export-csv -path c:\user-password-info-$(get-date -f yyyy-MM-dd).csv

    7. Sylvain

      What can we do to users identified by the script that do not have the passwordlastset value, while in AD there is the value?
      Same question for the passwordneverexpires

      Thank for your help


    Leave a Reply

    Your email address will not be published. Required fields are marked *