I’ve written about Get-ADUser before here and here where we used it to create a list of all users and display their homedrive, homedirectory and scriptpath properties.
In this post we’ll look retrieving password information to find out when a user last changed their password and if it is set to never expire.
As a quick recap, to view the available options with Get-ADUser type.
help Get-ADUser
Next we want to find out what the name of the properties of a user account we want to look at are called. So we will take a look at an individual user account in its entirety.
Get-ADUser -identity username -properties *
So the property names we are interested in are: PasswordLastSet and PasswordNeverExpires. So we can run the command specifying these properties only and output the results in a table.
Type: get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
So we can now see when a user last changed their password and if it is set to never expire.
To make things easier to find in a big environment you may want to sort the list by name.
Type: get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, Passwordneverexpires
And finally, lets export the list to CSV so we can work on it in Excel. In this example we substitute, format table (ft) for select-object.
Type: Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info-20131119.csv
Below are some links to invaluable Microsoft Technet references.
Get-ADUser can be found here: http://technet.microsoft.com/en-us/library/ee617241.aspx
Where cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee177028.aspx
Sort-Object cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176968.aspx
Select-Object cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176955.aspx
Export-csv cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176825.aspx
Related Posts:
1. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1
2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 2
3. PowerShell: Get-ADUser to retrieve disabled user accounts
5. PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember
This is one of my most popular posts, so if you found it useful please share with your colleagues, like or leave a comment. Thanks, Carl.
On the subject of useful Active Directory tools, Mark Russinovich produced a set of excellent freeware utilities under the sysinternals brand that were bought in and supported by Microsoft, of which the Active Directory tools were a particular highlight. ADInsight and ADExplorer offer a useful GUI window on Active Directories, often offering more than the built-in Windows Server tools.
http://bit.ly/1hcS3Sl
Thanks Al, I’ll take a look at them.
http://gallery.technet.microsoft.com/scriptcenter/How-to-check-if-Active-f27b7d39
Thanks Vital, nice link.
Awesome. Thank you for this. Saved me a lot of time have to ISE a script myself!
Hi,
Is it possible that your script only list users, where the password will expires within the next 7 days ?
Hi Hans, I expect so but off the top of my head I don’t know how to do it. I’ll try and look into it, but in the meantime if you find a solution let me know. I think it could be useful.
Cheers,
Carl
Wow, thanks! You’ve saved me a lot of work and turned it into a matter of seconds!
How could I narrow this down to an OU and it’s sub-OUs?
Hi David, use the -SearchBase ‘OU=Head Office,DC=AD,DC=oxfordsbsguy,DC=com’
See the post here for an example:
https://www.oxfordsbsguy.com/2015/03/09/powershell-how-to-add-all-users-in-an-ou-to-a-security-group-using-get-aduser-and-add-adgroupmember/
Cheers,
Carl
Can you tell me how to convert the data shown in PasswordLastSet from the date to days?
What I need to see is how many days it has been since the user last reset their password
Thank you for this, it’s exactly what I need for a password change audit.
Thanks for this. Is there any method to check the last X number dates the password was changed or does AD only maintain the very last time? I would like to see the last 3 or 4 times when certain users changed the password for their account.
get-aduser and passwordlastset don’t seem to exist in powershell version 3,4,5. Please let me know how can i check password last reset date and passwordneverexpires attribute. i am using search-adaccount since get-aduser is not available for me.
Thanks for sharing this scripts with us. Why it doesn’t work want I add a filter to the query ?
PS C:\Users\toto> Get-ADUser -Filter {Enabled -eq “True”} -properties * | ft SamAccountName, DistinguishedName, PasswordLastSet
Get-ADUser : Error parsing query: ‘Enabled -eq “True”’ Error Message: ‘syntax error’ at position: ’13’.
At line:1 char:1
+ Get-ADUser -Filter {Enabled -eq “True”} -properties * | ft SamAccountName, Disti …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Manageme
nt.Commands.GetADUser
You need to add $_.Enabled instead of Enabled, so it’s -Filter {$_.Enabled -eq “True”}
#Here is my Powershell script that shows soon-to-be expiring passwords set between 85 and 90 days ago. I started at this website and hacked/researched away till I came up with this final solution below. I hope it helps save some other Powerhelp newbies some time.
import-module ActiveDirectory
$PwdDays = (Get-Date).AddDays(-85)
$PwdLimitDays = (Get-Date).AddDays(-91)
Get-ADUser -filter {(passwordlastset -le $PwdDays) -and (passwordlastset -ge $PwdLimitDays) -and (Enabled -eq “True”)} -properties passwordlastset, passwordneverexpires, LastLogonDate, mail | sort-object passwordlastset, name | select-object Name, passwordlastset, passwordneverexpires, LastLogonDate, mail, @{Name=”Days Ago”;Expression={([DateTime]::Now – $_.PasswordLastSet).Days}} | Export-csv -path c:\user-password-info-$(get-date -f yyyy-MM-dd).csv
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\vdulipala> import-module ActiveDirectory
>>
>> $PwdDays = (Get-Date).AddDays(-85)
>> $PwdLimitDays = (Get-Date).AddDays(-91)
>>
>> Get-ADUser -Server inforexternals.net -filter {(passwordlastset -le $PwdDays) -and (passwordlastset -ge $PwdLimitDays
) -and (Enabled -eq “True”)} -properties passwordlastset, passwordneverexpires, LastLogonDate, mail | sort-object passwo
rdlastset, name | select-object Name, passwordlastset, passwordneverexpires, LastLogonDate, mail, @{Name=”Days Ago”;Expr
ession={([DateTime]::Now – $_.PasswordLastSet).Days}} | Export-csv -path C:\Users\vdulipala\Desktop\passinfo1.csv
Get-ADUser : Error parsing query: ‘(passwordlastset -le $PwdDays) -and (passwordlastset -ge $PwdLimitDays) -and
(Enabled -eq “True”)’ Error Message: ‘syntax error’ at position: ’91’.
At line:6 char:1
+ Get-ADUser -Server inforexternals.net -filter {(passwordlastset -le $ …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Micr
osoft.ActiveDirectory.Management.Commands.GetADUser
PS C:\Users\vdulipala>
Getting this error please correct me where I am doing wrong..
Hello,
What can we do to users identified by the script that do not have the passwordlastset value, while in AD there is the value?
Same question for the passwordneverexpires
Thank for your help
What would the syntax look like if I wanted to exclude disabled users?
That’s awesome !
It made my day.
Though, prior to PS command, I use an automated solution named Lepide active directory auditing tool i.e, https://www.lepide.com/lepideauditor/active-directory-auditing.html which helps me to track and calculate every critical events into real time.
However, I have bookmarked this to further investigation.
Very useful, thanks!
It’s great for “password last set,” but just as useful is “When does password expire?” The two don’t always coincide.
And/or “Password already expired.” I find some users who, for some reason, don’t realize, “Oh, my password expired already – I guess I should have changed it 4 days ago, when it actually expired.” 🙂
Hello,
How can we explain “PasswordLastSet” 4/5/2000 when “whenCreated” is 10/27/2013?
Management is asking, and I don’t have a suitable answer.
Thanks.
Thank you for your article, it was very helpful.
Please let me know how to filter and show only active accounts and not disabled accounts.
Thank you,
Mani
Thanks! Great stuff, thanks for the writeup & sharing!