Password expire script more than 6 months in AD

    General discussion

  • Hi Team,

    Could somebody please let me know the PowerShell script to pull the users whose password has expired more than 6 months ago in Active Directory? I need only the list of users whose password has expired more than 6 months ago.


    Wednesday, December 21, 2016 12:41 PM

All replies

  • import-module activedirectory
    $reportObject = @()
    # Enabled users whose password can expire, with the computed expiry time and some context fields
    $userList = get-aduser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties displayname,passwordexpired,"msDS-UserPasswordExpiryTimeComputed",logoncount,passwordlastset,badlogoncount,lastbadpasswordattempt,mail | select displayname,passwordexpired,"msDS-UserPasswordExpiryTimeComputed",logoncount,passwordlastset,badlogoncount,lastbadpasswordattempt,mail | sort-object "msDS-UserPasswordExpiryTimeComputed" -descending
    foreach ($user in $userList) {
        $raw = $user."msDS-UserPasswordExpiryTimeComputed"
        # 0 = must change password at next logon; Int64.MaxValue = effective policy never expires.
        # [datetime]::FromFileTime throws on both, so skip them.
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq [Int64]::MaxValue) { continue }
        $dateExpire = [datetime]::FromFileTime($raw)
        # Passwords expiring within the next 7 days (already expired ones match too)
        if ($dateExpire -lt ([datetime]::Today).AddDays(7)) {
            $obj = new-object PSobject
            $obj | add-member noteproperty Name ($user.displayname)
            $obj | add-member noteproperty Expired ($user.Passwordexpired)
            $obj | add-member noteproperty 'Expire date' ($dateExpire)
            $obj | add-member noteproperty 'Logon Count' ($user.logoncount)
            $obj | add-member noteproperty 'Last Set' ($user.PasswordLastSet)
            $obj | add-member noteproperty 'Bad Count' ($user.badlogoncount)
            $obj | add-member noteproperty 'Bad Attempt' ($user.lastbadpasswordattempt)
            $obj | add-member noteproperty 'Mail' ($user.mail)
            $reportObject += $obj
        }
    }
    $reportObject
    Had this lying around; it will show passwords expiring within 7 days. Change the if condition to -gt 150 days or whatever; additional info is included in the output.
    Wednesday, December 21, 2016 1:24 PM
  • I would suggest using the Get-ADUser PowerShell cmdlet and the PasswordLastSet property.

    I think something similar to the below will give you what you want:

    # Retrieve domain maximum password age policy, in days.
    $MaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
    # Find the date that many days in the past.
    $Date1 = (Get-Date).AddDays(-$MaxPasswordAge)
    # Find the date 182 days further in the past. Any user with pwdLastSet older than this
    # has had an expired password for the past 6 months.
    $Date2 = ($Date1).AddDays(-182)
    # Find all enabled users with passwords that can expire and the password has been expired for at least 6 months.
    Get-ADUser -Filter {Enabled -eq $True -And PasswordNeverExpires -eq $False -And PasswordLastSet -lt $Date2} -Properties PasswordLastSet

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, December 21, 2016 2:03 PM
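The two replies above take different routes to the expiry date: the first reads the computed attribute msDS-UserPasswordExpiryTimeComputed, the second derives it from PasswordLastSet plus the default domain policy's MaxPasswordAge. The computed attribute is the more robust choice, because it is evaluated per user and therefore reflects fine-grained password policies (PSOs) and the "never expires" case, both of which the default domain policy alone does not capture. The script below is an added example written for this page, not code from either reply or from Microsoft; it answers the original question (enabled users whose password expired more than 6 months ago) using that attribute, skipping the two sentinel values (0 for "must change at next logon", Int64.MaxValue for "does not expire") that would otherwise make [DateTime]::FromFileTime throw. The function name, the parameter names, the Days default of 182 and the CSV path are assumptions of this example; it needs the ActiveDirectory module and a connection to a domain controller.

```powershell
# Added example (not from the original thread). Lists enabled users whose
# password expired more than $Days ago, using msDS-UserPasswordExpiryTimeComputed
# so that fine-grained password policies are honoured, not only the default
# domain policy. Function and parameter names are this example's own choices.
Import-Module ActiveDirectory

function Get-LongExpiredPasswordUsers {
    [CmdletBinding()]
    param(
        # How long ago the password must have expired; 182 days is about 6 months.
        [int]$Days = 182,
        # Optional distinguished name of an OU to limit the search to.
        [string]$SearchBase
    )

    $cutoff     = (Get-Date).AddDays(-$Days)
    $expiryAttr = 'msDS-UserPasswordExpiryTimeComputed'

    $params = @{
        # Single quotes on purpose: the AD filter parser understands $true/$false itself.
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = @($expiryAttr, 'PasswordLastSet', 'LastLogonDate', 'mail')
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @params) {
        $raw = $user.$expiryAttr

        # 0 means pwdLastSet is 0 ("must change password at next logon"): there is
        # no expiry date to compare against, so the account is not "expired N days ago".
        if ($null -eq $raw -or $raw -eq 0) { continue }

        # Int64.MaxValue means the effective policy never expires this password
        # (for example MaxPasswordAge of 0 in the applicable PSO or domain policy).
        if ($raw -eq [Int64]::MaxValue) { continue }

        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -ge $cutoff) { continue }   # current, or expired more recently than $Days

        [PSCustomObject]@{
            SamAccountName  = $user.SamAccountName
            Name            = $user.Name
            PasswordLastSet = $user.PasswordLastSet
            PasswordExpired = $expires
            DaysExpired     = [int]((Get-Date) - $expires).TotalDays
            # Included so the reviewer can tell a dormant account from one that
            # still signs in (for example via a method that does not enforce expiry).
            LastLogonDate   = $user.LastLogonDate
            Mail            = $user.mail
        }
    }
}

# Usage: review the list before disabling or cleaning up any account.
Get-LongExpiredPasswordUsers -Days 182 |
    Sort-Object PasswordExpired |
    Export-Csv -Path .\expired-over-6-months.csv -NoTypeInformation
```

Accounts whose password expired half a year ago and that show no LastLogonDate in the same period are the usual candidates for disabling; accounts with a recent LastLogonDate despite a long-expired password are worth a closer look, since something is still authenticating them.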
  • It seems the above scripts should help you get the desired result for password expiration.

    Alternatively, you can try using this password expiration reminder tool, which helps to fetch such expired password reports in real time.

    Thursday, December 22, 2016 7:08 AM