locked
Password Expirations RRS feed

  • Question

  • I need to be able to run a report that will give me a list of users whose passwords will expire in a given date range. Example would be during the month of August.

    I support 80,000 users and have found scripts that will report on each user's expiration date but i don't need something that big.

    Any help is greatly appreciated.

    Thanks

    Tuesday, July 21, 2020 12:21 PM

All replies

  • Hi,

    the problem with password expiration is, AD does not store that. Instead, the last password change and maximum password age are stored so technically, a password does not 'expire' until a login is attempted for that account.

    If you are positive that there are no Fine Grained Password Policies in your environment, then, instead of 'Expires in August' you just look for 'Last change in August-max age'. So, assuming that your max password age is 90 days, you're looking for accounts with pwdLastSet between (1st Aug - 90 Days) and (30th Aug - 90 days):

    $start = (Get-Date '01.08.2020 00:00:00').AddDays(-90).ToFileTimeUtc()
    $end = (Get-Date '30.08.2020 23:59:59').AddDays(-90).ToFileTimeUtc()
    Get-ADUser -LDAPFilter "(&(pwdLastSet>=$start)(pwdLastSet<=$end))" 

    The dates are in German locale, you need to adjust that to yours as needed ;-)

    If you have FGPP in place, you'll have to consider the policies, their superposition etc. in your calculations.


    Evgenij Smirnov

    http://evgenij.smirnov.de


    Tuesday, July 21, 2020 1:35 PM