Find AD accounts that will expire in 31 days

  • Question

  • Hi,

    I have a PS script that searches for AD user accounts that will expire within 31 days and sends an email notification to the users and admins.

    Now, I'd like to modify it so it would find all AD accounts that will expire exactly after 31 days (I'm going to create a scheduled task for it and run it every day).

    The line that does the "searching" looks like this:

    $users = Search-ADAccount -UsersOnly -AccountExpiring -TimeSpan 31:0:0:0.0 -SearchBase "OU=TestOU,DC=clf,DC=internal"

    I guess I need to replace -TimeSpan with something else, but I'm quite new to scripting so I have no idea what that would be :-)


    Thursday, July 11, 2019 11:03 AM

All replies

  • Hi,

    -TimeSpan 31:0:0:0.0 is a time-formatted entry, here 31 days. Change it to the value you want.

    Another way is to define your parameters in variables at the beginning of the script (a variable always begins with the $ character).

    $MaxDayBeforeExpiring = "31:0:0:0" # This variable is time formatted (DD:HH:m:s).

    $SearchBase = "OU=TestOU,DC=clf,DC=internal" # This variable defines your search base

    This way you have defined your configuration once and for all, and if you want to change one of the values, there is no need to read all the code: just look at the variables at the beginning of the script and change them if necessary.

    And now, further in your script

    $users = Search-ADAccount -UsersOnly -AccountExpiring -TimeSpan $MaxDayBeforeExpiring -SearchBase $SearchBase

    With PowerShell there are a lot of ways to reach a goal. Some are the fastest, some are the most readable, some are for lazy admins (avoiding repeating the same long parameters x times all along the script :-) ).


    Thursday, July 11, 2019 12:14 PM
  • It can be done using a filter on Get-ADUser. I had one command; I hope it may help you to design your own:

    Get-ADUser -filter {Enabled -eq $True} -Properties pwdLastSet | select Name, @{name ="DaysLeft";expression={$((([datetime]::FromFileTime($_.pwdLastSet)).AddDays((Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.days)- (Get-Date)).Days)}} | ?{$_.DaysLeft -eq 31}

    You can use -SearchBase to specify the OU in the command. You might not be able to get the desired result with Search-ADAccount -TimeSpan.

    • Edited by DumbleD0re Thursday, July 11, 2019 12:44 PM
    Thursday, July 11, 2019 12:41 PM
  • Thanks for all responses.

    Just to make it clear, I'm not trying to find password expiry dates but AD accounts that will expire 31 days from today. So if I ran my script today I'd like it to find accounts that will expire exactly on 17th of August 2019.

    Wednesday, July 17, 2019 7:31 AM
  • Just test the Expiry date of the account

    [datetime]::Today.AddDays(31).Date -eq $account.AccountExpirationDate.Date


    Wednesday, July 17, 2019 7:52 AM
  • Just test the Expiry date of the account

    [datetime]::Today.AddDays(31).Date -eq $account.AccountExpirationDate.Date


    Where do I put it in my script? Sorry for the silly question. I'm kind of new to scripting...
    Wednesday, July 17, 2019 8:45 AM
  • Put it in the filter.


    Wednesday, July 17, 2019 8:47 AM
  • How do I do it? Do I just replace -TimeSpan with it?
    Wednesday, July 17, 2019 9:51 AM
  • As noted above, you have to use "Get-ADUser" for this.

    help get-aduser -online


    Wednesday, July 17, 2019 9:53 AM
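
Putting the replies together, as an added example that is not part of the original thread: a Get-ADUser query that returns only the accounts whose expiration falls on the single day 31 days from today, using a server-side date range instead of -TimeSpan. The search base comes from the question; the `mail` property and the output columns are assumptions about what the notification script needs.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not code from the thread.

# Settings kept at the top of the script, as suggested in the first reply.
$DaysAhead  = 31
$SearchBase = 'OU=TestOU,DC=clf,DC=internal'   # value taken from the question

# Half-open window covering the whole target day: [midnight, next midnight).
# A range is used rather than -eq because AccountExpirationDate carries a
# time of day, so an equality test against a bare date can miss accounts.
$start = [datetime]::Today.AddDays($DaysAhead)
$end   = $start.AddDays(1)

# The filter string is single-quoted on purpose: the ActiveDirectory module
# resolves $start and $end itself and converts them for the comparison.
# Accounts that never expire fall outside the range and are not returned.
$users = Get-ADUser -SearchBase $SearchBase `
    -Properties AccountExpirationDate, mail `
    -Filter 'AccountExpirationDate -ge $start -and AccountExpirationDate -lt $end'

# 'mail' is an assumption: the address the notification would be sent to.
$users |
    Sort-Object AccountExpirationDate |
    Select-Object Name, SamAccountName, mail, AccountExpirationDate
```

AccountExpirationDate is the moment the account stops working; Active Directory Users and Computers shows the previous day as the "End of" date, so decide which of the two the 31 days should count towards.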