PowerShell by Patrik

Retrieve Password Expiration Date for AD User with PowerShell

This solution demonstrates how to retrieve the password expiration date of a user account in Active Directory using PowerShell. It uses the Get-ADUser cmdlet from the Active Directory module and queries the msDS-UserPasswordExpiryTimeComputed property, which holds the computed expiration date in FILETIME format.

If querying by -Identity returns an error such as "Cannot find an object with identity," switching to a -Filter approach with the SamAccountName is recommended. Also, ensure that the Active Directory module is imported, the domain context is correct, and the executing user has appropriate permissions.

# Import the Active Directory module if not already loaded
Import-Module ActiveDirectory

# Replace 'username' with the actual SamAccountName of the user
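$user = Get-ADUser -Filter {SamAccountName -eq "username"} -Properties msDS-UserPasswordExpiryTimeComputed

# -Filter returns nothing (rather than an error) when no account matches
if (-not $user) {
    throw "No user found with that SamAccountName."
}

# Convert the FILETIME to a readable DateTime object.
# 0 or empty means no expiry was computed; [Int64]::MaxValue means the password
# never expires, and FromFileTime throws on that value, so it is excluded here.
$rawExpiry = $user."msDS-UserPasswordExpiryTimeComputed"
$passwordExpiry = if ($rawExpiry -and $rawExpiry -ne [Int64]::MaxValue) {
    [datetime]::FromFileTime($rawExpiry)
} else {
    "Password does not expire or no expiration set."
}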

# Output the result
[PSCustomObject]@{
    UserName       = $user.SamAccountName
    PasswordExpiry = $passwordExpiry
}

Key Points:

  • Use -Filter with SamAccountName to avoid identity resolution issues.
  • The property msDS-UserPasswordExpiryTimeComputed returns the expiration time as FILETIME.
  • Convert FILETIME to DateTime for human-readable output.
  • Confirm the environment context and permissions to avoid access errors.
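
Added example (not part of the original post): a helper that sorts the raw attribute value into its distinct states for an expiry review. It separates the two sentinel values (0, which would convert to a date in 1601, and 0x7FFFFFFFFFFFFFFF, on which FromFileTime throws) from real dates and flags accounts close to expiry. The function name, its parameters, the 14-day threshold and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: classify raw msDS-UserPasswordExpiryTimeComputed values.
# ConvertTo-PasswordExpiryStatus and its parameters are hypothetical names.
function ConvertTo-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [long]$RawExpiry,                 # $null is coerced to 0
        [datetime]$Now = (Get-Date),
        [int]$WarnDays = 14               # assumed warning window
    )

    $expiresOn = $null
    $daysLeft  = $null

    if ($RawExpiry -eq 0) {
        # pwdLastSet is 0 or unset, e.g. "must change password at next logon"
        $state = 'NoExpiryComputed'
    } elseif ($RawExpiry -eq [long]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: password never expires
        $state = 'NeverExpires'
    } else {
        $expiresOn = [datetime]::FromFileTime($RawExpiry)
        $daysLeft  = [int][math]::Floor(($expiresOn - $Now).TotalDays)
        if ($daysLeft -lt 0) {
            $state = 'Expired'
        } elseif ($daysLeft -le $WarnDays) {
            $state = 'ExpiringSoon'
        } else {
            $state = 'OK'
        }
    }

    [PSCustomObject]@{
        SamAccountName = $SamAccountName
        State          = $state
        ExpiresOn      = $expiresOn
        DaysLeft       = $daysLeft
    }
}

# Constructed sample data standing in for Get-ADUser output
$now = [datetime]'2025-01-15T09:00:00'
$samples = @(
    @{ Sam = 'alice';   Raw = $now.AddDays(40).ToFileTime() }
    @{ Sam = 'bob';     Raw = $now.AddDays(5).ToFileTime() }
    @{ Sam = 'carol';   Raw = $now.AddDays(-3).ToFileTime() }
    @{ Sam = 'svc-app'; Raw = [long]::MaxValue }
    @{ Sam = 'newhire'; Raw = 0 }
)
$samples | ForEach-Object {
    ConvertTo-PasswordExpiryStatus -SamAccountName $_.Sam -RawExpiry $_.Raw -Now $now
} | Format-Table -AutoSize
```

Against a real directory, the same function can be fed from Get-ADUser by passing each user's SamAccountName and msDS-UserPasswordExpiryTimeComputed value; accounts reported as NeverExpires are the ones worth reviewing against password policy.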