Active Directory – Check a user's password status

Whilst Active Directory is a great tool for user management in a Windows environment, there are certain pieces of information that are not readily available.

In this post we will look at the password-related attributes and how their values can be extracted: for example, when a user's password is likely to expire, if at all.

If we look directly in Active Directory, we see the following attributes:

badPasswordTime
badPasswordCount
pwdLastSet

Apparent by its absence is the value for when the password expires. This should be easy enough to calculate: pwdLastSet plus the number of days that a password is valid for under the password policy.

Why don't we make our lives a little easier and use a command, run from PowerShell, that doesn't require knowledge of the password expiration policy:

net user userID /domain

Here is the issue: whether on a workgroup (dropping the /domain switch) or on a domain, the output is not very palatable:

It is an array of strings that we can split easily enough, but if we just wanted the single value, for reuse, it gets a bit messy.

Instead, we will be using an Active Directory attribute that on the face of it seems to be 'hidden'. It is a constructed attribute, calculated by the domain controller on request rather than stored, which is why it is not listed alongside the attributes above:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and sAMAccountName -eq "userID"} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="PasswordExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

This piece of code is all well and good, but what if we wanted to do something with the expiry date, such as have it trigger an email alert? We would need to assign the output to a variable for reuse:

$expiryInfo = Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and sAMAccountName -eq "userID"} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="PasswordExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

The two values, DisplayName and PasswordExpiryDate, can now be reused within PowerShell as $expiryInfo.DisplayName and $expiryInfo.PasswordExpiryDate.
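As an added example (not code from the original post), here is the same lookup extended from one user to every enabled account, turned into a function that returns objects an alerting step can consume. It handles the two values the one-liner above would choke on: the 0x7FFFFFFFFFFFFFFF sentinel the constructed attribute returns when the effective policy never expires the password, and the 0 returned when the user must change their password at next logon. It assumes the ActiveDirectory (RSAT) module on a domain-joined machine; the 14-day window is an assumed default.

```powershell
# Added example, not code from the original post: report enabled users whose
# password has expired or expires within a given window. Assumes the
# ActiveDirectory (RSAT) module on a domain-joined machine.
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param([int]$WithinDays = 14)   # alert window; the default is an assumption

    # The constructed attribute returns 0x7FFFFFFFFFFFFFFF when the effective
    # policy says "never expires"; [datetime]::FromFileTime() throws on it.
    $never = [int64]::MaxValue
    $now   = Get-Date
    $limit = $now.AddDays($WithinDays)

    $users = Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
                        -Properties DisplayName, pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    foreach ($user in $users) {
        $raw = $user.'msDS-UserPasswordExpiryTimeComputed'

        # pwdLastSet of 0 means "must change password at next logon"; the
        # expiry attribute is 0 too, which FromFileTime() would render as
        # 1601-01-01 and misreport as long expired.
        if ($user.pwdLastSet -eq 0 -or $null -eq $raw) {
            $status = 'MustChangeAtNextLogon'; $expires = $null
        } elseif ($raw -eq $never) {
            $status = 'NeverExpires'; $expires = $null
        } else {
            $expires = [datetime]::FromFileTime($raw)
            $status  = if ($expires -lt $now)        { 'Expired' }
                       elseif ($expires -le $limit)  { 'ExpiringSoon' }
                       else                          { 'OK' }
        }

        # Emit only the accounts worth acting on; pipe these into your alerting step.
        if ($status -in 'Expired', 'ExpiringSoon', 'MustChangeAtNextLogon') {
            [pscustomobject]@{
                SamAccountName     = $user.SamAccountName
                DisplayName        = $user.DisplayName
                PasswordExpiryDate = $expires
                DaysRemaining      = if ($expires) { [math]::Floor(($expires - $now).TotalDays) } else { $null }
                Status             = $status
            }
        }
    }
}

# Usage: Get-ExpiringPasswords -WithinDays 7 | Sort-Object PasswordExpiryDate | Format-Table -AutoSize
```

Accounts flagged NeverExpires despite PasswordNeverExpires being false are worth a second look, since that combination usually means a fine-grained or domain policy with a maximum password age of 0 applies to them.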