Tip: You can check the expiration date of a user’s password by using the msDS-UserPasswordExpiryTimeComputed attribute.
- It is a constructed attribute (not a “real” stored attribute; its value is calculated when it is queried)
- It automatically calculates the password expiration date, taking Fine Grained Password Policies (FGPP) into consideration
- It simplifies your code (no manual calculation needed, so your code is easier to write and also faster)
[DateTime]::FromFileTime($((Get-ADUser -Identity $Identity -Properties 'msDS-UserPasswordExpiryTimeComputed').'msDS-UserPasswordExpiryTimeComputed'))
Note 1: When using “net user samAccountName /domain”, the value returned by “Password expires” doesn’t take fine grained policies into consideration (net user samAccountName /domain is not reliable; use msDS-UserPasswordExpiryTimeComputed instead to get the correct and exact password expiration date).
Note 2: Get-ADUser is a cmdlet from the ActiveDirectory module.
Note 3: To list all the Active Directory constructed attributes:
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))"
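
An added example (not code from the original tip) that wraps the password expiry one-liner above so the two sentinel values of msDS-UserPasswordExpiryTimeComputed are handled: 0x7FFFFFFFFFFFFFFF (the password does not expire), which makes [DateTime]::FromFileTime throw, and 0 (pwdLastSet is 0 or unset), which would otherwise be displayed as a date around 1601. The function name Resolve-PasswordExpiry and the sample values are hypothetical and constructed for illustration.

```powershell
# Added example. Resolve-PasswordExpiry is a hypothetical helper name.
function Resolve-PasswordExpiry {
    param(
        [AllowNull()][object]$RawValue,   # raw msDS-UserPasswordExpiryTimeComputed value
        [DateTime]$Now = (Get-Date)
    )
    $state = $null; $expires = $null; $days = $null
    if ($null -eq $RawValue) {
        # Attribute was not returned (e.g. not requested via -Properties)
        $state = 'NotAvailable'
    }
    elseif ([int64]$RawValue -eq [int64]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: the password does not expire; FromFileTime would throw
        $state = 'NeverExpires'
    }
    elseif ([int64]$RawValue -eq 0) {
        # 0: pwdLastSet is 0 or unset (password must be changed or was never set)
        $state = 'ChangeRequiredOrNeverSet'
    }
    else {
        $expires = [DateTime]::FromFileTime([int64]$RawValue)
        $days    = [int][math]::Floor(($expires - $Now).TotalDays)
        $state   = if ($expires -le $Now) { 'Expired' } else { 'Valid' }
    }
    [pscustomobject]@{ State = $state; ExpiresOn = $expires; DaysLeft = $days }
}

# Constructed sample values standing in for what Get-ADUser would return
$now = Get-Date
$samples = [ordered]@{
    'never.expires' = [int64]::MaxValue
    'must.change'   = [int64]0
    'expiring.soon' = $now.AddDays(10).ToFileTime()
    'already.late'  = $now.AddDays(-3).ToFileTime()
}
foreach ($name in $samples.Keys) {
    $r = Resolve-PasswordExpiry -RawValue $samples[$name] -Now $now
    [pscustomobject]@{ User = $name; State = $r.State; ExpiresOn = $r.ExpiresOn; DaysLeft = $r.DaysLeft }
}

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     ForEach-Object { Resolve-PasswordExpiry -RawValue $_.'msDS-UserPasswordExpiryTimeComputed' }
```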