Tip: You can check the expiration date of a user’s password by using the msDS-UserPasswordExpiryTimeComputed attribute.
msDS-UserPasswordExpiryTimeComputed
https://msdn.microsoft.com/en-us/library/cc223410.aspx
- It is a constructed attribute (it is not a “real” attribute but is calculated when queried)
- It automatically calculates the password expiration date, also taking Fine Grained Password Policies (FGPP) into consideration
- It simplifies your code (no need to calculate the date manually, so your code is easier to write and also faster)
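```powershell
# Returns the password expiration date of a user as a local DateTime.
function Get-ADUserPasswordExpiration {
    Param (
        [string]$Identity
    )

    # The attribute holds a Windows FILETIME value, so convert it to a DateTime.
    [DateTime]::FromFileTime($((Get-ADUser -Identity $Identity -Properties 'msDS-UserPasswordExpiryTimeComputed').'msDS-UserPasswordExpiryTimeComputed'))
}
```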
Note 1: When using “net user samAccountName /domain”, the value returned by “Password expires” doesn’t take fine grained password policies into consideration (net user samAccountName /domain is not reliable; you should rather use msDS-UserPasswordExpiryTimeComputed to get the correct and exact password expiration date).
Note 2: Get-ADUser is a cmdlet from the ActiveDirectory module.
Note 3: To list all the Active Directory constructed attributes:
```powershell
Get-ADObject -SearchBase (Get-ADRootDSE).SchemaNamingContext -LDAPFilter "(&(systemFlags:1.2.840.113556.1.4.803:=4)(ObjectClass=attributeSchema))"
```
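Get-ADUserPasswordExpiration above converts whatever the attribute returns, but the attribute has two sentinel values: 0 when the password must be changed at next logon, and 0x7FFFFFFFFFFFFFFF when the password never expires, which [DateTime]::FromFileTime rejects with an exception. The following is an added example, not code from the original page, that classifies the raw value before converting it; the function name, its parameters and the sample accounts are assumptions made for illustration.

```powershell
# Added example. ConvertTo-PasswordExpiryStatus and its parameters are hypothetical names.
function ConvertTo-PasswordExpiryStatus {
    param (
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [long]$RawValue,      # raw msDS-UserPasswordExpiryTimeComputed value
        [datetime]$NowUtc = [DateTime]::UtcNow
    )

    $expiresUtc = $null
    if ($RawValue -eq 0) {
        # pwdLastSet is 0 or not set: the user must change the password at next logon.
        $state = 'MustChangeAtNextLogon'
    }
    elseif ($RawValue -eq [long]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: never expires. FromFileTime would throw on this value.
        $state = 'NeverExpires'
    }
    else {
        $expiresUtc = [DateTime]::FromFileTimeUtc($RawValue)
        $state = if ($expiresUtc -le $NowUtc) { 'Expired' } else { 'Valid' }
    }

    [pscustomobject]@{
        Name     = $Name
        State    = $state
        Expires  = if ($null -ne $expiresUtc) { $expiresUtc.ToLocalTime() } else { $null }
        DaysLeft = if ($state -eq 'Valid') { [int][math]::Floor(($expiresUtc - $NowUtc).TotalDays) } else { $null }
    }
}

# Constructed sample values (not real accounts), so the example runs without a domain.
$now = [DateTime]::UtcNow
$samples = @(
    @{ Name = 'alice';       RawValue = $now.AddDays(12).ToFileTimeUtc() }
    @{ Name = 'bob';         RawValue = $now.AddDays(-3).ToFileTimeUtc() }
    @{ Name = 'svc-backup';  RawValue = [long]::MaxValue }
    @{ Name = 'new-starter'; RawValue = 0 }
)
$report = foreach ($s in $samples) { ConvertTo-PasswordExpiryStatus @s -NowUtc $now }
$report | Format-Table -AutoSize

# Against a domain, pass the values returned by Get-ADUser instead:
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     ForEach-Object { ConvertTo-PasswordExpiryStatus -Name $_.SamAccountName -RawValue $_.'msDS-UserPasswordExpiryTimeComputed' }
```

Filtering the result on State -eq 'NeverExpires' gives a quick list of accounts whose passwords are exempt from expiration and are worth reviewing.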