Active Directory: Password Expiration
Today's topic: Active Directory and Password Expiration!
Not being able to log in due to an expired password is a very common scenario for Active Directory user administration.
If the password for a user is not set to never expire, then a group policy will most definitely make it expire after a period of time since the last change.
Our goal for today? We are going to create a report that will contain the setting for the expiration of the password, the time it was last set and the time since the change. To get that information we are going to use PowerShell and the ActiveDirectory module.
All it takes is a single Get-ADUser command to get the information from Active Directory, piped to a Select-Object command in order to form the output:
    Get-ADUser -Filter * -Properties passwordlastset, `
        passwordneverexpires | Select-Object Name, `
        SamAccountName, `
        PasswordNeverExpires, `
        PasswordLastSet, `
        @{Name='PasswordAge'; Expression={New-TimeSpan $_.PasswordLastSet (Get-Date)}}
But let's break it down a bit.
First, we are using the Get-ADUser cmdlet with the Filter parameter set to "*" in order to get all the users from Active Directory and their passwordlastset and passwordneverexpires attributes along with the standard ones. You should be very careful here not to overload your domain controllers.
Then, we pipe the output to the Select-Object cmdlet and we form a new property called "PasswordAge" of type TimeSpan that holds the time difference between the current time and the time the password was last set. This can be very useful when you have a GPO that sets the password expiration to a specific value, like 30 days for example.
You can do all sorts of things here: sort by the PasswordAge, include the mail attribute and send a message to the user, or even filter on the passwordlastset or passwordneverexpires values to optimize the query.
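The variations mentioned above (filtering on the domain controller, including the mail attribute, sorting by PasswordAge) can be combined as follows. This is an added example, not part of the original article; the 30-day threshold reuses the article's example value, and the search base is a hypothetical placeholder.

```powershell
Import-Module ActiveDirectory

# Assumptions: a 30-day maximum password age (the article's example value)
# and a placeholder OU. Replace both with the values from your own domain.
$MaxPasswordAgeDays = 30
$SearchBase         = 'OU=Staff,DC=example,DC=com'   # hypothetical OU
$Now                = Get-Date
$Cutoff             = $Now.AddDays(-$MaxPasswordAgeDays)

# Let the domain controller do the filtering instead of returning every user:
# only enabled accounts whose password can expire and was last set before the cutoff.
$Filter = 'Enabled -eq $true -and PasswordNeverExpires -eq $false -and PasswordLastSet -lt $Cutoff'

Get-ADUser -Filter $Filter -SearchBase $SearchBase `
           -Properties PasswordLastSet, PasswordNeverExpires, mail |
    Select-Object Name, SamAccountName, mail, PasswordNeverExpires, PasswordLastSet,
        @{Name = 'PasswordAge'; Expression = {
            # PasswordLastSet can be empty, for example when the account must
            # change its password at next logon; leave PasswordAge empty then.
            if ($_.PasswordLastSet) {
                New-TimeSpan -Start $_.PasswordLastSet -End $Now
            }
        }} |
    Sort-Object PasswordAge -Descending
```

Limiting the query with -SearchBase and a server-side -Filter keeps the load on the domain controllers low compared with -Filter *.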