Active Directory User Attribute (-PasswordExpired)

This topic contains 5 replies, has 4 voices, and was last updated by Christopher 2 weeks, 6 days ago.

  • #67810
    Christopher
    Participant

    Is there an updated switch list for -PasswordExpired?

    Has anyone effectively utilized a parameter to query user accounts with expired or expiring passwords using the -PasswordExpired cmdlet? I need to find expired passwords and/or passwords expiring in our organization, not necessarily expiring accounts.

    There seems to be a lot of overlapping with cmdlets like -AccountExpired, -AccountExpiring, -LockedOut etc. that confuses myself and the shell.

    Microsoft has also limited the search parameters for this cmdlet and the User attributes in Active Directory don't tend to play nice with the shell either.

  • #67812
    Zuldan
    Participant

    Have a look at the code in this project.

    https://github.com/dbetteridge/PasswordExpiryDash

  • #67821
    Eric Bronnert
    Participant

    I actually just wrote a script that does something similar. Feel free to have a look.

    You can use a cmd line one-liner:
    net user yourusername /domain

    (leave the /domain part as is)
    
    This one-liner will get you the data you need for the script below.

    Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} -Properties LastLogonDate | Select-Object Name, LastLogonDate, DistinguishedName | Export-Csv C:\ActiveNoExpiration2017.csv -NoTypeInformation

    This script will basically scan a CSV you point it to, look for all accounts (by DistinguishedName) that have their passwords set to never expire, and "uncheck" this field within Active Directory. Depending on when the user last changed their password, this will apply to the account instantly if it's expired according to the password expiration policy on your DC. *Note*: I believe the header for your CSV should be either "user" or "users". Try whichever one works. Also, you'll need to delete the -WhatIf when you're done testing and you're ready for the script to make the changes.

    ## ADCleanup - Password Expires = False ##
    ## CD into the path where the files are being executed ##
    cd C:\users\yourusername\desktop\yourfile
    ## Import CSV with the DistinguishedName of every user whose password must be set to expire - MUST BE THE FULL DN ##
    Import-Csv 'userlist.csv' | ForEach-Object {
        ## -WhatIf only reports what would change; remove it once testing is done ##
        Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false -CannotChangePassword $false -WhatIf
    }

    • #67891
      Christopher
      Participant

      For some reason or other, all of our accounts are set to "password never expires", which makes this more difficult. At least from what I can tell in the attributes listing in ADUC. I will check with higher admins on password policy.

  • #67855
    Mark Prior
    Participant

    Not entirely sure what you're after, but maybe this will help?

    Get-ADUser "username goes here" -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
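Building on the msDS-UserPasswordExpiryTimeComputed approach above, here is an added example (not code from this thread) that answers the original question for the whole domain: it reports enabled users whose password is already expired or will expire within a chosen number of days, cross-checks with Search-ADAccount -PasswordExpired, and lists the PasswordNeverExpires accounts that neither method can report. It assumes the ActiveDirectory (RSAT) module in a domain-joined session; $WarnDays is a chosen threshold.

```powershell
# Added example, not code from this thread. Assumes the ActiveDirectory
# module and a domain-joined session; $WarnDays is a chosen threshold.
Import-Module ActiveDirectory

$WarnDays = 14
$Now      = Get-Date

# PasswordNeverExpires accounts are excluded here: the DC computes no
# expiry for them, so they are listed separately at the end.
$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or empty means "must change password at next logon";
    # Int64 max means the DC computed no expiry. Skip both.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }
    $expires  = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - $Now).TotalDays)
    if     ($daysLeft -lt 0)         { $state = 'Expired'  }
    elseif ($daysLeft -le $WarnDays) { $state = 'Expiring' }
    else                             { $state = 'OK'       }
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        DisplayName     = $u.DisplayName
        PasswordLastSet = $u.PasswordLastSet
        ExpiryDate      = $expires
        DaysLeft        = $daysLeft
        State           = $state
    }
}

# Expired accounts first, then the ones closest to expiry.
$report | Where-Object { $_.State -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table SamAccountName, DisplayName, ExpiryDate, DaysLeft, State -AutoSize

# Cross-check with the built-in switch the question asks about. It only
# reports passwords already past expiry, not ones that are about to expire.
Search-ADAccount -PasswordExpired -UsersOnly |
    Select-Object SamAccountName, LastLogonDate

# Accounts that never appear in either list because the flag is set.
Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } |
    Select-Object SamAccountName, DistinguishedName
```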
