Author Posts

April 3, 2017 at 7:35 pm

Is there an updated switch list for -PasswordExpired?

Has anyone effectively used a parameter to query user accounts with expired or expiring passwords using the -PasswordExpired switch? I need to find expired passwords and/or passwords expiring in our organization, not necessarily expiring accounts.

There seems to be a lot of overlap with switches like -AccountExpired, -AccountExpiring, -LockedOut etc... that confuses myself and the shell.

Microsoft has also limited the search parameters for this cmdlet and the User attributes in Active Directory don't tend to play nice with the shell either.

April 3, 2017 at 9:01 pm

I actually just wrote a script that does something similar. Feel free to have a look.

You can use a cmd-line one-liner:
net user yourusername /domain

(leave the /domain part as is)

This one-liner will get you the data you need for the script below.

Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $true} | Select-Object name, LastLogonDate, DistinguishedName | Export-Csv C:\ActiveNoExpiration2017.csv

This script will basically scan a CSV you point it to, look for all accounts (via DistinguishedName) that have their passwords set to never expire, and "uncheck" this field within Active Directory. Depending on when the user last changed their password, this will apply to the account instantly if it's expired according to the password expiration policy on your DC. *note* I believe the header for your CSV should be either "user" or "users". Try whichever one works. Also, you'll need to delete the -WhatIf when you're done testing and you're ready for the script to make the changes.

## ADCleanup - Password Expires = False ##
## CD into the path where the files are being executed ##
cd C:\users\yourusername\desktop\yourfile
## Import CSV with the DistinguishedName of every user that needs the password set to expire (MUST BE THE FULL OU PATH) ##
## Remove -WhatIf once testing is done and the changes should actually be applied ##
Import-Csv 'userlist.csv' | ForEach-Object {
Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $false -CannotChangePassword $false -WhatIf
}

April 3, 2017 at 9:18 pm

Hope this helps!

April 4, 2017 at 9:06 am

Not entirely sure what you're after, but maybe this will help?

Get-ADUser "username goes here" -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
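Building on the msDS-UserPasswordExpiryTimeComputed approach above, here is an added example (not code from any poster in this thread) that runs the same computation across every enabled user and classifies each as Expired, ExpiringSoon, MustChange, NeverExpires or OK, which covers the original question about finding expired and expiring passwords domain-wide. It assumes the RSAT ActiveDirectory module and a domain account that can read user attributes; the function name Get-PasswordExpiryReport and the 14-day threshold are my own choices.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# and read access to user attributes. Get-PasswordExpiryReport and $Days are
# names chosen for this example.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param([int]$Days = 14)   # "expiring soon" window in days
    $now   = Get-Date
    $props = 'DisplayName', 'PasswordNeverExpires', 'PasswordLastSet',
             'msDS-UserPasswordExpiryTimeComputed'

    Get-ADUser -Filter { Enabled -eq $true } -Properties $props |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # The DC returns Int64.MaxValue when no expiry applies (never-expires
            # accounts), and 0/empty when the user must change at next logon.
            # FromFileTime would throw on Int64.MaxValue, so handle both first.
            if ($_.PasswordNeverExpires -or $raw -eq [long]::MaxValue) {
                $expiry = $null; $state = 'NeverExpires'
            } elseif (-not $raw) {
                $expiry = $null; $state = 'MustChange'
            } else {
                $expiry = [datetime]::FromFileTime($raw)
                $state = if ($expiry -lt $now) { 'Expired' }
                         elseif ($expiry -le $now.AddDays($Days)) { 'ExpiringSoon' }
                         else { 'OK' }
            }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                DisplayName     = $_.DisplayName
                PasswordLastSet = $_.PasswordLastSet
                ExpiryDate      = $expiry
                State           = $state
            }
        }
}

# Show only the rows that need attention rather than the whole directory.
Get-PasswordExpiryReport -Days 14 |
    Where-Object { $_.State -in 'Expired', 'ExpiringSoon', 'NeverExpires' } |
    Sort-Object State, ExpiryDate |
    Format-Table -AutoSize
```

Pipe the function's output to Export-Csv instead of Format-Table if you want the same CSV shape the earlier Set-ADUser cleanup script reads from.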

April 4, 2017 at 6:04 pm

For some reason or other, all of our accounts are set to "password never expires", which makes this more difficult. At least, that's what I can tell from the attributes listing in ADUC. I will check with the higher admins on password policy.