
January 1, 2012 at 12:00 am

by jbiggerstaff at 2012-10-30 15:19:19

I know that I have at least 1 user object in my domain where passwordexpired = True. When I run a query it appears to crank away but then comes back with no results. I have tried:

This returns no results:
Get-ADUser -Filter 'passwordexpired -eq $true'

Interestingly, this returns all users, even those with expired passwords:
Get-ADUser -Filter 'passwordexpired -eq $false'

This returns nothing:
Get-ADUser -Filter * | where-object {$_.passwordexpired -eq $true}

Any idea how I can simply get all users in my domain with expired passwords? Doesn't seem like it should be that difficult.

by mikefrobbins at 2012-10-30 18:41:14

Get-ADUser is one of those cmdlets that's what I call "pre-filtered". It doesn't include the PasswordExpired property by default. You have to add it with the -Properties parameter. I've added a filter so it also only returns enabled users.

Get-ADUser -Filter {enabled -eq $true} -Properties PasswordExpired | Where-Object {$_.PasswordExpired}
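An added example, not part of the original posts: it uses the same -Properties approach as the answer above and goes a step further by reporting when each password expired, read from the msDS-UserPasswordExpiryTimeComputed attribute. The function name Get-ExpiredPasswordUser and its SearchBase parameter are hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-ExpiredPasswordUser {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: optionally limit the search to one OU.
        [string]$SearchBase
    )

    # Neither property is returned by default, so both must be requested explicitly.
    $props = 'PasswordExpired', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'

    $query = @{ Filter = 'Enabled -eq $true'; Properties = $props }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query |
        Where-Object { $_.PasswordExpired } |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'

            # 0 means the password must be changed at next logon; Int64 max means
            # it never expires. Neither is a real timestamp, so skip the conversion.
            $expiredOn = if ($raw -gt 0 -and $raw -lt [Int64]::MaxValue) {
                [datetime]::FromFileTime($raw)
            } else {
                $null
            }

            [pscustomobject]@{
                SamAccountName        = $_.SamAccountName
                PasswordLastSet       = $_.PasswordLastSet
                ExpiredOn             = $expiredOn
                MustChangeAtNextLogon = ($raw -eq 0)
            }
        }
}

# Oldest expirations first: long-expired enabled accounts are the ones to review.
Get-ExpiredPasswordUser | Sort-Object ExpiredOn | Format-Table -AutoSize
```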

by jbiggerstaff at 2012-10-31 09:20:27

That works! Thank you so much.