Odd date behavior with Get-ADUser

    • #189160

      This command produces the output of an ID and the date the password will expire.

      Get-ADUser -ID MyID -Properties * | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

      The output is as follows and is incorrect:

      Displayname ExpiryDate
      ----------- ----------
      John M      12/31/1600 7:00:00 PM

      However, if I specify the property explicitly in the -Props, the correct information is produced:

      Get-ADUser -ID MyID -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
      Displayname ExpiryDate
      ----------- ----------
      John M      12/8/2019 6:59:55 AM

      Any ideas?  I am fine with using the correct properties in the command, just curious why the wildcard * produces the wrong result.

    • #189172
      js

      Looks like properties * doesn't return msDS-UserPasswordExpiryTimeComputed.

      • #189196

        so simple

    • #189175

      This was a cool question! I've never had a problem with this, as I try to avoid using *, but!
      It looks like the * is pre-defined with 156 properties when there are actually more. I found this script to bring all the types:

      
      $properties = Get-ADObject -SearchBase (Get-ADRootDSE).SchemanamingContext -Filter {name -eq "User"} -Properties MayContain,SystemMayContain |
      Select-Object @{name="Properties";expression={$_.maycontain+$_.systemmaycontain}} |
      Select-Object -ExpandProperty Properties
      
      $properties.count
      165
      
      $bom = get-aduser myuser -prop *
      ($bom | gm | Where {$_.membertype -eq 'property'}).count
      156
      
      

      And this seems to be a rabbit hole. Needs to be dug deeper. Someone wiser could come to rescue me 🙂

    • #189496

      Interesting. I had always assumed when that funky date was returned, it implied the user had never logged in. In my environment, this assumption is accurate. Could that be your case as well?

    • #189769

      Search-ADAccount -AccountExpiring | select name,AccountExpirationDate

      Use that instead.  I had to adapt a lot of scripts after some PS update, I think it came out when Server 2012R2 did, but I forget the exact time.
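
The behaviour asked about at the top of this thread, as an added example that is not part of any poster's reply: when the attribute is not requested by name, `$_."msDS-UserPasswordExpiryTimeComputed"` is `$null`, which `[datetime]::FromFileTime()` converts to FILETIME 0 (midnight UTC on 1 January 1601, shown in local time). `Convert-PasswordExpiry` is a hypothetical helper name and the sample objects are constructed so the block runs without a domain controller.

```powershell
# Added example; Convert-PasswordExpiry is a hypothetical helper, not from the thread.
function Convert-PasswordExpiry {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User
    )
    process {
        $prop   = $User.PSObject.Properties['msDS-UserPasswordExpiryTimeComputed']
        $status = 'Expires'
        $expiry = $null

        if ($null -eq $prop -or $null -eq $prop.Value) {
            # Attribute was not requested by name. Passing $null to FromFileTime()
            # is the same as passing 0, which yields the 1600/1601 date.
            $status = 'AttributeNotReturned'
        }
        elseif ([long]$prop.Value -eq 0) {
            # The directory itself returns 0 when pwdLastSet is 0 or unset.
            $status = 'PwdLastSetZero'
        }
        elseif ([long]$prop.Value -eq [long]::MaxValue) {
            # 0x7FFFFFFFFFFFFFFF means no expiry; FromFileTime() throws on it.
            $status = 'NeverExpires'
        }
        else {
            $expiry = [datetime]::FromFileTime([long]$prop.Value)
        }

        [pscustomobject]@{
            DisplayName = $User.DisplayName
            Status      = $status
            ExpiryDate  = $expiry
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$samples = @(
    [pscustomobject]@{ DisplayName = 'Queried with -Properties *' }
    [pscustomobject]@{ DisplayName = 'Queried by name'; 'msDS-UserPasswordExpiryTimeComputed' = 132202799950000000 }
    [pscustomobject]@{ DisplayName = 'Never expires';   'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
    [pscustomobject]@{ DisplayName = 'pwdLastSet is 0'; 'msDS-UserPasswordExpiryTimeComputed' = 0 }
)
$samples | Convert-PasswordExpiry | Format-Table -AutoSize

# Against a live directory, request the attribute by name:
# Get-ADUser -Identity MyID -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Convert-PasswordExpiry
```

Reporting a status instead of a raw date keeps password-expiry audits from listing every account as expired in 1600 when the query used the wildcard.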
