[Get Active Directory User Password Expiration] #powershell #windows #activedirectory #usermanagement

Get-ADUserPasswordExpiration.ps1

# Get the date and time of an Active Directory user account given the username
#
# If the password is going to expire in the next 30 days the script will exit with
# 1, otherwise it will exit with 0.
# If the password is set to never expire, the script will return "Never"
# If the user account is not found, the script will return "Not Found
# Usage: Get-ADUserPasswordExpiration.ps1 -Identity <username>
# Example: Get-ADUserPasswordExpiration.ps1 -Identity jsmith

[CmdletBinding()]
Param(
    [Parameter(Mandatory = $true, ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
    [string]$UserName
)

$ADUser = (Get-ADUser -Filter { SamAccountName -eq $UserName } -Properties msDS-UserPasswordExpiryTimeComputed, PasswordNeverExpires -ErrorAction SilentlyContinue)
$expiryTimeComputed = ($ADUser | Select-Object -ExpandProperty msds-userpasswordExpiryTimeComputed -ErrorAction SilentlyContinue)
$PasswordNeverExpires = ($ADUser | Select-Object -ExpandProperty PasswordNeverExpires -ErrorAction SilentlyContinue)

if ($null -eq $ADUser) {
    Write-Host 'Not Found'
    exit 1
}

if ($PasswordNeverExpires -eq $true) {
    Write-Host 'Never'
    exit 0
} else {
    $passwordExpirationDate = [DateTime]::FromFileTime($expiryTimeComputed)
    $timeUntilExpiration = $passwordExpirationDate - (Get-Date)
    
    Write-Host $passwordExpirationDate.ToString('MM/dd/yyyy hh:mm:ss tt')

    if ($timeUntilExpiration.Days -le 30) {
        exit 1
    } else {
        exit 0
    }
}