Password expiration function that takes fine-grained password policies into account
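#Requires -Modules ActiveDirectory

function Get-ADUserPasswordExpiration
{
    <#
    .SYNOPSIS
    Calculates when a user's password expires, honouring fine-grained
    password policies.

    .DESCRIPTION
    For every user passed in, reads 'pwdLastSet' and 'msDS-ResultantPSO'.
    If the user has a resultant PSO, that policy's MaxPasswordAge is used;
    otherwise the default domain password policy's MaxPasswordAge is used.
    PSO objects are cached by distinguished name for the lifetime of the
    pipeline, so each policy is fetched at most once.

    .PARAMETER Identity
    One or more ADUser objects (or values that bind to ADUser), accepted
    from the pipeline or by the 'DistinguishedName' property name.

    .OUTPUTS
    One [pscustomobject] per user with the properties:
      User    - the input identity
      Expires - pwdLastSet + MaxPasswordAge, or [datetime]0 when the user
                object carries no 'pwdLastSet' value.

    .NOTES
    Failures to read the default policy, the user or the PSO are rethrown
    and terminate the pipeline.

    NOTE(review): the calculation does not look at the account's
    "password never expires" setting, at pwdLastSet = 0 (password must be
    changed at next logon), or at a policy whose MaxPasswordAge is zero.
    For such accounts the Expires value is presumably not meaningful -
    confirm before using the output for audit or compliance reporting.
    #>
    param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [Alias('DistinguishedName')]
        [Microsoft.ActiveDirectory.Management.ADUser[]]$Identity
    )

    begin{
        # The default domain policy is the fallback for every user without a PSO,
        # so fetch it once up front; nothing useful can be done without it.
        try{
            $DefaultPasswordPolicy = Get-ADDefaultDomainPasswordPolicy
        }
        catch{
            throw $_
        }

        # PSO distinguished name -> policy object
        $CacheTable = @{}
    }

    process{
        foreach($Id in $Identity){
            # Prepare result object; [datetime]0 marks "expiration unknown"
            $Result = [pscustomobject]@{
                User    = $Id
                Expires = [datetime]0
            }

            # Attempt to retrieve required attribute values for target user object.
            # A failure is rethrown and ends the whole pipeline, not just this user.
            try{
                $TargetUser = Get-ADUser $Id -Properties 'msDS-ResultantPSO','pwdLastSet' -ErrorAction Stop
            }
            catch{
                throw $_
            }

            # Without pwdLastSet there is nothing to calculate: emit the default
            # result once and move on. Skipping the rest of the iteration matters,
            # otherwise the date of the previously processed user would be reused
            # and the same object emitted a second time.
            if(-not $TargetUser.Contains('pwdLastSet')){
                Write-Output $Result
                continue
            }
            $userPasswordLastSet = [datetime]::FromFileTime($TargetUser.pwdLastSet)

            # Retrieve resultant PSO or fall back to the default password policy
            $passwordPolicy = $(if($TargetUser.Contains('msDS-ResultantPSO')){
                $PSODN = $TargetUser.'msDS-ResultantPSO'

                # Fetch the PSO only if we do not already have a cached copy.
                # -ErrorAction Stop: a failed lookup (for example, no read access
                # to the PSO) must not be cached as $null and turned into a
                # wrong expiration date.
                if(-not $CacheTable.ContainsKey($PSODN)){
                    $CacheTable[$PSODN] = Get-ADFineGrainedPasswordPolicy -Identity $PSODN -ErrorAction Stop
                }
                $CacheTable[$PSODN]
            }
            else{
                $DefaultPasswordPolicy
            })
            $passwordPolicyMaxAge = $passwordPolicy | Select-Object -ExpandProperty MaxPasswordAge

            # Modify result object, return to caller
            $Result.Expires = $userPasswordLastSet + $passwordPolicyMaxAge
            Write-Output $Result
        }
    }
}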