@IISResetMe
Last active July 10, 2017 20:39
Password expiration function that takes fine-grained password policies into account
#Requires -Modules ActiveDirectory
function Get-ADUserPasswordExpiration
{
    param(
        [Parameter(Mandatory=$true,ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [Alias('DistinguishedName')]
        [Microsoft.ActiveDirectory.Management.ADUser[]]$Identity
    )

    begin{
        # Resolve the default domain password policy once; a failure here terminates the call
        try{
            $DefaultPasswordPolicy = Get-ADDefaultDomainPasswordPolicy
        }
        catch{
            throw $_
        }

        # Cache of fine-grained password policy (PSO) objects, keyed by distinguished name
        $CacheTable = @{}
    }

    process{
        foreach($Id in $Identity){
            # Prepare result object
            $Result = [pscustomobject]@{
                User    = $Id
                Expires = [datetime]0
            }

            # Attempt to retrieve required attribute values for target user object
            try{
                $TargetUser = Get-ADUser $Id -Properties 'msDS-ResultantPSO','pwdLastSet' -ErrorAction Stop
            }
            catch{
                # Report the failure and move on to the next identity
                Write-Error -ErrorRecord $_
                continue
            }

            # Attempt to calculate DateTime for when password was set, return default result otherwise
            if($TargetUser.Contains('pwdLastSet')){
                $userPasswordLastSet = [datetime]::FromFileTime($TargetUser.pwdLastSet)
            }
            else{
                Write-Output $Result
                # Skip the calculation below so no second (stale) result is emitted for this user
                continue
            }

            # Retrieve resultant PSO or default to default password policy, grab MaxPasswordAge
            $passwordPolicyMaxAge = $(if($TargetUser.Contains('msDS-ResultantPSO')){
                $PSODN = $TargetUser.'msDS-ResultantPSO'

                # Check if we already have a cached copy of the PSO object
                if($CacheTable.ContainsKey($PSODN)){
                    $CacheTable[$PSODN]
                }
                else{
                    # Fetch the PSO, cache it, and emit it in one step
                    ($CacheTable[$PSODN] = Get-ADFineGrainedPasswordPolicy -Identity $PSODN)
                }
            }
            else{
                $DefaultPasswordPolicy
            }) |Select-Object -ExpandProperty MaxPasswordAge

            # Modify result object, return to caller
            $Result.Expires = $userPasswordLastSet + $passwordPolicyMaxAge
            Write-Output $Result
        }
    }
}
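
The calculation above adds MaxPasswordAge to pwdLastSet unconditionally, so a pwdLastSet of 0 (user must change password at next logon) yields a date in 1601, and a MaxPasswordAge of zero (passwords never expire) or the DONT_EXPIRE_PASSWORD flag yields a date that looks already expired. The following is an added example, not part of the gist author's code, showing the same arithmetic with those cases handled; `Resolve-PasswordExpiry`, its parameter names and the sample values are hypothetical.

```powershell
# Added example: expiry calculation with the edge cases made explicit.
# Takes plain values, so it runs without a domain controller.
function Resolve-PasswordExpiry
{
    param(
        [Parameter(Mandatory=$true)][long]$PwdLastSet,          # raw pwdLastSet FILETIME value
        [Parameter(Mandatory=$true)][timespan]$MaxPasswordAge,  # from the resultant PSO or default policy
        [int]$UserAccountControl = 0x200                        # NORMAL_ACCOUNT
    )

    $DONT_EXPIRE_PASSWORD = 0x10000   # userAccountControl flag: password never expires

    # Decide the state first; only the last branch needs date arithmetic
    $expires = $null
    $state = $(
        if($UserAccountControl -band $DONT_EXPIRE_PASSWORD){
            'NeverExpires'            # account-level override beats any policy
        }
        elseif($PwdLastSet -eq 0){
            'MustChangeAtNextLogon'   # no meaningful "last set" time to add to
        }
        elseif($MaxPasswordAge -eq [timespan]::Zero){
            'NeverExpires'            # policy-level: a max age of zero disables expiration
        }
        else{
            $expires = [datetime]::FromFileTimeUtc($PwdLastSet) + $MaxPasswordAge
            if($expires -le [datetime]::UtcNow){ 'Expired' } else { 'Active' }
        }
    )

    [pscustomobject]@{
        State      = $state
        ExpiresUtc = $expires
    }
}

# Constructed sample values
$tenDaysAgo = [datetime]::UtcNow.AddDays(-10).ToFileTimeUtc()
$policyAge  = New-TimeSpan -Days 42

Resolve-PasswordExpiry -PwdLastSet $tenDaysAgo -MaxPasswordAge $policyAge
Resolve-PasswordExpiry -PwdLastSet 0           -MaxPasswordAge $policyAge
Resolve-PasswordExpiry -PwdLastSet $tenDaysAgo -MaxPasswordAge ([timespan]::Zero)
Resolve-PasswordExpiry -PwdLastSet $tenDaysAgo -MaxPasswordAge $policyAge -UserAccountControl 0x10200
```

When auditing real accounts, the constructed attribute `msDS-UserPasswordExpiryTimeComputed` on the user object gives the domain controller's own answer to compare against.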