Last active
April 19, 2016 19:28
Find a user's password expiration date in Active Directory without installing the Remote Server Administration Tools
```powershell
# help function (defined first so it exists before the script calls it)
function convertTimeToDays ($value)
{
    # the value is stored as a negative count of 100-nanosecond intervals
    [int64]$maxpwdage = [System.Math]::Abs( $value )
    return $maxpwdage/864000000000
}

# params to set
$userAccountName = "someAlias"
$baseDN = "DC=corp,DC=company"

# get domain password expiration info
$baseDS = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$baseDN")
$dc = $baseDS.FindOne()
$maxPwdAgeInDays = convertTimeToDays ( $dc.Properties.Item("maxPwdAge")[0] )

# find user
$userSearch = $baseDS
$userSearch.Filter = "(&(objectClass=user)(sAMAccountName=$userAccountName))"
# Add() returns the index of the new entry; discard it so it is not printed
[void]$userSearch.PropertiesToLoad.Add("msDS-ResultantPSO")
[void]$userSearch.PropertiesToLoad.Add("pwdlastset")
$user = $userSearch.FindOne()

# find out password expiration date
[long]$time = [long][string]($user.Properties.pwdlastset)

# check for advanced password policy (fine-grained PSO applied to this user)
$advancedPasswordDomainPath = $user.Properties.Item("msDS-ResultantPSO")
if ( $advancedPasswordDomainPath -ne $null )
{
    $searchForPassPolicy = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$advancedPasswordDomainPath")
    $maxAge = $searchForPassPolicy.FindOne().Properties.Item("msDS-MaximumPasswordAge")[0]
    $maxPwdAgeInDays = convertTimeToDays ( $maxAge )
}

# pwdLastSet counts from the year 1601, .NET ticks from the year 1, hence AddYears(1600)
$passwordSetDate = $([DateTime]$time).AddYears(1600).ToLocalTime()
$expirationDate = $passwordSetDate.AddDays($maxPwdAgeInDays)
$today = [DateTime]::Today
$timeLeftInDays = $expirationDate.Subtract($today).Days

Write-Host "Username: $userAccountName"
Write-Host "Password expiration time: $maxPwdAgeInDays days"
Write-Host "Password was set: $passwordSetDate"
Write-Host "Password expires: $expirationDate"
Write-Host "Time left: $timeLeftInDays"
```
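The script above computes a date for every account and places `$userAccountName` directly into the LDAP filter. The following is an added example, not part of the original gist: it escapes the filter value per RFC 4515 and classifies the cases where no expiration date exists (password never expires, or must be changed at next logon). The function names `ConvertTo-LdapFilterValue` and `Get-PasswordExpiry` are hypothetical and all sample values are constructed.

```powershell
# Added example with constructed inputs; it needs no directory connection.
$DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl bit ADS_UF_DONT_EXPIRE_PASSWD

# Escape a value for use inside an LDAP search filter (RFC 4515).
function ConvertTo-LdapFilterValue([string]$Value) {
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        if ('\*()'.IndexOf($ch) -ge 0 -or [int]$ch -eq 0) {
            [void]$sb.AppendFormat('\{0:x2}', [int]$ch)   # e.g. '*' becomes \2a
        } else {
            [void]$sb.Append($ch)
        }
    }
    $sb.ToString()
}

# Classify the raw attribute values instead of assuming a date always exists.
function Get-PasswordExpiry {
    param(
        [long]$PwdLastSet,            # pwdLastSet (FILETIME, UTC)
        [long]$MaxPwdAge,             # maxPwdAge or msDS-MaximumPasswordAge
        [int]$UserAccountControl = 0  # userAccountControl
    )
    $state = 'Expires'; $expires = $null
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWD) {
        $state = 'NeverExpires'
    } elseif ($PwdLastSet -eq 0) {
        $state = 'MustChangeAtNextLogon'
    } elseif ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) {
        $state = 'NeverExpires'       # reserved values: no maximum age
    } else {
        $age = [Math]::Abs($MaxPwdAge)  # stored as a negative interval
        $expires = [DateTime]::FromFileTimeUtc($PwdLastSet).AddTicks($age)
    }
    [pscustomobject]@{ State = $state; ExpiresUtc = $expires }
}

# Constructed sample values: password set 2016-01-01 UTC, 90-day policy
$setUtc = (New-Object DateTime -ArgumentList 2016, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)).ToFileTimeUtc()
$maxAge = [TimeSpan]::FromDays(-90).Ticks
$noExpiryUac = 0x200 -bor $DONT_EXPIRE_PASSWD

Get-PasswordExpiry -PwdLastSet $setUtc -MaxPwdAge $maxAge
Get-PasswordExpiry -PwdLastSet 0 -MaxPwdAge $maxAge
Get-PasswordExpiry -PwdLastSet $setUtc -MaxPwdAge $maxAge -UserAccountControl $noExpiryUac
'(&(objectClass=user)(sAMAccountName={0}))' -f (ConvertTo-LdapFilterValue 'j.doe*)')
```

To use this with the script above, add `userAccountControl` to `PropertiesToLoad` and pass the loaded values to `Get-PasswordExpiry`.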
Thank you, was looking for a way to pull in the PSO maxpasswordage.
This line is giving an error
$maxAge = $searchForPassPolicy.FindOne().Properties.item("msDS-MaximumPasswordAge")[0]
error:
Exception calling "FindOne" with "0" argument(s): "The specified directory service attribute or value does not exist.
line: $advancedPasswordDomainPath = $user.properties.item("msDS-ResultantPSO") does give me the proper PSO.
Any help would be appreciated.
thanks,
mike