@jarig
Last active April 19, 2016 19:28
Find a user's password expiration date in Active Directory without installing the Remote Server Administration Tools
# params to set
$userAccountName = "someAlias"
$baseDN = "DC=corp,DC=company"

# helper function: convert an AD interval (count of 100 ns ticks, stored negative) to days.
# Defined before first use because PowerShell runs a script top to bottom.
function convertTimeToDays ($value)
{
    [int64]$maxpwdage = [System.Math]::Abs( $value )
    return $maxpwdage/864000000000
}

# get domain password expiration info
$baseDS = New-Object system.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$baseDN")
$dc = $baseDS.findone()
$maxPwdAgeInDays = convertTimeToDays ( $dc.properties.item("maxPwdAge")[0] )

# find user
$userSearch = $baseDS
$userSearch.filter = "(&(objectClass=user)(sAMAccountName=$userAccountName))"
# Add() returns the new index; discard it so it does not end up in the output
$userSearch.PropertiesToLoad.Add("msDS-ResultantPSO") | Out-Null
$userSearch.PropertiesToLoad.Add("pwdlastset") | Out-Null
$user = $userSearch.FindOne()

# find out password expiration date
[long]$time = [long][string]($user.properties.pwdlastset)

# check for advanced (fine-grained) password policy;
# item() returns an empty collection when the attribute is absent, so test Count
$advancedPasswordDomainPath = $user.properties.item("msDS-ResultantPSO")
if ( $advancedPasswordDomainPath.Count -gt 0 )
{
    $searchForPassPolicy = New-Object system.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($advancedPasswordDomainPath[0])")
    $maxAge = $searchForPassPolicy.FindOne().Properties.item("msDS-MaximumPasswordAge")[0]
    $maxPwdAgeInDays = convertTimeToDays ( $maxAge )
}

# pwdlastset counts ticks from 1601-01-01 UTC, [DateTime] ticks count from year 0001
$passwordSetDate = $([DateTime]$time).AddYears(1600).ToLocalTime()
$expirationDate = $passwordSetDate.AddDays($maxPwdAgeInDays)
$today = [DateTime]::Today
$timeLeftInDays = $expirationDate.Subtract($today).Days

Write-Host "Username: $userAccountName"
Write-Host "Password expiration time: $maxPwdAgeInDays days"
Write-Host "Password was set: $passwordSetDate"
Write-Host "Password expires: $expirationDate"
Write-Host "Time left: $timeLeftInDays"
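
The script above feeds the raw attribute values straight into [System.Math]::Abs and a date conversion, which breaks down for accounts whose password does not expire or has never been set. An added example (not part of the original gist) of the same calculation with those cases handled; Get-PasswordExpiry and the sample values are constructed for illustration, and it takes the raw attribute values as parameters so it runs without a domain:

```powershell
# Added example: Get-PasswordExpiry and all sample values below are constructed.
function Get-PasswordExpiry {
    param(
        [long]$PwdLastSet,        # raw pwdLastSet: 100 ns ticks since 1601-01-01 UTC
        [long]$MaxPwdAge,         # raw maxPwdAge or msDS-MaximumPasswordAge (negative interval)
        [int]$UserAccountControl  # raw userAccountControl flags
    )
    $DONT_EXPIRE_PASSWD = 0x10000

    # "Password never expires" is set on the account itself.
    if ($UserAccountControl -band $DONT_EXPIRE_PASSWD) {
        return [pscustomobject]@{ Status = 'NeverExpires'; PasswordSet = $null; Expires = $null }
    }
    # pwdLastSet = 0 is not a date: the user must change the password at next logon.
    if ($PwdLastSet -eq 0) {
        return [pscustomobject]@{ Status = 'MustChangeAtNextLogon'; PasswordSet = $null; Expires = $null }
    }
    $setDate = [DateTime]::FromFileTimeUtc($PwdLastSet)
    # 0 and Int64.MinValue are both treated as "no maximum age";
    # [Math]::Abs throws an OverflowException on Int64.MinValue.
    if ($MaxPwdAge -eq 0 -or $MaxPwdAge -eq [long]::MinValue) {
        return [pscustomobject]@{ Status = 'NeverExpires'; PasswordSet = $setDate; Expires = $null }
    }
    $expires = $setDate.AddTicks([Math]::Abs($MaxPwdAge))
    $status = if ($expires -le [DateTime]::UtcNow) { 'Expired' } else { 'Active' }
    return [pscustomobject]@{ Status = $status; PasswordSet = $setDate; Expires = $expires }
}

# Constructed inputs: password set 2016-01-01 UTC, 42-day policy = -36288000000000 ticks
$set = (New-Object DateTime 2016,1,1,0,0,0,([DateTimeKind]::Utc)).ToFileTimeUtc()
$cases = @(
    @{ PwdLastSet = $set; MaxPwdAge = -36288000000000; UserAccountControl = 0x200 },   # normal account
    @{ PwdLastSet = $set; MaxPwdAge = [long]::MinValue; UserAccountControl = 0x200 },  # policy without maximum age
    @{ PwdLastSet = 0;    MaxPwdAge = -36288000000000; UserAccountControl = 0x200 },   # change at next logon
    @{ PwdLastSet = $set; MaxPwdAge = -36288000000000; UserAccountControl = 0x10200 }  # DONT_EXPIRE_PASSWD set
)
foreach ($c in $cases) { Get-PasswordExpiry @c }
```

To use it against a directory, load userAccountControl alongside pwdlastset in the user search and pass the three raw values in.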
@mlcounts

Thank you, was looking for a way to pull in the PSO maxpasswordage.
This line is giving an error
$maxAge = $searchForPassPolicy.FindOne().Properties.item("msDS-MaximumPasswordAge")[0]

error:
Exception calling "FindOne" with "0" argument(s): "The specified directory service attribute or value does not exist.

line: $advancedPasswordDomainPath = $user.properties.item("msDS-ResultantPSO") does give me the proper PSO.
Any help would be appreciated.
thanks,
mike
