AD Password Expiration - script.

MAC_AddyMAC_Addy Member Posts: 1,740 ■■■■□□□□□□
AD guru's. I'm not a guru of AD myself - I know A LOT about AD, but when it comes to scripting, I'm not that great.

Does anyone know of any type of script I can run to find out when a particular AD account is going to expire? I'm running a mixture of 2003 and 2008, so it would be helpful if the command will run on both platforms.

Thanks!
2017 Certification Goals:
CCNP R/S

Comments

  • AkaricloudAkaricloud Member Posts: 938
    I've always used Microsoft's Lockout Status utility that they have available for download.

    From this you can see when the password was set, and how long the expiration period is.
  • JasminLandryJasminLandry Member Posts: 601 ■■■□□□□□□□
    I believe your best option would be PowerShell. You can definitely get what you want with this.
  • lsud00dlsud00d Member Posts: 1,571
    Akaricloud wrote: »
    I've always used Microsoft's Lockout Status utility that they have available for download.

    From this you can see when the password was set, and how long the expiration period is.

    via PoSH (and @Akaricloud's suggestion in two one-liners)

    > import-module ActiveDirectory
    > get-aduser -identity (username) -properties * | select passwordlastset
    > get-addefaultdomainpasswordpolicy | select maxpasswordage

    I don't feel like writing a script to do the math between the two since one is a date object and the other is a time reference so...do the math in your head icon_wink.gif
  • QordQord Member Posts: 632 ■■■■□□□□□□
    What would the end result be? Are you looking for something you can just feed a username to and get that result, or are you looking to make a report on all AD user objects? As long as you've got a 2008 domain controller to talk to, I don't think this would be difficult at all. Do you have the RSAT installed on the computer you plan to run this from?
Sign In or Register to comment.