AD Password Expiration - script.

AD guru's. I'm not a guru of AD myself - I know A LOT about AD, but when it comes to scripting, I'm not that great.

Does anyone know of any type of script I can run to find out when a particular AD account is going to expire? I'm running a mixture of 2003 and 2008, so it would be helpful if the command will run on both platforms.

Thanks!

Find more posts tagged with

Comments

Akaricloud

I've always used Microsoft's Lockout Status utility that they have available for download.

From this you can see when the password was set, and how long the expiration period is.

JasminLandry

I believe your best option would be PowerShell. You can definitely get what you want with this.

lsud00d

Akaricloud wrote: »

I've always used Microsoft's Lockout Status utility that they have available for download.

From this you can see when the password was set, and how long the expiration period is.

via PoSH (and @Akaricloud's suggestion in two one-liners)

> import-module ActiveDirectory
> get-aduser -identity (username) -properties * | select passwordlastset
> get-addefaultdomainpasswordpolicy | select maxpasswordage

I don't feel like writing a script to do the math between the two since one is a date object and the other is a time reference so...do the math in your head

Qord

What would the end result be? Are you looking for something you can just feed a username to and get that result, or are you looking to make a report on all AD user objects? As long as you've got a 2008 domain controller to talk to, I don't think this would be difficult at all. Do you have the RSAT installed on the computer you plan to run this from?