Home / server / Questions / 723217
Accepted
Cranta Ionut
Asked: 2015-09-19 00:39:28 +0800 CST

Find out if password expired or when it expires for user in a specific OU

  • 772

Is there any powershell command that outputs the users that have their passwords expired from a specific organizational unit (OU).

If so can it be combined in a script with another command that outputs the time when it expires for all the users in the specific OU ?

Thank you.

active-directory

3 Answers

  1. Best Answer

    Get AD Users Password Expiration Report from Specific OU: 

    Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" | 
  Select-Object -Property "SamAccountName", @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Format-Table

    You may also take help from this blog which lets you how to email users a active directory password expiration notification and schedule reports, alerts and be compliant with all password expiration related tasks to save your time: http://www.symantec.com/connect/blogs/how-automate-password-change-notification-through-email

     

    • 5

  2. Users with expired passwords:

    Get-ADUser -SearchBase "ou=MyOU,dc=MyDomain,dc=Local" -filter * -properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet | where {$_.Enabled -eq "True"} | where {$_.PasswordNeverExpires -eq $false} | where {$_.passwordexpired -eq $true}

    To get time when password expires you should get PasswordLastSet property and add MaxPasswordAge from domain policy (e.g. $DefaultmaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge).

    Please have a look at Password Expiry Email Notification script on TechNet: https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27 Good sample for the subject.

    • 2

  3. To list enabled users with expired passwords in a specific OU:

    Get-ADUser -filter {Enabled -eq $True -and PasswordExpired -eq $True} -SearchBase "OU=Finance,OU=Users,DC=yourdomain,DC=com"

    To list enabled users within a specific OU with password expiration dates:

    Get-ADUser -filter {Enabled -eq $True} -SearchBase "OU=Finance,OU=Users,DC=yourdomain,DC=com" –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed"
|
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
    • 2