Written by Luke

How to find a user’s password expiration date with PowerShell

Retrieve the information

This information can be found in the user’s Active Directory’s objects with the Get-ADUser cmdlet.
However, the msDS-UserPasswordExpiryTimeComputed attribute is a constructed attribute. According to Microsoft:

Constructed attributes have the property that they are attributes for which the attribute value is computed by using other attributes, sometimes from other objects.

And because it is a constructed attribute, an empty value is returned by the Get-ADUser cmdlet when you specify * as an argument for the Properties parameter.
Thus you have to specify a list of properties you want to get, including the msDS-UserPasswordExpiryTimeComputed attribute.

active directory constructed computed attribute property not show showing

Converting the result to a human-readable value

Of course, there are several ways to achieve it, but I will focus here on the one-liner method.

The result returned by the former cmdlet is a hash table containing the property name and the property value.
Thus you have to first isolate the value you need to convert.
This can be done by surrounding the command-line with parenthesizes, followed by a dot and the name of the property.

(Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'

And don’t forget to en-quote the msDS-UserPasswordExpiryTimeComputed
word after the dot, because it contains a dash character.

Originally, I wanted to pipe the result to the Get-Date cmdlet in order to convert the former number to a date object.
However, it seems like the Get-Date and the [datetime] casting method are not able to handle this number correctly.
Both misinterpret the year from 2019 to 0419.
(Thanks to ps1code for pointing this problem out in the comments.
If you want an explanation about the reason, check out the post of one of my colleague and MVP Emin ATAC here)

Fortunately, the [datetime] accelerator associated with the FromFileTime method is doing
the job correctly and furthermore we can do all the stuff with a one-liner.

(Get-ADUser -Identity fullenwarth -Properties
msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed' |ForEach-Object -Process
{[datetime]::FromFileTime($_)}

More about

Constructed
Attributes (MSDN)

3 thoughts on “How to find a user’s password expiration date with PowerShell

  1. I get weird values like Sunday, September 16, 0418 12:02:55 PM or 1/1/0001 12:00:00 AM.
    When I tried to format the Date with Get-Date -Format 'dd/MM/yyyy', I got this one: 16/09/0418. The year is 0418 ???!!!

    Liked by 1 person

    Reply

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s