4

Is there any PowerShell command that outputs the users that have their passwords expired from a specific organizational unit (OU)?

If so, can it be combined in a script with another command that outputs the time when it expires for all the users in the specific OU?

Thank you.

Cranta Ionut

3 Answers

5

Get AD Users Password Expiration Report from Specific OU:

Import-Module ActiveDirectory
Get-ADUser -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" | 
  Select-Object -Property "SamAccountName", @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
    Format-Table

You may also get help from this blog, which shows you how to email users an Active Directory password expiration notification, schedule reports and alerts, and be compliant with all password-expiration-related tasks to save your time: http://www.symantec.com/connect/blogs/how-automate-password-change-notification-through-email

EM0
mac
2

Users with expired passwords:

Get-ADUser -SearchBase "ou=MyOU,dc=MyDomain,dc=Local" -Filter * -Properties Name, PasswordNeverExpires, PasswordExpired, PasswordLastSet |
  Where-Object { $_.Enabled -eq $true -and $_.PasswordNeverExpires -eq $false -and $_.PasswordExpired -eq $true }

To get the time when the password expires, you should get the PasswordLastSet property and add MaxPasswordAge from the domain policy (e.g. $DefaultmaxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge).

Please have a look at the Password Expiry Email Notification script on TechNet: https://gallery.technet.microsoft.com/Password-Expiry-Email-177c3e27 It is a good sample for the subject.

Vadim
2

To list enabled users with expired passwords in a specific OU:

Get-ADUser -filter {Enabled -eq $True -and PasswordExpired -eq $True} -SearchBase "OU=Finance,OU=Users,DC=yourdomain,DC=com"

To list enabled users within a specific OU with password expiration dates:

Get-ADUser -Filter {Enabled -eq $True} -SearchBase "OU=Finance,OU=Users,DC=yourdomain,DC=com" -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
  Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Volodymyr Molodets
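
Added example, not part of any answer above: one report that gives both the expired state and the expiry time per user, built on the msDS-UserPasswordExpiryTimeComputed attribute the answers use. It handles the two special values of that attribute: 0 (password must be changed at next logon) and 0x7FFFFFFFFFFFFFFF (password never expires), which [datetime]::FromFileTime() cannot convert. The function names Get-PasswordExpiryStatus and Get-OUPasswordExpiryReport are hypothetical, and the sample accounts are constructed so the last lines run without a domain.

```powershell
# Added example: classify accounts by the raw msDS-UserPasswordExpiryTimeComputed value.
function Get-PasswordExpiryStatus {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw    = [int64]$User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($raw -eq [int64]::MaxValue) {
            $status = 'NeverExpires'            # sentinel; FromFileTime() would throw on it
        } elseif ($raw -eq 0) {
            $status = 'MustChangeAtNextLogon'   # pwdLastSet is 0 or unset
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            $status = if ($expiry -le $Now) { 'Expired' } else { 'Valid' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Status         = $status
            ExpiryDate     = $expiry
            DaysLeft       = if ($null -ne $expiry) { [math]::Floor(($expiry - $Now).TotalDays) }
        }
    }
}

# Live report for one OU (needs the ActiveDirectory module and a domain connection).
function Get-OUPasswordExpiryReport {        # hypothetical wrapper name
    param([Parameter(Mandatory)] [string] $SearchBase)
    Import-Module ActiveDirectory
    Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
               -Properties 'msDS-UserPasswordExpiryTimeComputed' |
        Get-PasswordExpiryStatus | Sort-Object Status, ExpiryDate
}

# Offline demonstration on constructed accounts (not real directory data).
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; 'msDS-UserPasswordExpiryTimeComputed' = (Get-Date '2024-05-20').ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';   'msDS-UserPasswordExpiryTimeComputed' = (Get-Date '2024-06-15').ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'svc01'; 'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'carol'; 'msDS-UserPasswordExpiryTimeComputed' = [int64]0 }
)
$sample | Get-PasswordExpiryStatus -Now $now | Format-Table -AutoSize
```

Against a real directory, call Get-OUPasswordExpiryReport with the OU's distinguished name and filter on Status -eq 'Expired' to get only the expired accounts.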