“Whose password is about to expire?” — using the computed expiry attribute.
Expiry date for every user
Get-ADUser -Filter * -Properties "msDS-UserPasswordExpiryTimeComputed" |
Select-Object Name, SamAccountName,
@{Name='Expiry'; Expression={ [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') }}
Passwords expiring in the next 14 days
$limit = (Get-Date).AddDays(14)
Get-ADUser -Filter {Enabled -eq $true} -Properties "msDS-UserPasswordExpiryTimeComputed" |
Select-Object Name, SamAccountName,
@{Name='Expiry'; Expression={ [datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') }} |
Where-Object { $_.Expiry -le $limit -and $_.Expiry -gt (Get-Date) } |
Sort-Object Expiry
Accounts set to “password never expires”
Get-ADUser -Filter {PasswordNeverExpires -eq $true -and Enabled -eq $true} |
Select-Object Name, SamAccountName
Notes: msDS-UserPasswordExpiryTimeComputed is a constructed attribute, so you must request
it explicitly with -Properties. A value of 0 (or a huge number) means “never expires” /
“must change at next logon” — those convert to odd dates, which is why the “expiring soon” query
filters with -gt (Get-Date). Requires the RSAT ActiveDirectory module.