How to get AD Password Age with PowerShell

March 28, 2021March 28, 2023 Thomas

Tweet

Share

Pin1

In this post I will show you how easy you can find Active Directory password age for users, using simple PowerShell commands.

How to get Password Age with PowerShell

I you have a lot of users in Active Directory it can be difficult to get the full picture of your user’s password age. The easiest way to get the full picture is to use PowerShell commands to list the users and the password properties. With password you can pull a list of users in your Active Directory that you want to check up on. In this post I will show you some simple tips to get started.

List users and password age with PowerShell

The Cmd-Let we will use to pull the information in these examples, is named Get-ADUser. We will start with a very simple example:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | ft name, passwordlastset, passwordneverexpires

This command returns name, passwordlastset and passwordneverexpires.

If you want to get the data in an csv file for future analyses you can add the Export-Csv cmd-let. Now the command should look like this:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | select name, passwordlastset, passwordneverexpires |Export-CSV -Path c:\users.csv -Encoding utf8

This will result in a csv file with the name users.csv you can use in Excel to get the full picture of your current password saturation. You can of cause change the path to whatever location you prefer.

If you want to exclude users that have PasswordNeverExpires set, you can use the following command:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | where {$_.passwordNeverExpires -eq $false } | select name, passwordlastset, passwordneverexpires

This make great sense, because you don’t care about the user’s password age if the password never expires, right?

You can still get your result parsed to a csv file, by adding the export-csv cmd-let to the command as shown below:

Get-ADUser -Filter * -Properties passwordlastset, passwordneverexpires | where {$_.passwordNeverExpires -eq $false } | select name, passwordlastset, passwordneverexpires |Export-CSV – Path c:\users.csv -Encoding utf8

More PowerShell commands

If you want to discover all what the Get-ADUser can do, you can find full documentation on the link below:

More info about the Get-ADUser Cmdlet

There is also a lot of other great cmdlets you can use to script against Active Directory like:

Get-ADGroup

Get-ADGroupMember

New-ADUser

Set-ADUser

For more documentation on PowerShell and Active Directory look here

Final words about the Get-ADUser Cmd-Let

I hope you found this post inspiring and that you have learned something new. Anyway, you can go ahead and refine your script to do it even smarter, so it fits just to your needs. As you can see there is lots of possibilities with PowerShell scripting.

Tweet

Share

Pin1

Related posts

• 

  August 8, 2023 Thomas 0

  What is ChatGPT and Why all the Hype?

  Unless you have been living under a rock for the last 6 month, you have for...

  Common 

• 

  July 16, 2023 Thomas 0

  Use PowerShell to Export/Import Firewall rules

  In this post I will show you how you can export/import Windows Firewall rules using PowerShell.

  Common 

• 

  May 16, 2021 Thomas 0

  What is Windows Terminal?

  What is Windows Terminal and how do you get it? I will explain all that and...

  Windows 10