Hello,
I’m trying to report on Active Directory user account values. In the code below, AccountExpires returns “12/31/1600 4:00:00 PM” when it has not been set.
I tried inserting an If statement in the Expression, but not sure how to code this.
How can I change this value to “Never” or something else that makes more sense?
Here is what I have so far:
```powershell
$users = @('user1', 'user2', 'user3')
$users | Get-ADUser -Server $srver -Credential $creds -ErrorAction SilentlyContinue -Properties `
    "DisplayName", `
    "msDS-UserPasswordExpiryTimeComputed", `
    "AccountExpires", `
    "PasswordNeverExpires", `
    "LockedOut" |
Select-Object -Property `
    @{Name="Name"; Expression={$_.DisplayName}},
    @{Name="Password Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
    @{Name="Account Expiration Date"; Expression={[datetime]::FromFileTime($_.AccountExpires)}},
    @{Name="Password Never Expires"; Expression={$_.PasswordNeverExpires}},
    @{Name="Enabled"; Expression={$_.Enabled}},
    @{Name="Locked"; Expression={$_.LockedOut}} | FT #Export-Csv $file -Notypeinfo
```
```
Name  Password Expiration Date Account Expiration Date Password Never Expires Enabled Locked
----  ------------------------ ----------------------- ---------------------- ------- ------
User1                          12/31/1600 4:00:00 PM   True                   True    False
User2 6/7/2020 9:39:17 AM      12/31/1600 4:00:00 PM   False                  True    False
User3 8/18/2020 12:54:04 PM    12/31/1600 4:00:00 PM   False                  True    False
```
```powershell
$users = @('user1', 'user2', 'user3')
$users | Get-ADUser -Server $srver -Credential $creds -ErrorAction SilentlyContinue -Properties `
    "DisplayName", `
    "msDS-UserPasswordExpiryTimeComputed", `
    "AccountExpires", `
    "PasswordNeverExpires", `
    "LockedOut" |
Select-Object -Property `
    @{Name="Name"; Expression={$_.DisplayName}},
    @{Name="Password Expiration Date";Expression={
            $Date = [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")
            if ($Date.Year -eq 1600) { 'Never' } else { $Date }
        }
    },
    @{Name="Account Expiration Date"; Expression={[datetime]::FromFileTime($_.AccountExpires)}},
    @{Name="Password Never Expires"; Expression={$_.PasswordNeverExpires}},
    @{Name="Enabled"; Expression={$_.Enabled}},
    @{Name="Locked"; Expression={$_.LockedOut}} | FT #Export-Csv $file -Notypeinfo
```
Hi Sam,
Really appreciate your quick reply. I’ll give that a try.
However, I think you targeted the “Password Expiration Date” field. The one that comes out with a year of 1600 is the line below. This is the AD field “AccountExpires” which I’ve labeled “Account Expiration Date”.
Thanks again.
Sam,
I got it to work with your help. Much appreciated.
One other question; if you look at the output, some accounts (i.e. user1) are set to never expire. These accounts return nothing in the Password Expiration Date field. I’ve tried checking for $null and ‘’ but still cannot get it to display 'Never'.
Thanks.
```powershell
$users = @('user1', 'user2', 'user3')
$users | Get-ADUser -Server $srver -Credential $creds -ErrorAction SilentlyContinue -Properties `
    "DisplayName", `
    "msDS-UserPasswordExpiryTimeComputed", `
    "AccountExpires", `
    "PasswordNeverExpires", `
    "LockedOut" |
Select-Object -Property `
    @{Name="Name"; Expression={$_.DisplayName}},
    @{Name="Password Expiration Date";Expression={
            if ($_."msDS-UserPasswordExpiryTimeComputed") { $_."msDS-UserPasswordExpiryTimeComputed" } else { 'Never' }
        }
    },
    @{Name="Account Expiration Date"; Expression={
            $Date = [datetime]::FromFileTime($_."AccountExpires")
            if ($Date.Year -eq 1600) { 'Never' } else { $Date }
        }
    },
    @{Name="Password Never Expires"; Expression={$_.PasswordNeverExpires}},
    @{Name="Enabled"; Expression={$_.Enabled}},
    @{Name="Locked"; Expression={$_.LockedOut}} | FT #Export-Csv $file -Notypeinfo
```
Strange, seems the msDS-UserPasswordExpiryTimeComputed cannot be checked for a value. Seems when the password never expires attribute is set to “True”, the msDS-UserPasswordExpiryTimeComputed does not exist and the Else condition is not triggered.
Here is actual output
```
User Name       Password Expiration Date Account Expiration Date Password Never Expires Account is Enabled Account is Locked
---------       ------------------------ ----------------------- ---------------------- ------------------ -----------------
Carson Goldberg                          Never                   True                   True               False
Kevin Gurney    6/7/2020 9:39:17 AM      Never                   False                  True               False
Don Bates       8/18/2020 12:54:04 PM    Never                   False                  True               False
Gregg Hess      8/16/2020 9:42:00 AM     Never                   False                  True               False
Josh Carey                               Never                   True                   True               False
Chris Murray    6/30/2020 4:13:38 PM     Never                   False                  True               False
```
This seems to be more of an AD question than PS. But you’re on the right track, just need to dive more into AD objects/properties/attributes and also some of the eccentricities with the AD PS module and filtering/LDAP properties.
Also take a look at Search-ADAccount which has a handful of very useful parameters to perform some very common AD queries. Like Search-ADAccount -LockedOut returns any AD accounts that are currently locked out.
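
An added example, not code from any poster in this thread: one way to render both attributes by testing the raw sentinel values instead of checking for year 1600 or an empty value. It relies on documented AD behaviour: `AccountExpires` is 0 or 0x7FFFFFFFFFFFFFFF when no expiry is set, while `msDS-UserPasswordExpiryTimeComputed` is 0x7FFFFFFFFFFFFFFF when the password never expires (a value `[datetime]::FromFileTime` rejects, which leaves the column blank) and 0 when `pwdLastSet` is 0. The function name `ConvertFrom-AdFileTime`, its `-ZeroMeans` parameter and the sample objects are constructed for illustration.

```powershell
# Added example. Converts an AD FILETIME-style attribute to a DateTime or a label.
function ConvertFrom-AdFileTime {
    param(
        [AllowNull()] $Value,
        [string] $ZeroMeans = 'Never'    # what a stored 0 means for this attribute
    )
    if ($null -eq $Value) { return 'Not set' }          # attribute not returned at all
    $raw = [Int64]$Value
    if ($raw -eq [Int64]::MaxValue) { return 'Never' }  # 0x7FFFFFFFFFFFFFFF sentinel
    if ($raw -eq 0) { return $ZeroMeans }
    try   { return [datetime]::FromFileTime($raw) }     # throws on out-of-range values
    catch { return "Invalid ($raw)" }
}

# Constructed sample objects standing in for Get-ADUser output, so this runs
# without the ActiveDirectory module. With real data, pipe Get-ADUser with
# -Properties 'msDS-UserPasswordExpiryTimeComputed','AccountExpires' instead.
$never  = [Int64]::MaxValue
$sample = @(
    [pscustomobject]@{ DisplayName = 'user1'; AccountExpires = 0
                       'msDS-UserPasswordExpiryTimeComputed' = $never }
    [pscustomobject]@{ DisplayName = 'user2'; AccountExpires = $never
                       'msDS-UserPasswordExpiryTimeComputed' = 132360000000000000 }
    [pscustomobject]@{ DisplayName = 'user3'; AccountExpires = 132500000000000000
                       'msDS-UserPasswordExpiryTimeComputed' = 0 }
)

$sample | Select-Object -Property `
    @{Name='Name'; Expression={$_.DisplayName}},
    @{Name='Password Expiration Date'; Expression={
            # For the password attribute, 0 does not mean "never".
            ConvertFrom-AdFileTime -Value ($_.'msDS-UserPasswordExpiryTimeComputed') `
                                   -ZeroMeans 'Password change required'
        }
    },
    @{Name='Account Expiration Date'; Expression={
            ConvertFrom-AdFileTime -Value ($_.AccountExpires)
        }
    } | Format-Table -AutoSize
```

Comparing the raw value also avoids the time-zone dependence of a `Year -eq 1600` test, since FILETIME 0 is 1601-01-01 UTC and only lands in 1600 for time zones behind UTC.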