Setting a default value in Select-Object

Hello,

I’m trying to report on Active Directory user account values. In the code below, AccountExpires returns “12/31/1600 4:00:00 PM” when it has not been set.

I tried inserting an If statement in the Expression, but I’m not sure how to code this.

How can I change this value to “Never” or something else that makes more sense?

Here is what I have so far:

$users = @('user1', 'user2', 'user3')

$users | Get-ADUser -Server $srver -Credential $creds -ErrorAction SilentlyContinue -Properties `
            "DisplayName", `
            "msDS-UserPasswordExpiryTimeComputed", `
            "AccountExpires", `
            "PasswordNeverExpires", `
            "LockedOut" |
         Select-Object -Property `
            @{Name="Name";                    Expression={$_.DisplayName}},
            @{Name="Password Expiration Date";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}},
            @{Name="Account Expiration Date"; Expression={[datetime]::FromFileTime($_.AccountExpires)}},
            @{Name="Password Never Expires";  Expression={$_.PasswordNeverExpires}},
            @{Name="Enabled";                 Expression={$_.Enabled}},
            @{Name="Locked";                  Expression={$_.LockedOut}} | FT #Export-Csv $file -Notypeinfo


Name            Password Expiration Date Account Expiration Date Password Never Expires Enabled Locked
----            ------------------------ ----------------------- ---------------------- ------- ------
User1                                    12/31/1600 4:00:00 PM                     True    True  False
User2           6/7/2020 9:39:17 AM      12/31/1600 4:00:00 PM                    False    True  False
User3           8/18/2020 12:54:04 PM    12/31/1600 4:00:00 PM                    False    True  False

$users = @('user1', 'user2', 'user3')

$users | Get-ADUser -Server $srver -Credential $creds -ErrorAction SilentlyContinue -Properties `
            "DisplayName", `
            "msDS-UserPasswordExpiryTimeComputed", `
            "AccountExpires", `
            "PasswordNeverExpires", `
            "LockedOut" |
         Select-Object -Property `
            @{Name="Name";                    Expression={$_.DisplayName}},
            @{Name="Password Expiration Date";Expression={
                    $Date = [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")
                    if ($Date.Year -eq 1600) { 'Never' } else { $Date }
                }
            },
            @{Name="Account Expiration Date"; Expression={[datetime]::FromFileTime($_.AccountExpires)}},
            @{Name="Password Never Expires";  Expression={$_.PasswordNeverExpires}},
            @{Name="Enabled";                 Expression={$_.Enabled}},
            @{Name="Locked";                  Expression={$_.LockedOut}} | FT #Export-Csv $file -Notypeinfo

Hi Sam,

Really appreciate your quick reply. I’ll give that a try.

However, I think you targeted the “Password Expiration Date” field. The one that comes out with a year of 1600 is the line below. This is the AD field “AccountExpires” which I’ve labeled “Account Expiration Date”.

Thanks again.

Sam,

I got it to work with your help. Much appreciated.

One other question: if you look at the output, some accounts (i.e. user1) are set to never expire. These accounts return nothing in the Password Expiration Date field. I’ve tried checking for $null and ‘’ but still cannot get it to display ‘Never’.

Thanks.

$users = @('user1', 'user2', 'user3')

$users | Get-ADUser -Server $srver -Credential $creds -ErrorAction SilentlyContinue -Properties `
            "DisplayName", `
            "msDS-UserPasswordExpiryTimeComputed", `
            "AccountExpires", `
            "PasswordNeverExpires", `
            "LockedOut" |
         Select-Object -Property `
            @{Name="Name";                    Expression={$_.DisplayName}},
            @{Name="Password Expiration Date";Expression={
                    if ($_."msDS-UserPasswordExpiryTimeComputed") { $_."msDS-UserPasswordExpiryTimeComputed" } else { 'Never' }
                }
            },
            @{Name="Account Expiration Date"; Expression={
                    $Date = [datetime]::FromFileTime($_."AccountExpires")
                    if ($Date.Year -eq 1600) { 'Never' } else { $Date }
                }
            },
            @{Name="Password Never Expires";  Expression={$_.PasswordNeverExpires}},
            @{Name="Enabled";                 Expression={$_.Enabled}},
            @{Name="Locked";                  Expression={$_.LockedOut}} | FT #Export-Csv $file -Notypeinfo

Strange, seems the msDS-UserPasswordExpiryTimeComputed cannot be checked for a value. Seems when the password never expires attribute is set to “True”, the msDS-UserPasswordExpiryTimeComputed does not exist and the Else condition is not triggered.

Here is actual output

User Name       Password Expiration Date Account Expiration Date Password Never Expires Account is Enabled Account is Locked
---------       ------------------------ ----------------------- ---------------------- ------------------ -----------------
Carson Goldberg                          Never                   True                    True              False
Kevin Gurney    6/7/2020 9:39:17 AM      Never                   False                   True              False
Don Bates       8/18/2020 12:54:04 PM    Never                   False                   True              False
Gregg Hess      8/16/2020 9:42:00 AM     Never                   False                   True              False
Josh Carey                               Never                   True                    True              False
Chris Murray    6/30/2020 4:13:38 PM     Never                   False                   True              False

This seems to be more of an AD question than PS. But you’re on the right track, just need to dive more into AD objects/properties/attributes and also some of the eccentricities with the AD PS module and filtering/LDAP properties.

Also take a look at Search-ADAccount which has a handful of very useful parameters to perform some very common AD queries. Like Search-ADAccount -LockedOut returns any AD accounts that are currently locked out.
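
An added example, not code from any poster in this thread, showing why the Password Expiration Date column comes out blank and how to map both "never" sentinels to text. `Convert-AdFileTime` is a hypothetical helper name, the sample objects are constructed stand-ins for `Get-ADUser` output, and the 'Change at next logon' label for a zero value is an assumption about how you want that case reported.

```powershell
# Added example. Convert-AdFileTime is a hypothetical helper, not part of the AD module.
function Convert-AdFileTime {
    param(
        $FileTime,                        # raw Int64 from AD, or $null if the attribute is absent
        [string] $NeverText = 'Never',
        [string] $ZeroText  = 'Never'
    )
    if ($null -eq $FileTime) { return $NeverText }
    $value = [int64]$FileTime
    # 0x7FFFFFFFFFFFFFFF is AD's "never" sentinel. [datetime]::FromFileTime()
    # throws on it, and Select-Object swallows the error inside a calculated
    # property, which is why the column is blank rather than $null-checkable.
    if ($value -eq [int64]::MaxValue) { return $NeverText }
    # 0 converts to 1/1/1601 UTC, shown as 12/31/1600 in US time zones.
    if ($value -eq 0) { return $ZeroText }
    [datetime]::FromFileTime($value)
}

# Constructed sample data standing in for Get-ADUser results.
$sample = @(
    [pscustomobject]@{
        DisplayName    = 'Constructed User A'   # password never expires
        AccountExpires = [int64]0
        'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue
    }
    [pscustomobject]@{
        DisplayName    = 'Constructed User B'   # normal password, account never expires
        AccountExpires = [int64]::MaxValue
        'msDS-UserPasswordExpiryTimeComputed' = [datetime]::new(2020, 6, 7, 9, 39, 17).ToFileTime()
    }
    [pscustomobject]@{
        DisplayName    = 'Constructed User C'   # pwdLastSet = 0, account has an end date
        AccountExpires = [datetime]::new(2020, 12, 31).ToFileTime()
        'msDS-UserPasswordExpiryTimeComputed' = [int64]0
    }
)

# Against a live domain, pipe Get-ADUser (with the same -Properties list as
# in the thread) into this Select-Object instead of $sample.
$sample | Select-Object @{Name='Name'; Expression={$_.DisplayName}},
    @{Name='Password Expiration Date'; Expression={
        Convert-AdFileTime -FileTime ($_.'msDS-UserPasswordExpiryTimeComputed') -ZeroText 'Change at next logon'
    }},
    @{Name='Account Expiration Date'; Expression={
        Convert-AdFileTime -FileTime ($_.AccountExpires)
    }} | Format-Table -AutoSize
```

Checking the raw Int64 before calling `FromFileTime` also covers `AccountExpires`, where both 0 and 0x7FFFFFFFFFFFFFFF mean the account never expires, so the `Year -eq 1600` test is no longer needed.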