Active Directory Password Policy: Use PowerShell to Access Account Info
There are plenty of third-party tools that can help assess the state of your AD accounts, but you can also access account info through PowerShell.
November 15, 2019
One of the keys to keeping your Windows network secure is to be aware of what is going on with your Active Directory accounts. If an account’s password has long been expired, for example, it may be an indication that the account is no longer being used and should therefore be disabled or deleted. There are plenty of third-party monitoring tools that can help you to assess the state of your Active Directory accounts, but you can also access account information through PowerShell.
PowerShell queries for assessing the state of Active Directory accounts are usually based on the Get-ADUser cmdlet. This cmdlet makes it easy to perform basic queries against your Active Directory user accounts, and it opens the door to performing more advanced queries.
At its simplest, you can enter the Get-ADUser cmdlet along with a username. This will provide you with some basic account information such as the account’s distinguished name, its SID and user principal name.
Like most other PowerShell Get cmdlets, the Get-ADUser cmdlet is capable of displaying more information than what it shows by default. You can see the full list of the available attributes by entering this command (replace <username> with the account you want to query; without -Properties *, the cmdlet returns only a default subset of attributes):
Get-ADUser <username> -Properties * | Select-Object *
If your goal is to find accounts that have expired passwords, then the attribute that will be of the most interest is msDS-UserPasswordExpiryTimeComputed.
Unfortunately, PowerShell won’t let you do something as simple as typing: Get-ADUser | Select-Object Name, msDS-UserPasswordExpiryTimeComputed, as you might expect to be able to do. In fact, there are two separate problems with using this command.
The first problem is that the Get-ADUser cmdlet requires you to provide a username. That isn’t a big deal if you are trying to query a single user’s account, but it can be an issue if you are trying to query all of your accounts to see which ones have expired passwords. Somewhat surprisingly, the Get-ADUser cmdlet will not accept a wildcard character, either.
The easiest way to work around this problem is to set up a filter and then have that filter act as the list of accounts to query. For example, you might create a filtered list of accounts that are enabled. Here is what such a filter might look like:
Get-ADUser -Filter {Enabled -eq $True}
If you were to run the command shown above, PowerShell would display all of the Active Directory accounts that are currently enabled. Conversely, if you would like to find out which accounts are disabled, then run the command shown above, but replace $True with $False. In either case, you can make the list of results easier to read by appending the pipe symbol and the Select-Object Name command. Here is an example:
Get-ADUser -Filter {Enabled -eq $False} | Select-Object Name
The other thing you will need to do to get a list of users with expired passwords is to put the msDS-UserPasswordExpiryTimeComputed attribute into some sort of readable form.
In doing so, the first issue that you will have to address is the fact that you can’t display msDS-UserPasswordExpiryTimeComputed directly by using the Select-Object cmdlet. The solution to this problem is to explicitly tell PowerShell that you want to use the msDS-UserPasswordExpiryTimeComputed property. Here is what such a command might look like:
Get-ADUser -Filter {Enabled -eq $True} -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, msDS-UserPasswordExpiryTimeComputed
When you run the command listed above, you will see the other problem. The msDS-UserPasswordExpiryTimeComputed property is simply a large number. Ideally, you should convert it to something more meaningful.
One thing that you can do is to check the value of msDS-UserPasswordExpiryTimeComputed to make sure that it is not 0. A value of 0 usually means that the account has been configured to require that users change their passwords the next time that they log in, but they have not yet done so.
Another thing to check for is an msDS-UserPasswordExpiryTimeComputed value of 0x7FFFFFFFFFFFFFFF. This often means that the password is set to never expire. Incidentally, if you want to find out whether you have accounts with non-expiring passwords, you can do so by entering this command:
Get-ADUser -Filter {PasswordNeverExpires -eq $True} | Select-Object Name
Aside from the two circumstances that I just mentioned, the msDS-UserPasswordExpiryTimeComputed property is usually a large-integer date representation of the time when the user’s password was most recently set, plus the maximum password age defined within Active Directory.
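As an added example (not code from the original article), the script below pulls the pieces above together into one report: it queries every enabled account, checks for the 0 and 0x7FFFFFFFFFFFFFFF special values first, and converts the remaining values with [DateTime]::FromFileTime, since the attribute is stored as a Windows FILETIME. It assumes the ActiveDirectory module is installed and the session can read the domain; the helper name Get-PasswordExpiryState is my own.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the session has read access to the domain.
Import-Module ActiveDirectory

$attr = 'msDS-UserPasswordExpiryTimeComputed'

# Hypothetical helper: classify one raw attribute value. The value is a
# Windows FILETIME (Int64), so [DateTime]::FromFileTime converts it to local
# time; the two special values from the article are handled before converting.
function Get-PasswordExpiryState {
    param($RawValue)
    if ($null -eq $RawValue) {
        return [pscustomobject]@{ State = 'NotComputed'; Expires = $null }
    }
    $value = [Int64]$RawValue
    if ($value -eq 0) {
        # Password flagged "must change at next logon" and not yet changed.
        return [pscustomobject]@{ State = 'MustChangeAtNextLogon'; Expires = $null }
    }
    if ($value -eq [Int64]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: password set to never expire.
        return [pscustomobject]@{ State = 'NeverExpires'; Expires = $null }
    }
    try {
        $expires = [DateTime]::FromFileTime($value)
    } catch {
        # Outside the DateTime range: treat like a non-expiring password.
        return [pscustomobject]@{ State = 'NeverExpires'; Expires = $null }
    }
    $state = if ($expires -lt (Get-Date)) { 'Expired' } else { 'Valid' }
    return [pscustomobject]@{ State = $state; Expires = $expires }
}

# Query every enabled account, attach the classification and sort so that
# expired and never-expiring passwords are easy to spot in the output.
Get-ADUser -Filter { Enabled -eq $true } -Properties $attr, PasswordLastSet |
    ForEach-Object {
        $result = Get-PasswordExpiryState -RawValue $_.$attr
        [pscustomobject]@{
            Name            = $_.Name
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            State           = $result.State
            Expires         = $result.Expires
        }
    } |
    Sort-Object State, Expires |
    Format-Table -AutoSize
```

To narrow the report to accounts that need attention, insert `Where-Object { $_.State -in 'Expired', 'NeverExpires' }` before the Sort-Object step.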