7,023 questions
Run the code using "Run as administrator".
Password expiration attributes
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 87%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
John52180627
1
Reputation point
We have a script running Get-ADUser to determine expiration dates of passwords. It recently stopped working. Domain Admins running Get-ADUser and the relevant -Properties are able to obtain PasswordExpired, PasswordLastSet, and PasswordNeverExpires values but a non-admin is only able to see PasswordLastSet as existing and that is blank (the others don't acknowledge their existence).
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | PowerShell
2 answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Rich Matheisen 47,901 Reputation points2023-01-05T22:13:15.19+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 45%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPR%3C/text%3E%3C/svg%3E)
Prescott, Romeyn 1 Reputation point2023-01-06T12:03:37.107+00:00 What we are trying to discern is "what changed"? This has been working for over a year and stopped on December 8th for no reason we can determine.
-
Rich Matheisen 47,901 Reputation points
2023-01-06T16:09:47.82+00:00 If it used to work and now it doesn't, I'd look for changes in the security of the AD. That might be at the OU level, or perhaps a security group level (e.g., the removal of a user from a group).
If users aren't allowed to see your password policy they won't be able to discover if a password has expired.
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Limitless Technology 44,766 Reputation points2023-01-06T14:02:50.773+00:00 Hi. Thank you for your question and reaching out. I’d be more than happy to help you with your query.
You can try this command to get the password expiration:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.