This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
Hi all,
I have been struggling with a Powershell script for expired passwords in my domain. I run the following script as a domain admin :
get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
On my own laptop I get a proper resonse with all the users and the information. 
When I run the same script on a Domain Controller, I get different (incomplete) information: 
Any idea?
Thanks in advance!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi,
Welcome to share here!
Did you login with the same user?
Please try to run the PowerShell with administrator and run the script again.
Did you get the same result on all the DCs?
Then check the passwordlastset attribute of the users with blank on DCs.
If possible, please share a screenshot here!
Best Regards,
Hi, thanks for your reply.
I did not login as the same user as I run Powershell as a different user. The result on both DC's is the same. Running the script on a DC as administratror (so run as admin instead of run as different user with domain admin credentials) does work.
As I want to run this script scheduled on a daily basis, I need to run this under a Service Account that we use for these kind of scheduled tasks.
Hi,
So, when running the script on all DC as administrator, it shows the correct information.
But when you run as the service account, the information is incomplete), right?
How did you grant the permissions to the account to run the schedule tasks?
Best Regards,
yes indeed. The account that can run the tasks is a domain admin account.
Is it a member of the administrator group?
Best Regards,
Yes, it is. I have tried the administrators group, domain administrators group (member of the administrators group) and even the enterprise admins group.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 83%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPG%3C/text%3E%3C/svg%3E)
Just give a try using the same command with selecting different DC if you have more than one dc in your environment.
get-aduser -filter * -Server DC01.domain.local -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
get-aduser -filter * -Server DC02.domain.local -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
I got the same result
Hi,
From my side i will try to:
1, Disable the UAC temporarily
2, When configure the schedule task, select the option:
Run with the highest privileges
Best Regards,
Hi,
I did disable the UAC. I tested it with the "highest privileges" but have the same result.
So it only works when I login to the DC, start Powershell as administrator and run the script...
Hi,
I would do more research about it,
If there are any progress, i would update here!
Best Regards,
Thanks. I will keep trying and let you know if I get any results.
Waiting for your good news!
