How to get the password age using PowerShell

PowerShell cmdlets help admins perform tasks that are beyond the scope of what can be achieved using the graphical user interface (GUI). However, using PowerShell can often be complex and time-consuming.

Consider checking for password age. Admins may want to find passwords that are nearing their expiry so they can send the respective users an email request to change their passwords. This can be achieved using PowerShell or with a tool such as ManageEngine ADSelfService Plus.

ADSelfService Plus, an identity security solution, provides several crucial reports and functions that enhance and often surpass what can be achieved via PowerShell.

Let's compare what it's like to get the password age using PowerShell vs. ADSelfService Plus.

With PowerShell

Run this script in PowerShell to get the password age report:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

With ADSelfService Plus
  • Log in to ADSelfService Plus as an administrator.
  • Navigate to the Reports tab > Active Directory Reports > Soon-To-Expire Password Users Report.
  • Specify the domain using the Select Domain option.
  • Use the Select OUs option to specify OUs if necessary.
  • Use the User Passwords that will expire option to specify the number of days remaining until expiration.
  • Use the Exclude Users option to exclude disabled users and smart card users from the report.
  • Click Generate to generate the report.

Advantages of using ADSelfService Plus to get password age reports

  • Quick configuration: Generate password expiration dates for domain users with just a few clicks using the user-friendly interface.
  • Enhanced readability: Unlike PowerShell reports that display only the usernames and password expiration dates, ADSelfService Plus provides additional information in an easy-to-read, exportable format.
  • Refined reports using the GUI: Generate refined reports that provide usable data without clutter, unlike PowerShell scripts that display complex data.
  • Password expiration notifications: Proactively notify users about impending password expirations through email, SMS, and push notifications, enabling them to change their passwords before expiration.
  • Comprehensive user information report: ADSelfService Plus offers various reports that provide information about locked-out domain users and their password expiration statuses.
  • Automated email notification: Schedule and automate the generation of reports, which can be emailed directly to administrators and managers at specified intervals.
  • Automatic password resets: Enable automatic password resets for expired passwords, ensuring they are regularly updated without manual intervention.
  • Export and search options: Export reports in multiple formats, including CSV, HTML, and PDF. Use the built-in search option to locate specific entries in reports quickly.

Get password age using PowerShell

Step 1: Retrieve password age for all users

This command fetches the password age for all Active Directory users by calculating the difference between the current date and the password expiration date.

Get-ADUser -Filter * -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, @{Name="PasswordAge";Expression={(New-TimeSpan -Start (Get-Date) -End ([datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed"))).Days}}
  • Get-ADUser -Filter * (fetches all AD users)
  • msDS-UserPasswordExpiryTimeComputed (stores the password expiration date)
  • New-TimeSpan (calculates the number of days left before password expiry)

Step 2: Retrieve password expiry for a specific user

To check when a particular user's password will expire, replace "username" with the actual username. This extracts the exact expiration timestamp for a given user.

$User = "username"
(Get-AdUser $User -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed"

Step 3: Convert expiry time to readable format

Active Directory stores the password expiry time in a non-human-readable format. Convert it to a readable date using the following command:

$expiry = (Get-AdUser -Identity "username" -Properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed"
[datetime]::FromFileTime($expiry)
  • FromFileTime() (converts the AD timestamp into a standard date format)

Step 4: Export password age report to CSV

Create a report of all users' password ages and export it to a CSV file for auditing. This creates a CSV report in C:\Reports\ with password age details.

Get-ADUser -Filter * -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, @{Name="PasswordAge";Expression={(New-TimeSpan -Start (Get-Date) -End ([datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed"))).Days}} | Export-Csv -Path "C:\Reports\PasswordAgeReport.csv" -NoTypeInformation
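
Steps 1 to 4 work from the expiry timestamp, so they describe time remaining rather than time since the last password change. The following added example (not from the original article or from ManageEngine) derives both values from pwdLastSet and msDS-UserPasswordExpiryTimeComputed and handles the two sentinel values, 0 and Int64.MaxValue, which [datetime]::FromFileTime() either misreports or rejects. The function name Get-PasswordAgeInfo and the sample accounts are assumptions.

```powershell
# Added example: Get-PasswordAgeInfo is a hypothetical helper, not a built-in cmdlet.
function Get-PasswordAgeInfo {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [datetime] $Now = (Get-Date)
    )
    process {
        $lastSet = [int64] $User.pwdLastSet
        $expiry  = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        $setDate = $null
        $expDate = $null

        # pwdLastSet = 0 means the password must be changed at next logon.
        if ($lastSet -gt 0) { $setDate = [datetime]::FromFileTime($lastSet) }

        # Int64.MaxValue = no expiry (never-expire flag or no maximum age);
        # 0 = no password set date. Neither is a real timestamp to convert.
        if ($expiry -eq [int64]::MaxValue) { $status = 'NeverExpires' }
        elseif ($expiry -le 0)             { $status = 'MustChangeAtNextLogon' }
        else {
            $expDate = [datetime]::FromFileTime($expiry)
            $status  = if ($expDate -lt $Now) { 'Expired' } else { 'Active' }
        }

        [pscustomobject]@{
            Name            = $User.Name
            Status          = $status
            PasswordAgeDays = if ($setDate) { [math]::Floor(($Now - $setDate).TotalDays) }
            ExpiryDate      = $expDate
            DaysUntilExpiry = if ($expDate) { [math]::Floor(($expDate - $Now).TotalDays) }
        }
    }
}

# Constructed sample values standing in for live directory data.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'alice'; pwdLastSet = $now.AddDays(-80).ToFileTime()
                       'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(10).ToFileTime() }
    [pscustomobject]@{ Name = 'svc-app'; pwdLastSet = $now.AddDays(-400).ToFileTime()
                       'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
    [pscustomobject]@{ Name = 'newhire'; pwdLastSet = 0; 'msDS-UserPasswordExpiryTimeComputed' = 0 }
)
$sample | Get-PasswordAgeInfo -Now $now | Format-Table -AutoSize

# Against a domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties pwdLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
#     Get-PasswordAgeInfo | Export-Csv -Path 'C:\Reports\PasswordAgeReport.csv' -NoTypeInformation
```

Sorting the output by PasswordAgeDays brings accounts such as the constructed svc-app entry to the top: a password that never expires and has not been changed for a long time.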

FAQs

1. How can I check the password age of a specific user?

You can check the password age of a specific user using the following command:

Get-ADUser -Identity username -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, @{Name="PasswordExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Note: Replace username with the actual username to get their password expiration date.

2. Can I retrieve the password age for all users?

Yes, run the following command to retrieve the password expiry date for all users:

Get-ADUser -Filter * -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, SamAccountName, @{Name="PasswordExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

3. What if the command doesn’t return a password expiry date?

If the msDS-UserPasswordExpiryTimeComputed property is empty, the user's password might be set to "never expire", or the domain might have no password expiration policy.
