Get password age using PowerShell

Step 1: Retrieve password age for all users

This command fetches the password age for all Active Directory users by calculating the difference between the current date and the password expiration date.

• Get-ADUser -Filter (fetches all AD users)
• msDS-UserPasswordExpiryTimeComputed (stores the password expiration date)
• New-TimeSpan (calculates the number of days left before password expiry)

Step 2: Retrieve password expiry for a specific user

To check when a particular user's password will expire, replace "username" with the actual username. This extracts the exact expiration timestamp for a given user.

Step 3: Convert expiry time to readable format

Active Directory stores the password expiry time in a non-human-readable format. Convert it to a readable date using the following command:

• FromFileTime() (converts the AD timestamp into a standard date format)

Step 4: Export password age report to CSV

Create a report of all users' password ages and export it to a CSV file for auditing. This creates a CSV report in C:\Reports\ with password age details.

FAQs

1. How can I check the password age of a specific user?

You can check the password age of a specific user using the following command:

Copy Get-ADUser -Identity username -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, @{Name="PasswordExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Note: Replace username with the actual username to get their password expiration date.

2. Can I retrieve the password age for all users?

Yes, run the following command to retrieve password for all users:

3. What if the command doesn’t return a password expiry date?

If the msDS-UserPasswordExpiryTimeComputed property is empty, the user's password might be set to "never expire", or the domain might have no password expiration policy.