For IT administrators, managing user accounts in Active Directory (AD) is a critical daily task. Beyond simply creating and disabling accounts, one of the ongoing responsibilities is monitoring password health across the organization.
Knowing when users last changed their passwords, and identifying accounts where passwords never expire, is essential for:
- Maintaining security compliance
- Reducing the risk of stale or compromised accounts
- Preparing audit reports
- Managing large enterprise environments efficiently
PowerShell’s Get-ADUser cmdlet provides a straightforward yet powerful way to retrieve this information and even automate reporting for your AD environment.
Understanding Get-ADUser and Its Properties
Get-ADUser is part of the Active Directory module for Windows PowerShell, designed for querying and managing AD users. If you’re unfamiliar with it, you can get help directly in PowerShell:
help Get-ADUser -Full

This command lists all available parameters, examples, and descriptions. When it comes to password tracking, the properties we care about are:
- PasswordLastSet: The date and time when the user last updated their password.
- PasswordNeverExpires: A boolean value indicating whether the account is exempt from password expiry.
- PasswordExpired: Indicates if the account’s password has expired.
- PasswordNotRequired: Specifies whether the user can log in without a password.
Real-world tip: Many IT teams ignore PasswordNotRequired, but auditing this property is crucial in environments with service accounts or legacy applications.
To list all available properties for a specific user:
Get-ADUser -Identity "username" -Properties *

The two properties we are interested in here are PasswordLastSet and PasswordNeverExpires. We can run the command requesting only these properties and output the results as a table.
Type: Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | ft Name, PasswordLastSet, PasswordNeverExpires
So we can now see when a user last changed their password and if it is set to never expire.
To make things easier to find in a big environment you may want to sort the list by name.
Type: Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | sort Name | ft Name, PasswordLastSet, PasswordNeverExpires

Automation Tips for IT Professionals
For busy AD administrators, you can automate these reports using scheduled PowerShell scripts:
- Weekly export of password last set for all users
- Monthly audit of accounts with PasswordNeverExpires = True
- Alerts for stale passwords beyond the organization’s policy threshold
Example scheduling with Task Scheduler:
- Trigger: Weekly at 7 AM
- Action: Run PowerShell script containing the commands above
- Output: Save CSV to a network share accessible to the security team
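A script that such a scheduled task could run, given here as an added example and not taken from the original article. The 90-day threshold, the share path `\\fileserver\security-reports` and the report file names are assumptions to replace with your own values.

```powershell
# Added example: weekly password-health report for a scheduled task.
param(
    [int]$MaxPasswordAgeDays = 90,                        # assumed policy threshold
    [string]$ReportDir = '\\fileserver\security-reports'  # hypothetical share path
)
Import-Module ActiveDirectory -ErrorAction Stop

$now    = Get-Date
$cutoff = $now.AddDays(-$MaxPasswordAgeDays)
$props  = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordExpired',
          'PasswordNotRequired', 'LastLogonDate'

# Enabled accounts only; disabled accounts can be reported separately.
$report = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props | ForEach-Object {
    $findings = @()
    if ($_.PasswordNeverExpires) { $findings += 'NeverExpires' }
    if ($_.PasswordNotRequired)  { $findings += 'NotRequired' }
    if ($_.PasswordExpired)      { $findings += 'Expired' }
    # PasswordLastSet is empty when pwdLastSet is 0 (never set, or must change at next logon).
    if (-not $_.PasswordLastSet)            { $findings += 'NeverSet' }
    elseif ($_.PasswordLastSet -lt $cutoff) { $findings += 'Stale' }

    [pscustomobject]@{
        Name                 = $_.Name
        SamAccountName       = $_.SamAccountName
        PasswordLastSet      = $_.PasswordLastSet
        PasswordAgeDays      = if ($_.PasswordLastSet) { [math]::Floor(($now - $_.PasswordLastSet).TotalDays) }
        PasswordNeverExpires = $_.PasswordNeverExpires
        PasswordNotRequired  = $_.PasswordNotRequired
        LastLogonDate        = $_.LastLogonDate   # replicated value, can lag by several days
        Findings             = $findings -join ';'
    }
}

$stamp = $now.ToString('yyyy-MM-dd')
$report | Sort-Object Name |
    Export-Csv -Path (Join-Path $ReportDir "password-audit-$stamp.csv") -NoTypeInformation -Encoding UTF8

# Separate file with only the accounts that need review.
$flagged = @($report | Where-Object { $_.Findings })
$flagged | Sort-Object Name |
    Export-Csv -Path (Join-Path $ReportDir "password-audit-flagged-$stamp.csv") -NoTypeInformation -Encoding UTF8

Write-Output "$($flagged.Count) of $(@($report).Count) enabled accounts flagged for review."
```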
Security and Compliance Considerations
Tracking password information isn’t just for convenience—it’s essential for security and regulatory compliance:
- ISO 27001 / SOC2 / NIST require tracking password policy enforcement
- HIPAA / GDPR environments often need evidence of proactive password audits
- Detect potential dormant accounts that could be exploited by attackers
From experience, combining Get-ADUser reports with logon activity is a powerful method to identify high-risk accounts.
Best Practices Summary
For IT admins managing AD environments, here’s a practical checklist:
- Regularly audit password age using PasswordLastSet
- Identify accounts with PasswordNeverExpires and justify them
- Export reports to CSV for review and management
- Automate reports for efficiency
- Cross-reference with login activity to spot dormant or inactive accounts
- Document scripts and reports for audit trails
Conclusion
Get-ADUser is more than just a query tool—it’s a critical component of proactive Active Directory management. By leveraging it to track password last set dates, identify accounts exempt from expiration, and export structured reports, IT professionals gain visibility, control, and security over their AD environment.
In large or highly regulated environments, this approach is not optional—it’s essential. Automating these checks and integrating them into regular security audits ensures that password policies are enforced consistently and that potential vulnerabilities are addressed before they become critical.
As an IT professional, mastering these PowerShell commands will not only make your daily administration tasks more efficient but also improve organizational security posture significantly.

From my early days on the helpdesk through roles as a service desk manager, systems administrator, and network engineer, I’ve spent more than 25 years in the IT world. As I transition into cyber security, my goal is to make tech a little less confusing by sharing what I’ve learned and helping others wherever I can.
