If you manage a large number of users in Active Directory you will love this article. As an I.T administrator, you want to have full control and visibility of your users and extract information to help manage these accounts. In this post, we will look at the Get-ADUser PowerShell command and show you how you can use it to retrieve password information to find out when a user last changed their password and if it is set to never expire.
To get information about Get-ADUser command you can use PowerShell and type the following command.
help Get-ADUser
Next we want to find out the name of the properties of a user account that are available and the correct names so we can use it in our following commands. To retrieve this information you will run the following command.
Get-ADUser -identity username -properties *
If you look on the Get-ADUser properties, there is Password last set information, password expired, password never expired status and password Not required status.
So the property names we are interested in are: PasswordLastSet and PasswordNeverExpires. So we can run the command specifying these properties only and output the results in a table.
Type: get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
So we can now see when a user last changed their password and if it is set to never expire.
To make things easier to find in a big environment you may want to sort the list by name.
Type: get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort name | ft Name, passwordlastset, Passwordneverexpires
And finally, lets export the list to CSV so we can work on it in Excel. In this example we substitute, format table (ft) for select-object.
Type: Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info-20131119.csv
