Password properties for AD accounts

Get-QADUser username | Format-List *Password* – provides a handy list of password properties for an Active Directory user account including the age and expiration date.

Here’s what I got for one of the accounts in my domain:

Get-QADUser username | Format-List *Password*

PasswordLastSet : 2/5/2010 7:31:16 PM
PasswordAge : 60.21:51:12.2086957
PasswordExpires : 5/6/2010 7:31:16 PM
PasswordNeverExpires : False
UserMustChangePassword : False
PasswordIsExpired : False
PasswordStatus : Expires at: Thursday, May 06, 2010

This can obviously used across multiple accounts to create handy reports, let users know in advance that their passwords are about to expire, and so on.


1 Response to “Password properties for AD accounts”

  1. 1 jkavanagh58 April 7, 2010 at 1:17 pm

    Thanks for this. I have been working on a similar script to audit accounts that are not handled through our password synch process, mostly admin accounts. Initially it was great for determining what accounts were obviously not being used since their passwords had been expired for a substantial time. Now I am adding a loop to send emails based (get-qaduser acct).email for accounts set to expire in 15 days or less.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

My Recent Tweets


The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov

April 2010
« Mar   May »

%d bloggers like this: