Getting information about a user's password expiration

I work in a multi-domain environment. Each domain has different password expiration rules. Unfortunately, there is no notification system for password expiration, so I have to check manually how long my passwords remain valid.

For this, I wrote the following PowerShell function, which works without any additional module:

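function get-UserPwdInfo {
    <#
    .SYNOPSIS
        Reports password age and expiration details for an Active Directory user.
    .DESCRIPTION
        Uses only ADSI / System.DirectoryServices, so no additional module is required.
        The user object is read through the LDAP provider; MaxPasswordAge and
        MinPasswordAge are read through the WinNT provider of the domain that is
        derived from the DC= components of the distinguished name.
    .PARAMETER UserDN
        Distinguished name of the user to inspect. When empty, the DN of the
        currently logged-on user is taken from the ADSystemInfo COM object.
    .OUTPUTS
        PSObject with the properties Domain, UserDisplayName, UserDistinguishedName,
        userPrincipalName, sAMAccountName, Enabled, PasswordNeverExpires,
        PasswordExpired, MaxPasswordAge, MinPasswordAge (both in days),
        LastPasswordSet, CurrentPasswordAge, PasswordExpiresOn and PasswordExpiresIn.
        PasswordExpiresOn / PasswordExpiresIn are $null when no expiration applies.
    .NOTES
        NOTE(review): the WinNT provider presumably reports the domain-wide policy.
        A fine-grained password policy applied to the user (msDS-ResultantPSO) is
        not taken into account here - confirm for your environment before relying
        on the reported dates.
    #>
    Param (
        $UserDN
    )
    # userAccountControl bit flags evaluated below.
    $ACCOUNTDISABLE       = 0x000002
    $DONT_EXPIRE_PASSWORD = 0x010000
    $PASSWORD_EXPIRED     = 0x800000

    if ( [string]::IsNullOrEmpty( $UserDN ) ) {
        # No DN supplied: fall back to the DN of the logged-on user.
        $SysInfo = New-Object -ComObject "ADSystemInfo"
        $UserDN = $SysInfo.GetType().InvokeMember("UserName", "GetProperty", $Null, $SysInfo, $Null)
    }

    $User = [ADSI]"LDAP://$UserDN"

    # Read the attributes with a base-scope search rooted at the user object itself.
    # This avoids interpolating the DN into an LDAP filter (characters such as
    # ( ) * \ in a DN would otherwise alter or break the filter) and it also works
    # for users outside the default search root, i.e. in another domain.
    $searcher = New-Object DirectoryServices.DirectorySearcher( $User )
    try {
        $searcher.SearchScope = [DirectoryServices.SearchScope]::Base
        $searcher.Filter      = '(objectClass=*)'
        $results = $searcher.FindOne()
    }
    finally {
        $searcher.Dispose()
    }
    if ( $null -eq $results ) {
        throw "No directory entry found for '$UserDN'."
    }

    # pwdLastSet is a FILETIME value; 0 converts to the year 1601.
    $PwdLastSet = [datetime]::FromFileTime( $results.Properties.pwdlastset[0] )

    # Build the DNS domain name from the DC= components only. The match is anchored
    # so that components merely containing the letters "dc" (e.g. "OU=ADC Servers")
    # do not leak into the domain name.
    $DomainName = ( $UserDN -split ',' |
        Where-Object   { $_ -match '^\s*DC=' } |
        ForEach-Object { ( $_ -replace '^\s*DC=', '' ).Trim() } ) -join '.'
    [ADSI]$domain = "WinNT://$( $DomainName )"

    # Used with AddSeconds() below; the day values in the output divide by 3600 / 24.
    $MaxPasswordAge = $domain.MaxPasswordAge.Value

    $Uac          = $results.Properties.useraccountcontrol[0]
    $NeverExpires = [bool]( $Uac -band $DONT_EXPIRE_PASSWORD )

    # Only compute an expiry date when the password can actually expire.
    # A MaxPasswordAge <= 0 is assumed to mean "no expiration" - TODO confirm the
    # value the WinNT provider returns for a domain without password expiry.
    $ExpiresOn = $null
    $ExpiresIn = $null
    if ( ( -not $NeverExpires ) -and ( $MaxPasswordAge -gt 0 ) ) {
        $ExpiresOn = $PwdLastSet.AddSeconds( $MaxPasswordAge )
        $ExpiresIn = New-TimeSpan -Start ( Get-Date ) -End $ExpiresOn
    }

    # Active Directory does not persist the PASSWORD_EXPIRED bit in
    # userAccountControl (it is exposed via msDS-User-Account-Control-Computed),
    # so the flag alone would always read $false. Combine it with the computed date.
    $Expired = ( [bool]( $Uac -band $PASSWORD_EXPIRED ) ) -or
               ( ( $null -ne $ExpiresOn ) -and ( $ExpiresOn -lt ( Get-Date ) ) )

    # displayName is optional on user objects; do not fail when it is absent.
    $DisplayName = $null
    if ( $results.Properties.Contains( 'displayname' ) ) {
        $DisplayName = $results.Properties['displayname'][0].ToString()
    }

    # Select-Object fixes the property order of the emitted object.
    New-Object -TypeName PSObject -Property @{
        Domain                = $domain.Name.ToString()
        UserDisplayName       = $DisplayName
        UserDistinguishedName = $results.Properties.distinguishedname[0].ToString()
        userPrincipalName     = $User.userPrincipalName.ToString()
        sAMAccountName        = $User.sAMAccountName.ToString()
        Enabled               = ( -not [bool]( $Uac -band $ACCOUNTDISABLE ) )
        PasswordNeverExpires  = $NeverExpires
        PasswordExpired       = $Expired
        MaxPasswordAge        = $domain.MaxPasswordAge.Value / 3600 / 24
        MinPasswordAge        = $domain.MinPasswordAge.Value / 3600 / 24
        LastPasswordSet       = $PwdLastSet
        CurrentPasswordAge    = ( New-TimeSpan -Start $PwdLastSet -End ( Get-Date ) )
        PasswordExpiresOn     = $ExpiresOn
        PasswordExpiresIn     = $ExpiresIn
    } | Select-Object Domain, UserDisplayName, UserDistinguishedName, userPrincipalName, sAMAccountName, Enabled, PasswordNeverExpires, PasswordExpired, MaxPasswordAge, MinPasswordAge, LastPasswordSet, CurrentPasswordAge, PasswordExpiresOn, PasswordExpiresIn
}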
# Called without a DN, so the function reports on the currently logged-on user.
$UserPwdInfo = Get-UserPwdInfo
# Emit the stored result so the console renders it.
Write-Output $UserPwdInfo

the result of this script looks like this: