Check Domain Account Expiration Date

As an end-user that does not support active-directory, I like to know when my password is approaching its expiration date; this is also useful if you have a non-human service account created to automate a process – you wouldn’t want the password for the account to expire without you knowing.

The following script can be executed as seen below by calling the script and passing a correct domain username:

The script also handles incorrect usernames:

Here is the script:


1) The target machine executing this script needs to be able to Import-Module ActiveDirectory. 
   This module is available under Control Panel > Turn Windows features on or off > Remote Server Admin Tools > 
   Role Admin Tools > AD DS and AD LDS Tools > Active Directory Module for Windows PowerShell.

2) If you do not have this option available under 'Turn Windows features on or off' menu, then you might have to install
   it from Microsoft - first.


This script will allow you to check a domain account against active directory to determine the following details:



Navigate to script location and execute script with domain username as an argument.

				    User                 : Knguyen
				    FullName             : Khoa Nguyen
				    PasswordNeverExpires : False
				    PasswordLastSet      : 12/11/2017 09:58:39
				    LockedOut            : False
				    Enabled              : True
				    RemainingDays        : 3/11/2018
				    PasswordExpiresIn    : 88 Days

#This requires that a domain username is passed into the script during execution, without it, the catch error exception will run.
param (
[string] $UserName

#Imports the necessary AD module for PowerShell
Import-Module ActiveDirectory

#Attempt to perform the below steps against the provided $UserName
	$Fullname = (Get-ADUser -Identity $UserName -Properties Name).Name
	$PasswordExpired = (Get-ADUser -Identity $UserName -Properties PasswordExpired).PasswordExpired
	$PasswordNeverExpires = (Get-ADUser -Identity $UserName -Properties PasswordNeverExpires).PasswordNeverExpires
	$PasswordLastSet = (Get-ADUser -Identity $UserName -Properties PasswordLastSet).PasswordLastSet
	$LockedOut = (Get-ADUser -Identity $UserName -Properties LockedOut).LockedOut
	$Enabled = (Get-ADUser -Identity $UserName -Properties Enabled).Enabled
	$RemainingDays = (Get-ADUser $UserName -properties "msDS-UserPasswordExpiryTimeComputed" | select-object @{Name = "RemainingDays" ; e={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}).RemainingDays.ToString()
	$RemainingDays = $RemainingDays.Split(" ")[0]
	$Modified = (Get-ADUser -Identity $UserName -Properties Modified).Modified
	$Modified = $Modified.ToString().Split(" ")[0]
	$CalculateDays = (New-TimeSpan -Start $Modified -End $RemainingDays | Select Days).Days
	Write-Host "`n"
	Write-Host "User                 : $UserName"
	Write-Host "FullName             : $Fullname"	
	Write-Host "PasswordNeverExpires : $PasswordNeverExpires"
	Write-Host "PasswordLastSet      : $PasswordLastSet"
	Write-Host "LockedOut            : $LockedOut"
	Write-Host "Enabled              : $Enabled"
	Write-Host "RemainingDays        : $RemainingDays"
	Write-Host "PasswordExpiresIn    : $CalculateDays Days`n"

	Write-Host "`n"
	Write-Host "User provided does not exist!" -ForegroundColor Red
	Write-Host "`n"


If you wanted to take it further, I’d suggest creating some if/else conditions to evaluate $CalculateDays to email out on remaining days or if account is $LockedOut or not.

Leave a Reply

Notify of