Get password reset info for users with Windows PowerShell script

Derek Schauland illustrates how writing your own PowerShell commands can help you with pesky tasks.

I have to admit, I have been quite fascinated with PowerShell lately, and though I am by no means extremely good at it, I have managed to put together some useful scripting. While learning PowerShell, I found a few problems to solve, one of which is how to determine when a user last changed his password and the number of days until the password needs to be changed again. You may or may not find this particular script useful, but it does illustrate the kind of customizing you can do with PowerShell to perform tasks of your own choosing.

Note: Using this function assumes there are accounts whose passwords expire, although it does report accounts found that have non-expiring passwords as well.

Requirement: You will need to import the Active Directory Module into your PowerShell session by running import-module activedirectory for this function to work properly.

Getting started

The problem I had started when a co-worker asked about when a user account password was reset. Active Directory doesn't exactly put this information out there for you to see, which is typically a good thing. This was a good opportunity to see if PowerShell could help.

Function, script, or interactive command line

While all of these methods will work and even use the same code, I figured this might be something I would reuse, so I opted to create a function to behave more like a cmdlet, which can also be loaded into a profile script (but that part is another post).

Function get-pwdset{
param([Parameter(Mandatory=$true)][string]$user)

In the code above, the function get-pwdset is defined with the required parameter $user defined as a string.

The next section of the function will define a variable to hold an Active Directory user object with specified properties for passwordneverexpires and passwordlastset.

$use = get-aduser $user -properties passwordlastset,passwordneverexpires

In the next section, I decided to check for accounts that have non-expiring passwords. This was to prevent errors when dealing with accounts whose passwords do not expire.

If($use.passwordneverexpires -eq $true) {
 write-host $user "last set their password on " $use.passwordlastset  "this account has a non-expiring password" -foregroundcolor yellow
}

If the account passed to the function has a non-expiring password, the date the password was last set is displayed in yellow, along with a message letting you know that the account has a non-expiring password.

else {
 # whole days left until the expiry time Active Directory computes for this account
 $til = (([datetime]::FromFileTime((get-aduser $user -properties "msDS-UserPasswordExpiryTimeComputed")."msDS-UserPasswordExpiryTimeComputed"))-(get-date)).days
 if($til -lt 5) { write-host $user "last set their password on " $use.passwordlastset "it will expire again in " $til " days" -foregroundcolor red }
 else { write-host $user "last set their password on " $use.passwordlastset "it will expire again in " $til " days" -foregroundcolor green }
}
}

With the function defined, you can enter get-pwdset juser to have PowerShell check Active Directory to determine when the juser object last set its password and how many days remain until the password expires. If fewer than five days remain, the message is displayed in red; otherwise it is displayed in green. An example is shown below in Figure A.

Figure A

The get-pwdset function running for user test
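
An added example, not code from the original article: the same expiry check written to emit objects instead of colored text, so the results can be filtered, sorted or exported. It goes beyond the article's case by handling both special values of msDS-UserPasswordExpiryTimeComputed (the maximum 64-bit value for a password that never expires, and 0 when the password must be changed at next logon). The name ConvertTo-PwdStatus, the status labels and the sample accounts are assumptions made for illustration.

```powershell
# Added example. ConvertTo-PwdStatus is a hypothetical helper, not a built-in cmdlet.
function ConvertTo-PwdStatus {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $User,                       # object shaped like Get-ADUser output
        [int]$WarnDays = 5,          # same threshold the article's function uses
        [datetime]$Now = (Get-Date)
    )
    process {
        $raw = [int64]$User.'msDS-UserPasswordExpiryTimeComputed'
        $expires = $null
        $days = $null
        if ($User.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
            # AD reports 0x7FFFFFFFFFFFFFFF here; FromFileTime() throws on that value
            $status = 'NeverExpires'
        } elseif ($raw -eq 0) {
            # 0 means pwdLastSet is empty or 0: password must change at next logon
            $status = 'MustChangeAtNextLogon'
        } else {
            $expires = [datetime]::FromFileTime($raw)
            $days = [int][math]::Floor(($expires - $Now).TotalDays)
            if ($days -lt 0) { $status = 'Expired' }
            elseif ($days -lt $WarnDays) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            ExpiresOn       = $expires
            DaysLeft        = $days
            Status          = $status
        }
    }
}

# Constructed sample objects (not real accounts) so the logic runs without a domain.
$now = Get-Date
$prop = 'msDS-UserPasswordExpiryTimeComputed'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-backup'; PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true; $prop = [int64]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'newhire'; PasswordLastSet = $null; PasswordNeverExpires = $false; $prop = [int64]0 }
    [pscustomobject]@{ SamAccountName = 'juser'; PasswordLastSet = $now.AddDays(-87); PasswordNeverExpires = $false; $prop = $now.AddDays(3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'test'; PasswordLastSet = $now.AddDays(-10); PasswordNeverExpires = $false; $prop = $now.AddDays(80).ToFileTime() }
)
$sample | ConvertTo-PwdStatus -Now $now | Format-Table -AutoSize

# On a domain (ActiveDirectory module imported), feed it real accounts instead:
# Get-ADUser -Filter * -Properties PasswordLastSet,PasswordNeverExpires,$prop |
#     ConvertTo-PwdStatus | Where-Object { $_.Status -ne 'OK' }
```

Filtering on the NeverExpires status gives a quick list of accounts, often service accounts, whose passwords are exempt from the expiry policy and are worth reviewing.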

Hopefully this little function will come in handy for you if finding password expiration is a problem you need to solve.