
Find out when your Password Expires

A few weeks ago I came across this question, “How to find out an account’s password expiration date”, on one of our internal mailing lists. This looks like a simple question, but when we tried to find the answer we realized it is not a trivial task. One of my colleagues pointed to this detailed MSDN article (22 printed pages) that describes how to find a user account’s password expiration date. The steps described in that article are a bit outdated: they do not take Fine-Grained Password Policy (a new feature added in Windows 2008) into account when calculating the maximum password age. With the addition of fine-grained password policy, this becomes an even more daunting task. Using AD PowerShell, it can be achieved with ~40 lines of script code. Here is a function that calculates the password expiration date of a user object given its samAccountName, security identifier or DistinguishedName.

```powershell
function Get-XADUserPasswordExpirationDate() {
    Param ([Parameter(Mandatory=$true, Position=0, ValueFromPipeline=$true, HelpMessage="Identity of the Account")]
    [Object] $accountIdentity)
    PROCESS {
        # Fetch only the password-related properties needed for the calculation
        $accountObj = Get-ADUser $accountIdentity -properties PasswordExpired, PasswordNeverExpires, PasswordLastSet
        if ($accountObj.PasswordExpired) {
            echo ("Password of account: " + $accountObj.Name + " already expired!")
        } else {
            if ($accountObj.PasswordNeverExpires) {
                echo ("Password of account: " + $accountObj.Name + " is set to never expires!")
            } else {
                $passwordSetDate = $accountObj.PasswordLastSet
                if ($passwordSetDate -eq $null) {
                    echo ("Password of account: " + $accountObj.Name + " has never been set!")
                } else {
                    $maxPasswordAgeTimeSpan = $null
                    $dfl = (get-addomain).DomainMode
                    if ($dfl -ge 3) {
                        ## Windows2008 domain functional level or higher:
                        ## a fine-grained password policy may apply to this account
                        $accountFGPP = Get-ADUserResultantPasswordPolicy $accountObj
                        if ($accountFGPP -ne $null) {
                            $maxPasswordAgeTimeSpan = $accountFGPP.MaxPasswordAge
                        } else {
                            # No fine-grained policy applies; use the domain default
                            $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                        }
                    } else {
                        $maxPasswordAgeTimeSpan = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
                    }
                    if ($maxPasswordAgeTimeSpan -eq $null -or $maxPasswordAgeTimeSpan.TotalMilliseconds -eq 0) {
                        echo ("MaxPasswordAge is not set for the domain or is set to zero!")
                    } else {
                        # Expiration = date the password was last set + maximum password age
                        echo ("Password of account: " + $accountObj.Name + " expires on: " + ($passwordSetDate + $maxPasswordAgeTimeSpan))
                    }
                }
            }
        }
    }
}
```

  

Here are some sample usages of this function:

```
PS AD:> Get-XADUserPasswordExpirationDate testuser1
Password of account: testuser1 already expired!

PS AD:> Get-XADUserPasswordExpirationDate JohnDoe
Password of account: John Doe expires on: 02/25/2010 13:03:20
```
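To cross-check the function's result, domain controllers running Windows Server 2008 or later also expose the expiry they compute themselves (fine-grained policy included) in the constructed attribute msDS-UserPasswordExpiryTimeComputed. The following is an added example, not code from the original post; the function name ConvertFrom-XADPasswordExpiryTime, the status labels and the sample values are assumptions made for illustration.

```powershell
# Added example (not from the original post).
# Decodes a raw msDS-UserPasswordExpiryTimeComputed value (a FILETIME stored as Int64)
# into a status and a UTC date. The function name and status labels are hypothetical.
function ConvertFrom-XADPasswordExpiryTime {
    Param (
        [Parameter(Mandatory=$true, Position=0)] [string] $Name,
        [Parameter(Mandatory=$true, Position=1)] [Int64] $ExpiryTimeComputed
    )
    $status = 'Expires'
    $expiresOn = $null
    if ($ExpiryTimeComputed -eq [Int64]::MaxValue) {
        # Sentinel 0x7FFFFFFFFFFFFFFF: the password does not expire for this account
        # (for example PasswordNeverExpires is set, or the effective policy has no maximum age)
        $status = 'NeverExpires'
    } elseif ($ExpiryTimeComputed -eq 0) {
        # Sentinel 0: pwdLastSet is 0 (never set, or must change at next logon)
        $status = 'NeverSetOrMustChange'
    } else {
        $expiresOn = [DateTime]::FromFileTimeUtc($ExpiryTimeComputed)
        if ($expiresOn -lt [DateTime]::UtcNow) { $status = 'Expired' }
    }
    New-Object PSObject -Property @{ Name = $Name; Status = $status; ExpiresOnUtc = $expiresOn }
}

# Constructed sample values so the decoding can be tried without a domain.
$pastExpiry   = (New-Object DateTime 2010,2,25,13,3,20,([DateTimeKind]::Utc)).ToFileTimeUtc()
$futureExpiry = [DateTime]::UtcNow.AddDays(30).ToFileTimeUtc()

ConvertFrom-XADPasswordExpiryTime 'sample-expired'  $pastExpiry           # Status: Expired
ConvertFrom-XADPasswordExpiryTime 'sample-valid'    $futureExpiry         # Status: Expires
ConvertFrom-XADPasswordExpiryTime 'sample-noexpiry' ([Int64]::MaxValue)   # Status: NeverExpires
ConvertFrom-XADPasswordExpiryTime 'sample-unset'    0                     # Status: NeverSetOrMustChange

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     ForEach-Object {
#         ConvertFrom-XADPasswordExpiryTime $_.SamAccountName $_.'msDS-UserPasswordExpiryTimeComputed'
#     }
```

If the date decoded here differs from what Get-XADUserPasswordExpirationDate reports for the same account, compare time zones first: this example reports UTC, while PasswordLastSet is shown in local time.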

Since the MSDN article explains the algorithm using a flow diagram, I too have tried creating a flow diagram that explains the logic used to compute the password expiration date of an account:

  

Hope you find this useful. Please leave a comment if you have any feedback on this topic or would like to see any other topic discussed in our blog.

  

Enjoy,

Swami
