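# PSPwdLastSet.ps1
# PowerShell script to retrieve password information for a user.
# This includes the date the password was last set, the domain maximum
# password age policy, and whether the user can change their password.
#
# ----------------------------------------------------------------------
# Copyright (c) 2011 Richard L. Mueller
# Hilltop Lab web site - http://www.rlmueller.net
# Version 1.0 - March 23, 2011
#
# You have a royalty-free right to use, modify, reproduce, and
# distribute this script file in any way you find useful, provided that
# you agree that the copyright owner above has no warranty, obligations,
# or liability for such use.
#
# Audit caveats:
#   * Only the domain-wide maxPwdAge is read. A fine-grained password
#     policy applied to the user (msDS-ResultantPSO) is not consulted, so
#     the "expired" verdict can be wrong for such accounts. The constructed
#     attribute msDS-UserPasswordExpiryTimeComputed accounts for those
#     policies where the domain supports it.
#   * The "Can Password Expire?" line reflects userAccountControl flags
#     only; it does not reflect the domain policy.

# Report any terminating error and stop the script.
Trap {"Error: $_"; Break;}

# Specify the user in Active Directory.
$User = [ADSI]"LDAP://cn=Jim Smith,ou=West,dc=MyDomain,dc=com"

# Retrieve user Distinguished Name.
$DN = $User.distinguishedName
"User: $DN"

# Retrieve Domain maximum password age policy, in days.
$D = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$Domain = [ADSI]"LDAP://$D"
$MPA = $Domain.maxPwdAge.Value

# Convert to Int64 ticks (100-nanosecond intervals).
$lngMaxPwdAge = $Domain.ConvertLargeIntegerToInt64($MPA)

# maxPwdAge is stored as a negative interval. The minimum Int64 value
# (0x8000000000000000) means passwords never expire; 0 is treated the same
# way here. Without this guard a zero age marks every password as expired,
# and the minimum value makes AddDays() below overflow.
$blnDomainHasMaxAge = ($lngMaxPwdAge -ne 0) -and ($lngMaxPwdAge -ne [Int64]::MinValue)

# Convert to days (600000000 ticks per minute * 1440 minutes per day).
# Reported as 0 when the domain sets no maximum age.
If ($blnDomainHasMaxAge)
{
    $MaxPwdAge = -$lngMaxPwdAge/(600000000 * 1440)
}
Else
{
    $MaxPwdAge = 0
}
"Domain Max Password Age (days): " + '{0:n3}' -f $MaxPwdAge

# Retrieve user password settings to check if password can expire.
# 64 = PASSWD_CANT_CHANGE, 65536 = DONT_EXPIRE_PASSWD.
# NOTE(review): the "cannot change password" restriction is normally
# enforced through the object's ACL, so bit 64 read from
# userAccountControl may not reflect it - confirm before relying on it.
$UAC = $User.userAccountControl
$blnPwdExpires = -not (($UAC.Item(0) -band 64) -or ($UAC.Item(0) -band 65536))
"Can Password Expire?: $blnPwdExpires"

# Retrieve value of pwdLastSet attribute of user.
$PLS = $User.pwdLastSet.Value

# Convert to Int64 ticks.
$lngValue = $User.ConvertLargeIntegerToInt64($PLS)

# Convert to date. pwdLastSet counts from January 1, 1601 (UTC), so 1600
# years are added to line it up with the .NET DateTime epoch.
# A value of 0 means the password must be changed at next logon.
$Date = [DateTime]$lngValue
If ($lngValue -eq 0)
{
    $PwdLastSet = "<Never>"
}
Else
{
    $PwdLastSet = $Date.AddYears(1600).ToLocalTime()
}
"Password Last Set (local time): $PwdLastSet"

# Determine if user password is expired.
$blnExpired = $False
$Now = Get-Date
If ($blnPwdExpires)
{
    If ($lngValue -eq 0)
    {
        # pwdLastSet of 0: the password is treated as already expired.
        $blnExpired = $True
    }
    ElseIf ($blnDomainHasMaxAge)
    {
        # Only compare against the policy when the domain enforces a
        # maximum age.
        If ($PwdLastSet.AddDays($MaxPwdAge) -le $Now)
        {
            $blnExpired = $True
        }
    }
}
"Password Expired? $blnExpired"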