By now most of us are aware that Active Directory dates are not the easiest bits of data to deal with. Wrapping our heads around how AD stores and deals with dates is very interesting on an intellectual level, and equally infuriating on a productivity level. Accessing this data from PowerShell is a useful technique to master. If you have yet to dive deep into dates it is time.
Just one quick date scenario/comment in this post. Working with the AccountExpires attribute in AD involves a strange experience that is not very intuitive. It is not overly complex, but it may have you shaking your head.
OK, so the attribute, associated with a user object, is the date that the account will expire. Makes sense so far.
If I need to access this information from PowerShell (imagine searching for all accounts that will expire in the next 30 days) then it is also relatively straightforward.
If the account has the ‘accountexpires’ attribute switched from a date to ‘Never’ it is also pretty easy to understand. The date in the image below is relatively common. You will likely handle that in your script. But if you see that date it means the account is set to ‘Never’ expire.
The problem arises with a new account where that bit has never been modified. The value in the ‘accountexpires’ attribute is nonsense. You will have to handle it in your script. If the script does not handle the bad data, PowerShell throws an error at you, and then your troubleshooting begins. Many MVPs and the like have discussed this, so it is relatively easy to find, but at first glance it is a bit of an oversight for the cmdlets. I guess you can’t handle everything!
Spend some time learning about handling dates in PowerShell. It is an interesting exercise that at times has you scratching your head. Once learned though, it will be easy to handle.
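The handling described above, as an added example that is not part of the original post: it classifies raw accountExpires values without throwing on the "never" cases and flags accounts expiring in the next 30 days. Convert-AccountExpires is a hypothetical helper name, the accounts are constructed sample objects standing in for Get-ADUser output, and it assumes that both 0 and [long]::MaxValue mean the account never expires.

```powershell
# Added example, not from the original post. Convert-AccountExpires is a
# hypothetical helper; the accounts below are constructed sample data.
function Convert-AccountExpires {
    param([long]$Value)
    # 0 and [long]::MaxValue both mean "never expires". MaxValue is what an
    # account holds when the setting was never touched, and it is outside the
    # range FromFileTimeUtc accepts.
    if ($Value -eq 0 -or $Value -eq [long]::MaxValue) { return $null }
    try {
        # FILETIME: 100-nanosecond ticks since 1601-01-01 UTC
        return [datetime]::FromFileTimeUtc($Value)
    } catch {
        return $null   # any other out-of-range value: no usable date
    }
}

$now    = [datetime]::UtcNow
$cutoff = $now.AddDays(30)

# Constructed stand-ins for: Get-ADUser -Filter * -Properties accountExpires
$accounts = @(
    [pscustomobject]@{ SamAccountName = 'new.user';   accountExpires = [long]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'never.user'; accountExpires = 0L }
    [pscustomobject]@{ SamAccountName = 'soon.user';  accountExpires = $now.AddDays(10).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'later.user'; accountExpires = $now.AddDays(90).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'past.user';  accountExpires = $now.AddDays(-5).ToFileTimeUtc() }
)

$report = foreach ($a in $accounts) {
    $expires = Convert-AccountExpires -Value $a.accountExpires
    if ($null -eq $expires) {
        $status = 'Never'
    } elseif ($expires -lt $now) {
        $status = 'Expired'
    } elseif ($expires -le $cutoff) {
        $status = 'ExpiresWithin30Days'
    } else {
        $status = 'Active'
    }
    [pscustomobject]@{
        SamAccountName = $a.SamAccountName
        ExpiresUtc     = $expires
        Status         = $status
    }
}

$report | Format-Table -AutoSize
```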
Nice article Kevin.
There’s a very good article here that explains this well including some code: http://social.technet.microsoft.com/wiki/contents/articles/31135.active-directory-large-integer-attributes.aspx
I’ve been using this method in my scripts for a couple of years now with 100% success.
Cheers,
Jeremy
What I would like to see if not covered somewhere already is PowerShell dealing with the multi-variable of the Password Expiration field for local server accounts. I have an immediate need for a script that will also SMTP email the list of dates and accounts for all servers in an OU.
Here is how you get the object by itself “substitute $user”
get-aduser $user -Properties * | select @{Name="AccountExpires";Expression={[datetime]::FromFileTime($_.Accountexpires)}}
if you want more properties than just this one.. just add them to the end with a ,property2,property3,property4 as noted below:
get-aduser $user -Properties * | select @{Name="AccountExpires";Expression={[datetime]::FromFileTime($_.Accountexpires)}},Samaccountname,Description
So does this script work for extracting the info for the accountexpire attribute if it is set to never?
This was a good article and led me in the right direction, but didn’t quite address my issue. Some users' expiration dates had never been touched and they were producing only blanks in my particular script. I overcame that by simply replacing any blank result with a specific value. Other accts that had expiration dates past or future were handled correctly in the script already.
$expiry = Get-ADUser -Identity $usersam -Properties accountexpirationdate | select -expandproperty accountexpirationdate
# accountexpirationdate comes back empty ($null) when no expiration date is set
if (-not $expiry) {set-variable -name expiry -value "No expiration date"}
I already had a provision in the script to add X number of days to the current date and do a compare date for each user.
The compare function
($expiry) -lt (get-date)
would return (in this case) a True for expired and False for not. You could switch the true/false values for your situation by replacing -lt (less than) with -gt (greater than).
Hi,
Can you please suggest a query to extract AD users based on the account expiry date range,
i.e., the list of users whose accounts are going to expire between 23rd Dec and 4th Jan.
Please, ASAP.
Regards,
QWERTY
Is there any possibility that I set an account to expire at a particular date and AD will add time to it? Like: if my account expires at the end of 4th Feb, AD will add 10 hours to it and my new expiry will become 5th Feb 10 AM. Is there any configuration available in AD?
Thanks for the descriptions, they just helped me with exporting and converting the date.
AccountExpires is set to [int64]::maxvalue by default. You can’t convert it to datetime, but it will be larger than any real expiration date for comparisons.
(get-aduser js2010 -Property accountexpires).accountexpires
9223372036854775807
[int64]::MaxValue
9223372036854775807