By now most of us are aware that Active Directory dates are not the easiest bits of data to deal with. Wrapping our heads around how AD stores and deals with dates is very interesting on an intellectual level, and equally infuriating on a productivity level. Accessing this data from PowerShell is a useful technique to master. If you have yet to dive deep into dates it is time.
Just one quick date scenario/comment in this post. In Working with the AccountExpires attribute in AD there is a strange experience that is not super intuitive. Not overly complex, just may have you shaking your head.
OK, so the attribute, associated with a user object, is the date that the account will expire. Makes sense so far.
If I need to access this information from PowerShell (imagine searching for all accounts that will expire in next 30 days) then it is also relatively straight forward.
If the account has the ‘accountexpires’ attribute switched from a date to ‘Never’ it is also pretty easy to understand. The date in the image below is relatively common. You will likely handle that in your script. But if you see that date it means the account is set to ‘Never’ expire.
The problem arises with a new account where that bit has never been modified. The value is the ‘accountexpires’ attribute is nonsense. You will have to handle it in your script. If the script does not handle the bad data, PowerShell throws an error at you, and then your troubleshooting begins. Many MVPs and the like have discussed this so it is relatively easy to find but at first glance it is a bit of an oversight for the cmdlets. I guess you can’t handle everything!
Spend some time learning about handling dates in PowerShell. It is an interesting exercise that at times has you scratching your head. Once learned though, it will be easy to handle.