Reading Password Age

by Feb 14, 2011

When you want to find out the password age of Active Directory accounts, you can use this piece of code:

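function Get-PwdAge {
    # Match user accounts only (objectClass=user alone would also match computer accounts)
    $filter = '(&(objectCategory=person)(objectClass=user))'

    # RootDSE exposes the distinguished name of the current domain
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $filter
    $SearchRoot = $root.defaultNamingContext
    # The search covers the default Users container and everything below it
    $searcher.SearchRoot = "LDAP://CN=Users,$SearchRoot"
    $searcher.SearchScope = 'SubTree'
    $searcher.SizeLimit = 0
    $searcher.PageSize = 1000
    $searcher.FindAll() | Foreach-Object {
        $account = $_.GetDirectoryEntry()
        # pwdLastSet is a FILETIME value; 0 (password must be changed at next logon)
        # converts to the start of the FILETIME epoch (1 January 1601 UTC)
        $pwdset = [datetime]::fromfiletime($_.properties.item("pwdLastSet")[0])
        $age = (New-TimeSpan $pwdset).Days

        # Build one result object per account
        $info = 1 | Select-Object Name, Age, LastSet
        $info.Name = $account.SamAccountName[0]
        $info.Age = $age
        $info.LastSet = $pwdset
        $info
    }
}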

It will return the first 1,000 users in your AD. As such, you may want to fine-tune $filter and include more filter criteria to limit the results to specific users.
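
One way to fine-tune $filter, as an added example that is not part of the original tip: the age test and an enabled-accounts test are moved into the LDAP filter, so only stale, enabled accounts come back. The function name Get-StalePwd and its parameters MinAgeDays and SearchBase are hypothetical, and the 90-day default is an assumed threshold.

```powershell
# Added example: Get-StalePwd, MinAgeDays and SearchBase are hypothetical names.
function Get-StalePwd {
    param(
        [int]$MinAgeDays = 90,   # assumed threshold, adjust to your password policy
        [string]$SearchBase      # optional DN such as an OU; defaults to the whole domain
    )

    # pwdLastSet is stored as a FILETIME (100-ns ticks since 1601-01-01 UTC),
    # so the age cut-off can be compared on the server inside the LDAP filter.
    $cutoff = (Get-Date).AddDays(-$MinAgeDays).ToFileTimeUtc()

    # userAccountControl bit 2 = ACCOUNTDISABLE; matching rule 1.2.840.113556.1.4.803
    # is a bitwise AND, so the negated clause keeps enabled accounts only.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(pwdLastSet<=$cutoff))"

    if (-not $SearchBase) {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry('LDAP://RootDSE')
        $SearchBase = $rootDse.Properties['defaultNamingContext'][0]
    }

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBase")
    $searcher.Filter = $filter
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000
    # Request only the attributes used below instead of binding to each object.
    $searcher.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'pwdLastSet'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            $raw = [int64]$r.Properties['pwdlastset'][0]
            # 0 means "must change at next logon" (or never set): there is no real date.
            $lastSet = if ($raw -gt 0) { [datetime]::FromFileTime($raw) } else { $null }
            New-Object PSObject -Property @{
                Name    = [string]$r.Properties['samaccountname'][0]
                LastSet = $lastSet
                Age     = if ($lastSet) { (New-TimeSpan $lastSet).Days } else { $null }
            }
        }
    }
    finally { $results.Dispose(); $searcher.Dispose() }
}
```

Accounts with pwdLastSet equal to 0 still match the filter and are reported with an empty LastSet and Age, which keeps them visible without assigning them a bogus age of several hundred years.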
