Using AD Filters with Cmdlets (Part 4)

by Aug 3, 2018

In the previous tip we started to look at how cmdlets from the ActiveDirectory module (part of the free RSAT tools) can filter results, and looked at combining filter expressions. Today let’s look at how to deal with date and time

Some AD attributes contain date and time information, such as the date of last login. This type of information is represented as a very long 64-bit integer. You can use date and time in your LDAP filter as long as you use this format.

For example, to find all users that did not changed their password within the last 4 weeks, here is how you can find them:

$weeks = 4
# first, find out the AD time format from
# 4 weeks ago that will be used in the LDAPFilter

$today = Get-Date
# 4 weeks ago
$cutDate = $today.AddDays(-($weeks * 7))
# translate in AD time format
$cutDateAD = $cutDate.ToFileTimeUtc()

# next, find a way to convert back the AD file format
$realDate = @{
  Name = 'Date'
  Expression = { if ($_.pwdLastset -eq 0)


Get-ADUser -LDAPFilter "(pwdLastSet<=$cutDateAD)" -Properties pwdLastSet | 
  Select-Object -Property samaccountname, $realDate

Essentially, when you call ToFileTimeUtc() on a DateTime object, you get back the AD format. Likewise, when you run [DateTime]::FromFileTimeUtc(), you convert an AD format to a real DateTime.

Twitter This Tip! ReTweet this Tip!