Working with dozens of different customers, I have seen this request come up a lot, so I came up with a few ways to collect this information. You can modify them and run your own version as required.
Many groups I have worked with have asked for lists of users whose passwords were on the verge of expiring. Here are a few of the most common methods I have shared with them:
To get a list of users in an OU whose passwords are older than 30 days, try this in PowerShell. Add return fields to the select section as desired:
Get-ADUser -SearchBase "ou=targetou,dc=domain,dc=com" -filter * -Properties * | select Displayname, PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-30)}
If you have a list of login names in a text file for users scattered throughout the directory, you can try this:
Get-Content .\users.txt | ForEach-Object {Get-ADUser $_ -Properties * | select Displayname, PasswordLastSet} | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-30)}
Sometimes, you get a list of "user names" that is actually a list of email addresses, in which case you can try this (and you can choose your own attribute filter if needed):
Get-Content .\emailaddress.txt | ForEach-Object {Get-ADUser -Filter {EmailAddress -eq $_} -Properties * | select SamAccountName, DisplayName, PasswordLastSet, EmailAddress} | Where-Object {$_.PasswordLastSet -lt (Get-Date).AddDays(-30)}
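The commands above report password age. To report the actual expiry date, the constructed attribute msDS-UserPasswordExpiryTimeComputed can be read instead; it reflects the password policy in effect for each account, including fine-grained policies. The following is an added example that goes beyond the commands in the original post and is not the author's code; the function name, its parameters and the 14-day window are assumptions chosen for illustration.

```powershell
# Added example: list enabled users whose passwords expire within a window.
# Requires the ActiveDirectory module (RSAT). The function name, parameters
# and default window are illustrative, not from the original post.
Import-Module ActiveDirectory

function Get-ExpiringPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [int] $WithinDays = 14
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($WithinDays)
    # Value the directory returns when the password never expires.
    $never  = [Int64]::MaxValue

    $query = @{
        SearchBase = $SearchBase
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'DisplayName', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    }

    Get-ADUser @query | ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # Skip accounts with no usable expiry: null, 0 (password never set or
        # must change at next logon) or the "never expires" value.
        if (-not $raw -or $raw -eq $never) { return }

        $expires = [DateTime]::FromFileTime($raw)
        if ($expires -gt $now -and $expires -le $cutoff) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                DisplayName     = $_.DisplayName
                PasswordLastSet = $_.PasswordLastSet
                PasswordExpires = $expires
                DaysLeft        = [int][math]::Floor(($expires - $now).TotalDays)
            }
        }
    } | Sort-Object PasswordExpires
}

# Same placeholder OU as in the commands above.
Get-ExpiringPassword -SearchBase 'ou=targetou,dc=domain,dc=com' -WithinDays 14
```

Accounts whose password has already expired are left out by the `$expires -gt $now` test; drop that condition to include them in the report.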
That should be a good jumping off point. Enjoy!!
"I have the POWER!!" (guess...)
- Peter Trast, MCITP EA, MCITP DBA, MCT