pwsh..Password Mgmt

Password Not Expire

Searching All

Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object DistinguishedName,Name,Enabled

Only enabled users

Get-ADUser -Filter {Enabled -eq $true} -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object Name,SamAccountName,DistinguishedName

Enabled only, plus excluding HealthMailbox because it craps up the results

Get-ADUser -Filter {Enabled -eq $true -and Name -notlike "HealthMailbox*"} -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object Name,SamAccountName,DistinguishedName

Expiry

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -SearchBase 'OU=ServiceAccounts,OU=Datacenter,DC=coolDomain,DC=COM' -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "SamAccountName","UserPrincipalName","Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Sort-Object ExpiryDate

Extend password expiration

Run the following command to reset the pwdlastset attribute to 0.

Set-ADUser -Identity username -Replace @{pwdlastset="0"}

Next run the command to reset the pwdlastset attribute to -1.

Set-ADUser -Identity username -Replace @{pwdlastset="-1"}  

IMPORTANT: You need to run both commands; do not just set it to -1 or it will not work correctly.
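
The pwdlastset reset above restarts the expiry clock without a new password being set, so it helps to be able to find where it has been done. The following is an added example, not part of the original notes: it compares the replication metadata of pwdLastSet and unicodePwd and lists enabled accounts whose pwdLastSet was written later than the password itself. The function name Find-PwdLastSetReset, its parameters, the one-minute tolerance and the server name in the sample call are assumptions.

```powershell
#Requires -Modules ActiveDirectory

# Added example (hypothetical function name and parameters).
# A real password change writes unicodePwd and pwdLastSet together.
# If pwdLastSet was written later than unicodePwd, the expiry clock
# was restarted without a new password being set.
function Find-PwdLastSetReset {
    [CmdletBinding()]
    param(
        # Domain controller to read replication metadata from
        [Parameter(Mandatory)] [string] $Server,
        # Optional OU to limit the search; whole domain when omitted
        [string] $SearchBase,
        # Ignore gaps smaller than this between the two attribute writes
        [timespan] $Tolerance = [timespan]::FromMinutes(1)
    )

    $query = @{ Filter = 'Enabled -eq $true'; Server = $Server }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $metaArgs = @{
            Object     = $user.DistinguishedName
            Server     = $Server
            Properties = 'pwdLastSet', 'unicodePwd'
        }
        $meta    = Get-ADReplicationAttributeMetadata @metaArgs
        $plsMeta = $meta | Where-Object AttributeName -eq 'pwdLastSet'
        $pwMeta  = $meta | Where-Object AttributeName -eq 'unicodePwd'
        if (-not $plsMeta -or -not $pwMeta) { continue }  # no password metadata

        $gap = $plsMeta.LastOriginatingChangeTime - $pwMeta.LastOriginatingChangeTime
        if ($gap -gt $Tolerance) {
            [pscustomobject]@{
                SamAccountName    = $user.SamAccountName
                PasswordChanged   = $pwMeta.LastOriginatingChangeTime
                PwdLastSetWritten = $plsMeta.LastOriginatingChangeTime
                PwdLastSetVersion = $plsMeta.Version
                UnicodePwdVersion = $pwMeta.Version
            }
        }
    }
}

# Sample call (constructed server name):
# Find-PwdLastSetReset -Server 'dc01.coolDomain.com' | Sort-Object PwdLastSetWritten
```

An account also shows up here when "User must change password at next logon" was ticked and then cleared, because that writes the same attribute.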