Get AD Computer Account Password Expiration Date With Age Data
Knowing the AD computer account password expiration date is of vital importance. Admins must have a solid idea of how often a scheduled machine password change occurs or if it occurs at all.
This is mainly due to the fact that it is a key pillar in maintaining Active Directory security. On top of that, computers are the resource that allows users to perform their duties.
During the user login event, a computer-level verification also happens in the background. So if the DC rejects the computer, it is the users who are stuck and can’t access other AD resources that are on the domain.
Therefore, we use this writeup to guide administrators in determining when exactly a computer password was last set. Let’s start with the scripts.
How PowerShell Allows Admins to Check Computer Password Last Set Date
```powershell
# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# Define colors
$red = "Red"
$yellow = "Yellow"
$green = "Green"

# Get the list of computers in the domain
$computers = Get-ADComputer -Filter * -Properties Name, PasswordLastSet, PasswordNeverExpires

# Read the maximum password age once from the default domain password policy
$maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

# Initialize result array
$result = @()

# Process each computer
foreach ($computer in $computers) {
    $name = $computer.Name
    $passwordNeverExpires = $computer.PasswordNeverExpires
    $passwordLastSet = $computer.PasswordLastSet
    $daysToExpiry = 0
    $status = ""

    if ($passwordNeverExpires) {
        $status = $red
    }
    elseif (-not $passwordLastSet) {
        # PasswordLastSet is empty when the password has never been set;
        # skip the date arithmetic, which would otherwise throw an error
        $status = "NeverSet"
    }
    else {
        # Calculate days to password expiry
        $expiryDate = $passwordLastSet + $maxPasswordAge
        $daysToExpiry = ($expiryDate - (Get-Date)).Days

        if ($daysToExpiry -gt 30) {
            $status = $yellow
        }
        elseif ($daysToExpiry -le 30 -and $daysToExpiry -ge 0) {
            $status = $green
        }
        else {
            $status = "Expired"
        }
    }

    # Add result to array
    $result += [PSCustomObject]@{
        ComputerName = $name
        DaysToExpiry = $daysToExpiry
        Status       = $status
    }
}

# Define a function to write colorized output
function Write-ColorizedTable {
    param (
        [Parameter(Mandatory = $true)]
        [array]$data
    )

    # One format string for header and rows so the columns line up
    $format = "{0,-25} {1,-13} {2}"

    # Print header
    Write-Host ($format -f "ComputerName", "DaysToExpiry", "Status") -ForegroundColor White
    Write-Host ($format -f "------------", "------------", "------") -ForegroundColor White

    # Print each row with respective colors
    foreach ($entry in $data) {
        $color = $entry.Status
        $output = $format -f $entry.ComputerName, $entry.DaysToExpiry, $entry.Status

        switch ($color) {
            "Red"    { Write-Host $output -ForegroundColor Red }
            "Yellow" { Write-Host $output -ForegroundColor Yellow }
            "Green"  { Write-Host $output -ForegroundColor Green }
            default  { Write-Host $output -ForegroundColor Gray }
        }
    }
}

# Call the function to display the results
Write-ColorizedTable -data $result
```
This script displays a color-coded output of the computer password policy.
To export these results out of a view-only state, you have to change the original script. If code bothers you, you can instead use the native, script-free options in Active Directory.
Traditional AD Resources to View Machine Account Password Age
ADUC can not only locate the computer OU but also help you check the password expiration date:
- Launch ADUC instance.
- Click View on Main menu Ribbon > Toggle Advanced Features.
- Select the Computer object whose Last Password change date you want to see.
- Right-click > Properties > Attribute Editor > pwdLastSet.
Using Administrative Center
- Open ADAC > Click on Global Filter > Use LDAP (objectCategory=computer)
- Select the computer object > Go to Extensions > Attribute Editor > pwdLastSet.
However, the admin has to repeat these steps for each computer object, which is too time-consuming, so instead they can deploy an automated alternative.
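The raw pwdLastSet attribute read in the steps above is stored as a Windows FILETIME integer (100-nanosecond intervals since 1601-01-01 UTC). The following is an added example, not code from the original article or from the SysTools product: it converts that value to a date, computes the password age, and exports the result to CSV. The function name, the `StaleAfterDays` parameter, the output file name and the sample rows are assumptions made for illustration.

```powershell
# Added example: convert raw pwdLastSet values into an exportable age report.
function ConvertTo-MachinePasswordAgeReport {   # hypothetical helper name
    [CmdletBinding()]
    param (
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$Computer,
        # Assumed threshold; 30 matches the default cycle the article mentions
        [int]$StaleAfterDays = 30,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    process {
        # A missing attribute casts to 0, the same as "never set"
        $raw = [int64]$Computer.pwdLastSet
        if ($raw -le 0) {
            $lastSet = $null
            $age     = $null
            $state   = 'NeverSet'
        }
        else {
            $lastSet = [datetime]::FromFileTimeUtc($raw)
            $age     = [int][math]::Floor(($Now - $lastSet).TotalDays)
            $state   = if ($age -gt $StaleAfterDays) { 'Stale' } else { 'Current' }
        }
        [PSCustomObject]@{
            ComputerName       = $Computer.Name
            PasswordLastSetUtc = $lastSet
            PasswordAgeDays    = $age
            State              = $state
        }
    }
}

# Constructed sample rows (not real hosts) so the block runs without a domain.
$now = [datetime]::new(2024, 6, 1, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [PSCustomObject]@{ Name = 'WS-EXAMPLE-01';  pwdLastSet = $now.AddDays(-12).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'WS-EXAMPLE-02';  pwdLastSet = $now.AddDays(-95).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'SRV-EXAMPLE-01'; pwdLastSet = 0 }
)

$report = $sample | ConvertTo-MachinePasswordAgeReport -Now $now
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\MachinePasswordAge.csv -NoTypeInformation

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties pwdLastSet |
#     ConvertTo-MachinePasswordAgeReport |
#     Export-Csv -Path .\MachinePasswordAge.csv -NoTypeInformation
```

With the sample rows, WS-EXAMPLE-01 is reported as Current (12 days), WS-EXAMPLE-02 as Stale (95 days) and SRV-EXAMPLE-01 as NeverSet.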
Determine AD Computer Account Password Expiration Frequency Professionally
The SysTools AD Reporting software is the key to finding the last date on which a machine password change happened. Admins can use the GUI to easily figure out how many computers are still on the default 30-day cycle similar to the one we used to find inactive computers in the Active Directory setup.
Apart from the password expiry category, the tool also has a password never expires filter. So admins can get the full data with just a few clicks. Every detail is visible within the dashboard, and admins can view and change the machine password policy in real-time.
As the tool can be operated remotely and reflects all changes in real-time, it acts as a useful assistant for administrators who want to determine the frequency of computer account password changes. Next up, we cover the steps that administrators need to perform to make the report.
Procedure to Get Active Directory Machine Account Password Last Set Date Via the Tool
Step 1. Launch the tool and use the prefilled “administrator” credentials to log in.
Step 2. Connect the Domain by clicking on the “Register Domain Controller” button.
Step 3. In the box, type in a Domain Friendly Name and enter the IP address.
Step 4. Then go to the domain details page & perform the actual admin credential validation.
Step 5. Go to the Report tab under Computers > Select Password Changed.
Step 6. Add a Date picker to define a timeline from which to pull the data.
Step 7. Click on the Preview button to see the machine password’s last set date.
Step 8. Select > Download > CSV > Choose a location to store the result.
Conclusion
Here we explain the AD computer account password expiration policy and the methods to check the last set date. Although Active Directory provides some methods, like the ADUC snap-in and PowerShell cmdlets, they are often confusing and lack repeatability. As an alternative, we introduced a professional and automated utility that brings out the machine password age in no time.