Get-ADUser returns empty value for Active Directory attribute msDS-UserPasswordExpiryTimeComputed

Today I wrote a script for a customer of mine to send emails to remote users whose password will expire in 10 days or less, telling them that they have to change it. To find out when a user's password will expire I used the PowerShell cmdlet Get-ADUser and read the AD property 'msDS-UserPasswordExpiryTimeComputed':

# Query the computed expiry time (a FILETIME value) and convert it to a DateTime.
# Note the plain ASCII hyphen in -Properties: a typographic dash breaks the parameter.
$users = Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "UserPrincipalName", "GivenName", "SN", "Mail" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, "UserPrincipalName", "GivenName", "SN", "Mail" | Sort-Object DisplayName
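The one-liner above has a trap worth seeing in code: when the caller is not allowed to read the attribute, Get-ADUser returns $null for it, $null casts to the 64-bit integer 0, and [datetime]::FromFileTime(0) quietly yields 1601-01-01 instead of an error. The following script is an added example, not the author's script; it runs the same query but separates "unreadable" from a real date, handles the 0x7FFFFFFFFFFFFFFF "never expires" marker (FromFileTime throws on it), and flags accounts inside the warning window. The 10-day threshold comes from the post; the Status column names and $WarnDays variable are my own.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a caller that may or may not be allowed to read the computed attribute.
Import-Module ActiveDirectory

$WarnDays = 10          # warning window from the post
$Now      = Get-Date

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed", "Mail"

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # $null is the symptom from the post: the caller lacks read permission on the
    # attribute. Casting $null to [int64] gives 0, and FromFileTime(0) is
    # 1601-01-01, so an unchecked script reports a bogus date instead of failing.
    if ($null -eq $raw) {
        [pscustomobject]@{ DisplayName = $u.DisplayName; Mail = $u.Mail
                           Status = 'UNREADABLE'; ExpiryDate = $null; DaysLeft = $null }
        continue
    }

    # 0x7FFFFFFFFFFFFFFF means the password never expires under the effective
    # policy (e.g. maximum password age 0). FromFileTime throws on it.
    if ([int64]$raw -eq [int64]::MaxValue) {
        [pscustomobject]@{ DisplayName = $u.DisplayName; Mail = $u.Mail
                           Status = 'NEVER'; ExpiryDate = $null; DaysLeft = $null }
        continue
    }

    $expiry   = [datetime]::FromFileTime([int64]$raw)
    $daysLeft = [math]::Floor(($expiry - $Now).TotalDays)
    $status   = if ($daysLeft -lt 0)          { 'EXPIRED' }
                elseif ($daysLeft -le $WarnDays) { 'WARN' }
                else                             { 'OK' }

    [pscustomobject]@{ DisplayName = $u.DisplayName; Mail = $u.Mail
                       Status = $status; ExpiryDate = $expiry; DaysLeft = $daysLeft }
}

# If every row is UNREADABLE, stop before mailing anyone: the task account
# lacks the permission described below, and the data is not trustworthy.
$unreadable = @($report | Where-Object Status -eq 'UNREADABLE')
if ($unreadable.Count -eq $report.Count -and $report.Count -gt 0) {
    throw "msDS-UserPasswordExpiryTimeComputed is not readable by $env:USERNAME; check the ACE on the domain."
}

$report | Sort-Object DisplayName | Format-Table DisplayName, Status, ExpiryDate, DaysLeft -AutoSize

# Candidates for the reminder mail:
$toNotify = $report | Where-Object Status -eq 'WARN'
```

Failing closed when every value is unreadable is the point: an earlier version of such a script would happily compute "expires 1601-01-01, -150000 days left" for every user and either mail everyone or no one, depending on the comparison.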

This worked on the Domain Controller but not on the Exchange Server, so I was wondering why. After some tests I found the reason: on the Domain Controller I used a domain administrator to execute the PowerShell cmdlet, while on the Exchange server I was using a standard scheduled task user with only local administration rights. So I granted the task user the permission to read the property in the Active Directory Users and Computers console:

  1. Open the Active Directory Users and Computers console
  2. Right-click the domain and select "Properties"
  3. Switch to the "Security" tab and add the task user with read permission
  4. Select the task user and click "Advanced"
  5. Find the task user in the list, mark it and click "Edit"
  6. Select "Descendant User objects" in the "Apply to" drop-down and switch to the "Properties" tab
  7. Scroll down the list and make sure that the option "Read msDS-UserPasswordExpiryTimeComputed" is allowed
  8. Click OK and close the dialogs
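The GUI steps above create an access control entry on the domain head: an Allow for the task user, right ReadProperty, object type = the schema GUID of msDS-UserPasswordExpiryTimeComputed, inherited object type = the user class, inheritable to descendants. The script below is an added example (not from the post) that verifies such an ACE is present before the scheduled task is deployed, so a missing or mistyped permission is caught in a review rather than as an empty column at 3 a.m. It resolves both GUIDs from the schema instead of hard-coding them; the account name CONTOSO\svc-pwdexpiry is a placeholder.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# which also provides the AD: PowerShell drive used by Get-Acl.
Import-Module ActiveDirectory

$TaskUser = 'CONTOSO\svc-pwdexpiry'     # placeholder: the scheduled task account

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaDn = $rootDse.schemaNamingContext

# Look up schemaIDGUID for an attribute or class by its LDAP display name.
function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    $obj = Get-ADObject -SearchBase $schemaDn -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$attrGuid      = Get-SchemaGuid 'msDS-UserPasswordExpiryTimeComputed'
$userClassGuid = Get-SchemaGuid 'user'

# Any of these rights is sufficient to read a property.
$readRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'

$acl = Get-Acl -Path "AD:\$domainDn"

# An ACE satisfies the requirement when it is an Allow for the task user, carries a
# read right, targets this attribute (or all properties: ObjectType = empty GUID),
# and applies to descendant user objects (InheritedObjectType = user class, or all
# descendant objects: empty GUID) with inheritance enabled.
$matching = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -eq $TaskUser -and
    (($_.ActiveDirectoryRights -band $readRights) -ne 0) -and
    ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty) -and
    ($_.InheritedObjectType -eq $userClassGuid -or $_.InheritedObjectType -eq [guid]::Empty) -and
    $_.InheritanceType -ne 'None'
}

if ($matching) {
    "OK: $TaskUser can read msDS-UserPasswordExpiryTimeComputed on descendant users of $domainDn"
    $matching | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
} else {
    Write-Warning "No matching ACE for $TaskUser on $domainDn; the script will see empty values for the attribute."
}
```

Two limits of this check: it inspects only the domain head, so an ACE granted lower in the OU tree, or a Deny ACE that blocks inheritance, is not seen; and it matches ACEs by attribute GUID or "all properties", not by property set, so a right granted through a property set that contains the attribute would show up as a false negative. Both are reasons to keep the grant exactly as narrow as the GUI steps make it (one attribute, descendant user objects only) rather than widening it to a generic read of the whole domain.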

After the change my task user was able to read the property, and the script showed me the time the password will expire.
