FUNctions: Episode VII, The Password Expiry Awakens
Man, these Star Wars themed titles are getting rough…
On this episode of FUNctions, let’s talk about password expiration. With the holidays coming up, nothing is worse than your tier 1 support getting bombarded with last minute password changes. In my use case, I’m getting users stating “I’m going on vacation X through Y, will my password expire while I’m out?” I’m tired of doing the math, so let’s automate it. Also, let’s automate this without converting datetime formatted values into integers and back again. The less math, the better!
Let’s make a simple function to tell us exactly when a password will expire based on our password policy (set by Group Policy), and tell us how many days the end user has left until expiry. While this is able to alleviate my annoyances, it can also be used as a building block for many other password expiration tools – for example: email notifications for upcoming expiry.
TL;DR >>> Available on GitHub
Section 1 | F is for Function
Let’s not waste any time. Peep the code below and then read the follow up explanation:
function Get-PasswordExpiration {
    param (
        [string] $User,
        [int] $ExpirationDays = 90   ### change this value to match your Group Policy maximum password age
    )

    # Pull only the attributes we need from Active Directory
    $ADUser = Get-ADUser -Identity $User -Properties PasswordLastSet, UserPrincipalName

    # Expiry = the date the password was last set plus the policy's maximum age
    $NextExpiry = (Get-Date -Date $ADUser.PasswordLastSet).AddDays($ExpirationDays)

    # Let New-TimeSpan do the date math; .Days gives us a whole number of days
    $DaysUntilExpiry = (New-TimeSpan -Start (Get-Date) -End $NextExpiry).Days
The big kicker here is the $ExpirationDays variable. Assign it an integer value matching the maximum password age in the password policy you have set via Group Policy. With that value set, we’re able to get the expiry date via the line of code for the $NextExpiry variable. To break it down, we’re taking the PasswordLastSet property from our AD user and adding that many days to the datetime value.
I found a cool new cmdlet called New-TimeSpan that calculates the distance of time between a start and end date. Let PowerShell do the heavy lifting in terms of calculations between datetime values. There’s no need to convert the values to integers and back!
Now, once you have the $DaysUntilExpiry value set, let’s do some boolean logic. This is where you are free to break off and build your own tools with this logic.
    # 21+ days: green, 7-20 days: yellow, anything less (or already expired): red
    if ($DaysUntilExpiry -ge 21) {
        Write-Host "User: $($ADUser.UserPrincipalName) | Password Expires in $DaysUntilExpiry days on $($NextExpiry)" -ForegroundColor Green
    }
    elseif ($DaysUntilExpiry -ge 7) {
        Write-Host "User: $($ADUser.UserPrincipalName) | Password Expires in $DaysUntilExpiry days on $($NextExpiry)" -ForegroundColor Yellow
    }
    else {
        Write-Host "User: $($ADUser.UserPrincipalName) | Password Expires in $DaysUntilExpiry days on $($NextExpiry)" -ForegroundColor Red
    }
}
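One caveat worth building in before you turn this into an email notifier: a hard-coded $ExpirationDays ignores fine-grained password policies, accounts flagged PasswordNeverExpires, and users who must change their password at next logon (PasswordLastSet is null for them, and the date math above would throw). Active Directory already computes the effective expiry in the constructed attribute msDS-UserPasswordExpiryTimeComputed, so the added example below (my own, not the original post’s code) asks AD for that value and returns an object instead of Write-Host text; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the $WarnDays threshold is my own choice.

```powershell
function Get-PasswordExpiryReport {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string] $User,
        [int] $WarnDays = 14   # assumption: how many days out counts as "expiring soon"
    )
    # Ask AD for its own computed expiry rather than hard-coding a day count
    $ADUser = Get-ADUser -Identity $User -Properties PasswordLastSet, PasswordNeverExpires,
        UserPrincipalName, 'msDS-UserPasswordExpiryTimeComputed'

    # Effective max age: a fine-grained policy (if any) wins over the domain default
    $Policy = Get-ADUserResultantPasswordPolicy -Identity $User -ErrorAction SilentlyContinue
    if (-not $Policy) { $Policy = Get-ADDefaultDomainPasswordPolicy }

    $Result = [pscustomobject]@{
        UserPrincipalName = $ADUser.UserPrincipalName
        PasswordLastSet   = $ADUser.PasswordLastSet
        MaxPasswordAge    = $Policy.MaxPasswordAge
        ExpiresOn         = $null
        DaysUntilExpiry   = $null
        Status            = 'Unknown'
    }

    # FILETIME value (100ns ticks since 1601); Int64.MaxValue is AD's "never expires" sentinel
    $Raw = $ADUser.'msDS-UserPasswordExpiryTimeComputed'
    if ($ADUser.PasswordNeverExpires -or $Raw -eq [Int64]::MaxValue) {
        $Result.Status = 'NeverExpires'   # worth reporting in an audit, not silently skipping
        return $Result
    }
    if (-not $ADUser.PasswordLastSet) {
        $Result.Status = 'MustChangeAtNextLogon'   # PasswordLastSet is null when this flag is set
        return $Result
    }

    if ($Raw) {
        $Result.ExpiresOn = [DateTime]::FromFileTime($Raw)
    } else {
        # Fallback if the constructed attribute was not returned: same math as the original post
        $Result.ExpiresOn = $ADUser.PasswordLastSet + $Policy.MaxPasswordAge
    }
    $Result.DaysUntilExpiry = (New-TimeSpan -Start (Get-Date) -End $Result.ExpiresOn).Days
    $Result.Status = if ($Result.DaysUntilExpiry -lt 0) { 'Expired' }
                     elseif ($Result.DaysUntilExpiry -le $WarnDays) { 'ExpiringSoon' }
                     else { 'OK' }
    return $Result
}
```

Because it returns an object, you can pipe it straight into Where-Object or Send-MailMessage instead of parsing colored console text.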
Since I run this from my terminal, I just made some silly Write-Host outputs, but I feel that we can make this way more powerful.
Section 2 | Cliffhanger
Add this function to your custom module, or build upon it. There’s so much we can do around password expiration now that we have the logic broken down, like sending an expiration notification via email…
Remember, kids:
This project is provided “as is” without any warranty of any kind, express or implied. Use it at your own risk. The authors and contributors are not responsible for any damage, data loss, or other issues that may arise from using this software. You are solely responsible for any actions taken based on this code.