User accounts set to expire

Use the following PowerShell to find User's expiration status & dates.

The Attribute:

The LDAP attribute we are interested in here is "AccountExpires". This field contains a time string formatted in NT Epoch time. (See "Accounts that will Expire" below to convert it.)

You can use the following PowerShell to select it:
Get-ADUser -Identity "JHeisler" -Properties ("AccountExpires")

Accounts set to "Never" expire:

If the "AccountExpires" attribute contains "9223372036854775807" or "0" that indicates that the user's account is set to never expire.

Accounts that will expire:

If an account is set to expire, (i.e. "AccountExpires" attribute does not contain "9223372036854775807" or "0") We can convert it using w32tm.exe with the /ntte [AccountExpires] argument. See Below:

Lets say the "AccountExpires" attribute contains 133002945050000000. We can convert this to a readable date using the following command:

w32tm.exe /ntte 133002945050000000

Witch will output:
 
153938 14:15:05.0000000 - 06/21/2022 10:15:05

So we can see this user account will expire on 6/21/2022 at 10:15

Function to Set expiration to 90 Days from current date:

Needed to write this for My work, thought I'd share it. Its basically the Set-ADAccountExpiration with some extra logic.

Comments

Post a Comment

Popular posts from this blog

Create Profiles for Managing Microsoft Exchange using Windows Terminal (Online and On-Prem)

Image
I use Windows Terminal a lot and I wanted to show off how I setup Exchange Management profiles to make my life easier. Enjoy! Exchange Online: In Windows Terminal, go to "Settings" and click "Add a new profile" at the bottom. Give it a name you like, and in the "Command line" field, Paste the following: powershell.exe -NoExit -Command "Import-Module ExchangeOnlineManagement; Connect-ExchangeOnline -UserPrincipalName user@contoso.com"  Make sure to replace the UserPrincipalName property with your own. On-Prem Exchange: In Windows Terminal, go to "Settings" and click "Add a new profile" at the bottom. Give it a name you like, and in the "Command line" field, Paste the following: powershell.exe -NoExit -Command "$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://exchange.domain.com/powershell/; Import-PSSession $Session -DisableNameChecking"  Make sure to replace the Connecti...
Read more

Give a User 'SendAs' permssions to a Mail-Enabled AD Group in Exchange Online

Image
Really specific situation I know, but this took me an embarrassing amount of time to figure out. Thankfully, its pretty simple. Just use the 'RecipientPermission' cmdlets: Add-RecipientPermission -Identity GROUP -Trustee USERNAME -AccessRights SendAs Where GROUP is the 'samAccountName' or 'Primary Email' of the group you want to allow the user to send as and USERNAME is the 'samAccountName' of the user. You can also use the following to see who already has 'Send As' permissions for the group Get-RecipientPermission -Identity GROUP Example:
Read more

Get a User's Active Directory Groups

Problem: You need to list out a User's AD Groups quickly and in a way you can copy and paste them. Solution: So we can use the Get-ADUser cmlet with the "Properties" parameter specifying "Member Of" to get a list of AD Groups. The issue is the groups are formatted as distinguished names which are not very easy to read. PS C:\Users\jheisler> (Get-ADUser -Identity "jheisler" -Properties "MemberOf").MemberOf CN=ITTeam,OU=O365,DC=johnjheisler,DC=com CN=ACL-ITDevOps,OU=Security Groups,OU=Groups,DC=johnjheisler,DC=com Thankfully, All we need to do to overcome this is pipe the Get-ADUser cmdlet into a Get-ADGroup cmdlet. Then we can specify the "Name" property off the AD Group objects. PS C:\Users\jheisler> ((Get-ADUser -Identity "jheisler" -Properties "MemberOf").memberof | Get-ADGroup).Name ITTeam ACL_ITDevOps That's it. A quick and clean way to list a user's AD Groups. https://github.com/Snowstuff123/Po...
Read more