Windows Password Expirations
-
Happy Friday everyone, I've been racking my brain on this one. This week I've had many users need password resets out of nowhere. They weren't notified or reminded. When I run a "net user USER /domain" in an elevated command prompt, I get different results than when I run a Get-AdUser command in PowerShell on a domain controller. Am I missing something? Why are there two accounts/passwords it looks like?
Any guidance is much appreciated, and please let me know if you can't see the screenshot I copied. Thank you!
-
@Brian-Fischer , I will see if I can recreate this and provide a solution or point you in the right direction.
-
@Brian-Fischer there do seem to be some differences in which attributes are being checked when using net user and Get-ADUser. Some of these attributes are not synchronized between domain controllers. Here, see if this helps:
https://superuser.com/questions/1625774/net-user-information-vs-get-aduser
-
@wes-bryan thank you very much. When I take the command from the site you provided:
Get-ADUser justin.dermont -Properties 'LastLogonDate','LastLogon' |
    Select *,@{Name = 'logonDate'; Expression = { [DateTime]::FromFileTimeUtc( $_.LastLogon ).ToLocalTime() }}
On one domain controller, I receive a logonDate of 8-11-23 and on another domain controller I see 12-31-1600.
-
lastLogon is a "per domain controller" value. It shows the last time the user authenticated on that specific DC. When you see 12-31-1600, it is equivalent to "never". You really need to be looking at lastLogonTimestamp. Or, you can query lastLogon across every DC in the domain and then look for the latest date.
-
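The per-DC query described in the answer above, as an added example that is not from any poster in this thread: it asks every DC for lastLogon, keeps the newest value, and reports it beside the replicated lastLogonTimestamp and the expiry date AD computes for the password (the constructed attribute msDS-UserPasswordExpiryTimeComputed), which is the list the original poster is after. It assumes the ActiveDirectory module is available and the account running it can read every DC; lastLogonTimestamp is only refreshed when the stored value is older than the domain's msDS-LogonTimeSyncInterval (14 days by default), so it can legitimately trail lastLogon by up to two weeks.

```powershell
# Added example, not the original poster's command.
Import-Module ActiveDirectory

function ConvertFrom-FileTimeValue {
    # Turns a FILETIME Int64 (or $null when the attribute was never set) into a readable value.
    param([AllowNull()][object]$Value, [string]$ZeroMeans = 'Never')
    $ft = [int64]($Value)                     # $null becomes 0
    if ($ft -le 0) { return $ZeroMeans }      # 0 = 1601-01-01 UTC, shown as 12/31/1600 in US time zones
    if ($ft -eq [int64]::MaxValue) { return 'Never' }  # AD uses MaxValue for "password never expires"
    return [DateTime]::FromFileTime($ft)      # FromFileTime already yields local time
}

function Get-UserLogonAndExpiry {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # lastLogon is not replicated, so ask each DC and keep the newest answer.
    $newest = 0; $newestDc = $null
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
            $v = [int64]($u.lastLogon)
            if ($v -gt $newest) { $newest = $v; $newestDc = $dc.HostName }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $_"   # unreachable DC; keep going
        }
    }

    # These values replicate (or are computed), so any DC will do.
    $r = Get-ADUser -Identity $SamAccountName -Properties lastLogonTimestamp, PasswordNeverExpires,
        'msDS-UserPasswordExpiryTimeComputed'
    $expiry = if ($r.PasswordNeverExpires) { 'Never' }
              else { ConvertFrom-FileTimeValue $r.'msDS-UserPasswordExpiryTimeComputed' -ZeroMeans 'Must change at next logon' }

    [pscustomobject]@{
        User                = $SamAccountName
        LastLogon           = ConvertFrom-FileTimeValue $newest
        LastLogonReportedBy = $newestDc
        LastLogonTimestamp  = ConvertFrom-FileTimeValue $r.lastLogonTimestamp
        PasswordExpires     = $expiry
    }
}

# Usage: one account (the name from the thread), then every enabled account sorted by soonest expiry.
Get-UserLogonAndExpiry -SamAccountName 'justin.dermont'
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-UserLogonAndExpiry -SamAccountName $_.SamAccountName } |
    Sort-Object PasswordExpires | Format-Table -AutoSize
```

Querying every DC for every user is slow in a large domain; run the all-users form from a scheduled task rather than interactively, or restrict the filter to the OUs you need to remind.
-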
@Brian-Svidergol thank you. That makes sense. I'm trying to figure out the most accurate way to get a list of password expirations, so I can remind certain users to reset their password so they don't get locked out. That is why I initially put this comment in and am trying to dig deeper. It almost seems like our domain controllers aren't syncing correctly.
-
How could the lastLogon and lastLogonTimestamp be a week off?
I have a user who has the following:
lastLogon: 9-21-23
lastLogonTimestamp: 9-15-23