I am trying to create a module for our support team which will contain some tools we use on a daily basis, but we used CMD until now.

One of the commands we use is `net user $username /domain`, in order to check if the user's password has expired, along with all the other useful details the command outputs.

I tried to put that command in a function like this:

```powershell
function Get-UserDetails {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory=$true)]
        [string]$UserName
    )
    net user $UserName /domain
}
```

The function works fine but I want to filter the output for a few details only. The problem is that `net user` is not a PowerShell cmdlet and it has no properties, so I can't select any of it.

So my question is:

Do you know a better way to get all that data in one command? Because `Get-ADUser` outputs less data than `net user`.

Ansgar Wiechers
RoyW
  • Use `-Properties` with `Get-ADUser` and specify the additional properties you want to see. – Bill_Stewart Jul 13 '18 at 20:08
  • I tried, but `Get-ADUser` properties do not have the Password Expires property – RoyW Jul 13 '18 at 20:18
  • A search for `get-aduser password expiration date` didn't turn up anything useful? – Bill_Stewart Jul 13 '18 at 20:34
  • @RoyW `Get-ADUser *User* -Properties *` will show you every single property pertaining to a user that AD has to offer – Clayton Lewis Jul 13 '18 at 20:40
  • `-Properties *` may not show this one. The required property for password expiration date is `msDS-UserPasswordExpiryTimeComputed`, which does not enumerate for me when I use `-Properties *`, but I can absolutely specify `-Properties msDS-UserPasswordExpiryTimeComputed` and have it return on any resulting `ADUser` objects. – codewario Jul 13 '18 at 20:46
  • (But @BendertheGreatest - I was trying to nudge the OP in the right direction (teachable moment) instead of just handing over the answer.) – Bill_Stewart Jul 13 '18 at 20:52
  • I get that, but in this case the correct answer wouldn't enumerate with that command. And to be honest I'm really not sure why that attribute is omitted from `-Properties *` – codewario Jul 13 '18 at 20:54

1 Answer

You can use `Get-ADUser` and pick the `msDS-UserPasswordExpiryTimeComputed` property from it. Problem is - this property may not enumerate even when using `-Properties *`, so it might not be apparent when trying to inspect the returned object. To make matters even better, the timestamp is not in a human-readable format.

Nonetheless, you can get the password expiration date from the AD cmdlets and also make it human-readable as follows:

```powershell
# Get ADUser
$user = Get-ADUser username -Properties msDS-UserPasswordExpiryTimeComputed

# Get expiry timestamp and convert it from file time format
$userCredExpiryDate = [DateTime]::FromFileTime( $user.'msDS-UserPasswordExpiryTimeComputed' )
```

Here is the MSDN documentation for that AD DS attribute.

For other field values that show up in `net user /domain` but not in `Get-ADUser` - there should be other AD DS attributes you can search on if they don't show up with `-Properties *`. For these you will need to look for the appropriate property in the AD DS documentation.

UPDATE: Someone linked me to this page on another question (related to this behavior) and this seems to list additional properties that are available for processing, but are not returned when trying to look at "all" AD DS properties on an object. I don't know how complete this list is but it is a good starting point for understanding what additional AD attributes you have to work with.

codewario
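
An added example, not part of the original question or answer: the question's `Get-UserDetails` rebuilt on `Get-ADUser` so it returns an object whose fields can be selected, with the two sentinel values of `msDS-UserPasswordExpiryTimeComputed` handled before conversion. `Convert-PasswordExpiry`, the state names and the account name `jdoe` are hypothetical, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example. Convert-PasswordExpiry is a hypothetical helper name.
function Convert-PasswordExpiry {
    param([Nullable[Int64]]$FileTime)
    # The attribute uses two sentinel values that must not go to FromFileTime:
    #   Int64.MaxValue -> password never expires (FromFileTime throws on it)
    #   0 or missing   -> pwdLastSet is 0 or unset, so no expiry date exists
    if ($null -eq $FileTime -or $FileTime -eq 0) {
        return [PSCustomObject]@{ State = 'NoPasswordSetDate'; Date = $null }
    }
    if ($FileTime -eq [Int64]::MaxValue) {
        return [PSCustomObject]@{ State = 'NeverExpires'; Date = $null }
    }
    [PSCustomObject]@{ State = 'Expires'; Date = [DateTime]::FromFileTime($FileTime) }
}

# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
function Get-UserDetails {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$UserName
    )
    $props = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet',
             'PasswordExpired', 'LockedOut', 'LastLogonDate'
    $user   = Get-ADUser -Identity $UserName -Properties $props
    $expiry = Convert-PasswordExpiry -FileTime $user.'msDS-UserPasswordExpiryTimeComputed'

    [PSCustomObject]@{
        SamAccountName      = $user.SamAccountName
        Enabled             = $user.Enabled
        LockedOut           = $user.LockedOut
        PasswordLastSet     = $user.PasswordLastSet
        PasswordExpired     = $user.PasswordExpired
        PasswordExpiryState = $expiry.State
        PasswordExpires     = $expiry.Date
        LastLogonDate       = $user.LastLogonDate
    }
}

# Constructed sample values exercising the helper without a domain controller:
$sample = ([DateTime]'2018-08-01T09:00:00').ToFileTime()
$sample, 0, [Int64]::MaxValue | ForEach-Object { Convert-PasswordExpiry -FileTime $_ }

# Against a real domain ('jdoe' is a placeholder account name):
# Get-UserDetails -UserName jdoe | Select-Object SamAccountName, PasswordExpires, LockedOut
```

Keeping the state separate from the date lets a support tool tell a never-expiring password apart from an account with no password-set date, instead of showing a misleading year-1601 timestamp or failing on conversion.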