Anyway, the date when the computer account password was last set is stored in an AD attribute called pwdLastSet. It's stored as a large integer (Intt64) and represents the number of 100-nanosecond increments since midnight, Jan 1st, 1601, a huge number. The idea is to figure out how many days have elapsed between the stored date and today, giving the age of the password. I've shown you how to do this with Perl in the article: Find Old Computer Accounts using Perl.
Boy is it a heck of a lot easier to do in PowerShell! The big difference is that .Net handles the conversion from a large integer to a date in one call, and PowerShell has some date match functions that make it easy to compare the dates. There's a bunch of code in the Perl version just to figure out how many days have passed since Jan 1, 1601, including how many leap years and all that nonsense. PowerShell's New-TimeSpan cmdLet does that for you. Sweet.
This script searches for computer accounts in Active Directory, gets the pwdLastSet attribute, converts it to a date and calculates the difference, in days, between then and now. It then returns the name of the computer and the password age in days, if it's older than 60 days.
- Backup DFS Namespaces Using PowerShell
- Translate Active Directory Name Formats Using PowerShell
- List Linux Users in Active Directory Using PowerShell
- Enable Trust for Delegation in Active Directory Using PowerShell
- TCP/IP Subnet Math with PowerShell - What AD Site is that Server in?
- List Sites and Subnets in Active Directory with PowerShell
- Find Disabled Users in Active Directory with PowerShell
- List Forest-wide Group Memberships with PowerShell
- Find Old Computer Accounts in AD with PowerShell
- List SPNs in Active Directory with PowerShell
- List Domain Controllers in Active Directory