You can use PowerShell to get pretty much anything you want out of Active Directory. Let’s say you want to see when a user last changed their password. You can use the Get-ADUser cmdlet to obtain any attribute for a user in the Active Directory schema. To use Get-ADUser, you’ll need to define a scope. In this example, we’ll do so using the -Filter option and filter for everyone, using an *. That could be a lot of data, so we’re also going to look for the PasswordLastSet property, or attribute, using the -Properties option:
Get-ADUser -Filter * -Properties PasswordLastSet
We can then add a little more logic and pipe the output to a conditional statement that just looks at who hasn’t ever changed their password.
Get-ADUser -Filter * -Properties PasswordLastSet | Where { $_.PasswordLastSet -eq $null }
A more common task is to look for passwords that were last set 90 or more days ago, using “(Get-Date).AddDays(-90)” in our filter. We don’t want to display disabled users, so we could do something like this (note the curly brackets allow us to compound the search):
$90days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {(PasswordLastSet -le $90days) -and (Enabled -eq $True)}
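The two checks above (never-set and older-than-90-days passwords on enabled accounts) can be combined into one report. This is an added example, not code from the original post; the function name Get-PasswordAgeReport, its parameters, and the sample accounts are assumptions made for illustration, and the sample objects are constructed so the script runs without a domain.

```powershell
# Added example: classify enabled accounts by password age.
# Accepts Get-ADUser output or any object with the same property names.
function Get-PasswordAgeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,
        [int]$MaxAgeDays = 90,            # hypothetical parameter: age threshold in days
        [datetime]$AsOf = (Get-Date)      # hypothetical parameter: reference date
    )
    process {
        # Skip disabled accounts, as the filter above does
        if (-not $User.Enabled) { return }

        if ($null -eq $User.PasswordLastSet) {
            # No PasswordLastSet value: the password has never been set
            $status = 'NeverSet'
            $age    = $null
        } else {
            $age    = [int][math]::Floor(($AsOf - $User.PasswordLastSet).TotalDays)
            $status = if ($age -ge $MaxAgeDays) { 'Stale' } else { 'OK' }
        }

        # Report only the accounts that need attention
        if ($status -ne 'OK') {
            [pscustomobject]@{
                SamAccountName       = $User.SamAccountName
                Status               = $status
                AgeDays              = $age
                PasswordNeverExpires = [bool]$User.PasswordNeverExpires
            }
        }
    }
}

# Constructed sample accounts (not real data) so the example runs offline
$asOf = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; Enabled = $true;  PasswordLastSet = [datetime]'2024-05-01'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';   Enabled = $true;  PasswordLastSet = [datetime]'2023-01-15'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'carol'; Enabled = $true;  PasswordLastSet = $null;                  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'dave';  Enabled = $false; PasswordLastSet = [datetime]'2020-03-01'; PasswordNeverExpires = $false }
)
$sample | Get-PasswordAgeReport -AsOf $asOf | Sort-Object AgeDays -Descending | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Get-PasswordAgeReport
```

Stale accounts that also have PasswordNeverExpires set are worth reviewing first, since no expiry policy will ever force a change on them.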