PowerShell and AD show different user expiration date

active-directorypowershellwindows-server-2012

After running:

Set-ADUser username -AccountExpirationDate "05/18/2017 7:00:00 PM"
Get-ADUser username -Properties AccountExpirationDate

I get this in PowerShell: AccountExpirationDate: 5/18/2017 7:00:00 PM

But user properties shows that the account expires on 5/17/2017.

What causes this?

PowerShell Output

AD Property Settings

Best Answer

Take a test user, and use the MMC GUI to set an account expiraton. Then use Get-adUser to look at the value that is set.When you make GUI choice of 5/19/2017 the Get-Aduser returns 5/20/2017 12:00:00 AM

Notice how the GUI says "End Of" and does not give you a time choice, only date. The "End of" day X here is 0 hundred hours of the next day. Also, date/time properties in AD are always UTC times, and GUI tends to adjust for local time zone offset. https://msdn.microsoft.com/en-us/library/ms675098(v=vs.85).aspx

You can calculate the equivalent GUI choice in powershell with

((get-date "5/19/2017").addDays(1)).toUniversalTime()

Related Solutions

Powershell – Using Powershell to change user properties in XP

The simplest way is to direct ADSI queries to the local WinNT provider - that will return local objects on the system you are interested in. These can be local or remote systems but this will attach to the local account and security objects rather than the AD.

$user = [ADSI]"WinNT://joe-pc/joe"

With that you can then query and modify properties of the $user object.

To set the "Password Doesn't expire" Flag you need to set the relevant flag in the UserFlags attribute. You can find a useful table of these at Motobit here.

To forcibly set Joe's account password from the above example to never expire:

$Never_Expire=0x10000
$user.UserFlags.value=$user.UserFlags.value -bor $Never_Expire

Modifying group memberships is a bit more involved but Microsoft's PowerShell Guy has a step by step walk though for adding Domain User accounts to a Local Group on a system which I think is exactly what you need.

Powershell – List _all_ AD user properties with powershell

There are lot of system properties that might make the exercise you are thinking of less than useful due to a significant amount of extraneous data. Perhaps you could use AD Explorer to identify the attributes that look interesting and use the -Properties parameter to retrieve them for all users.

When you retrieve a user object in AD, it only returns back a subset of the object attributes. You can use the -Properties parameter to force get-user to retrieve other properties. For example: get-aduser jjohnson -Properties pwdlastset would add pwdlastset to the list of properties normally retrieved by get-aduser for the user jjohnson.

Best Answer

Related Solutions

Powershell – Using Powershell to change user properties in XP

Powershell – List _all_ AD user properties with powershell

Related Topic