Get-ADUser "msDS-UserPasswordExpiryTimeComputed" value empty


Hello,

Problem

When running the following PowerShell script under a normal user with domain admin / enterprise admin rights, there is no result in the "expirydate" output:

Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Also, running the following command, net user adm-xxx /domain, gives the following error:

c:\users\adm-xxx>net user adm-xxx/domain
system error 5 has occurred.

access denied.

Workaround

When I run the PowerShell or cmd window with elevated permissions (Run as administrator), I get the desired results. Under the built-in Administrator account, I also get the desired results. I tried the following solutions:

  • Disable UAC on the DC
  • Add the user object to the groups the built-in Administrator is in

Nothing seems to work.

What do you guys think? Bug or expected behaviour?

With kind regards,

Max


It seems permissions have been modified on the msDS-UserPasswordExpiryTimeComputed attribute in AD. I have no problem retrieving values for the attribute when I log on as a normal domain user with no special permissions or group memberships.

Richard Mueller - MVP Directory Services
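
An added example, not code from either poster: it classifies the raw msDS-UserPasswordExpiryTimeComputed value before converting it, so an attribute that was not returned (the case in the question) is reported separately from the 0 and 0x7FFFFFFFFFFFFFFF sentinel values, and it prints whether the session is elevated. The function names and the sample values are constructed for illustration.

```powershell
# Added example: hypothetical helpers, not part of the ActiveDirectory module.
function Convert-PasswordExpiry {
    param(
        [string]$Name,
        $RawValue   # value as returned by Get-ADUser, or $null if not returned
    )
    $status = 'Expires'
    $expiry = $null
    if ($null -eq $RawValue) {
        # Attribute absent from the result: unelevated token or denied read.
        $status = 'NotReturned'
    }
    elseif ([int64]$RawValue -eq 0) {
        # pwdLastSet is 0 or unset: password must be changed at next logon.
        $status = 'PwdLastSetZero'
    }
    elseif ([int64]$RawValue -eq [int64]::MaxValue) {
        # 0x7FFFFFFFFFFFFFFF: no expiry; FromFileTime() would throw on it.
        $status = 'NeverExpires'
    }
    else {
        $expiry = [datetime]::FromFileTime([int64]$RawValue)
    }
    [pscustomobject]@{
        DisplayName = $Name
        Status      = $status
        ExpiryDate  = $expiry
    }
}

function Test-Elevated {
    # True only when the current token carries the Administrators group enabled.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Constructed sample input standing in for Get-ADUser output.
$sample = @(
    @{ Name = 'User A'; Raw = 133500000000000000 }
    @{ Name = 'User B'; Raw = [int64]::MaxValue }
    @{ Name = 'User C'; Raw = 0 }
    @{ Name = 'User D'; Raw = $null }
)

"Elevated session: $(Test-Elevated)"
$sample | ForEach-Object {
    Convert-PasswordExpiry -Name $_.Name -RawValue $_.Raw
} | Format-Table -AutoSize
```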





