view raw
Arbelac Arbelac - 9 months ago 56
PowerShell Question

Account expiry dates or account Never expire for all AD users

While I am running the below command getting

is blank.

Is it possible to get the 'Never expire' instead of blank in

Import-Module ActiveDirectory
$Groups = Get-ADGroup -filter {Name -like "SSL_VPN_LOSTAR_Users" } | Select-Object Name
ForEach ($Group in $Groups) {
Get-ADGroupMember -identity $($ -recursive |
Get-ADUser -Properties samaccountname,mail,AccountExpires |
select samaccountname,mail,@{l="expiration_date";e={[datetime]::fromfiletime($_.accountexpires)}} |
Export-csv -path C:\SSLVPN\SSL_VPN_LOSTAR_Users.csv -NoTypeInformation


The problem is probably when the account never expires the value of AccountExpires is the max. int64 value which results in an ArgumentOutOfRangeException when calling [datetime]::FromFileTime for it.

Therefore try the following - I introduced the helper function accountExpiresToString for better readability of the expression script block but you can pack the function's code directly within the script block if you prefer that.

function accountExpiresToString($accountExpires) {
    if (($_.AccountExpires -eq 0) -or 
        ($_.AccountExpires -eq [int64]::MaxValue)) {
        "Never expires"
    else {

Import-Module ActiveDirectory
ForEach ($Group in $Groups) {
  Get-ADGroupMember ... | 
    Get-ADUser -Properties ...,AccountExpires | 
    Select-Object @{l="expiration_date";e={ accountExpiresToString($_.AccountExpires)}} | 
    Export-Csv ...

Update: If of interest, here is a page on MSDN describing that 0 and 0x7FFFFFFFFFFFFFFF ([int64]::MaxValue) indicates an account that never expires.