HowTo Check When Password Expires In AD [ Powershell & CMD ]

While working on a windows environment, Password Expiration is one of the most common issues that domain users face when logging in due to password group policies.

By default, the Windows domain user account is configured to expire passwords after a specific amount of time-based on the group policy and every user will be notified 2 to 3 weeks prior to the password expiring.

If you miss this notification and don’t change your password, your account will be Locked Out.

As a System Administrator, you will need to keep track of all user accounts and their expiration dates and you will most likely need to update passwords at regular intervals for security reasons.

To prevent users from getting locked out, you should prepare a list of all user accounts along with when the password was last set and when the password will expire next.

Lucky for you, there is an easy way to find all of this information using PowerShell.

In this tutorial, we’ll show you how to check password expiration dates in Active directory with PowerShell.

Check User Password Expiration Date with Net User Command

You can display detailed information of a specific users’ Password Expiration using the following syntax:

net user USERNAME /domain

For example, to display the password expiration information of the user “hitesh” run the following command in the PowerShell:

net user hitesh /domain

Example:

The above command will display user account information such as when the password was last set, when the password expires, and so on.

If you want to filter the output from the above command and display only password expiration dates, then you can use the find command in conjunction with the net user command as shown below:

net user hitesh /domain | find "Password expires"

Example:

Check All User Password Expiration Date with PowerShell

You can also display all user password expiration dates using PowerShell.

For example, to find the Password Expiration Date of all users in your Domain, you can run the following command:

get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

Example:

If you want to display the expiration date rather than the password last set date, run the following command:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Example:

Check All User Password Expiration Date with PowerShell Script

If you want to check password expiration dates in Active Directory and display password expiration dates with the number of days until the password expires, you can achieve this by creating a PowerShell script.

You can create the PowerShell script by following the below steps:

1. Open your notepad and add the following codes:

Import-Module ActiveDirectory $MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days $expiredDate = (Get-Date).addDays(-$MaxPwdAge) #Set the number of days until you would like to begin notifing the users. -- Do Not Modify -- #Filters for all users who's password is within $date of expiration. $ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail | select samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}} | Sort-Object PasswordLastSet $ExpiredUsers

2. Click on the Save as option to save the file.

3. Type a name for the script as user_list.ps1.

4. Click on the Save button to save the file.

Right click on the PowerShell script and click on the Edit button as shown below:

Now, click on the Green arrow button to run the script.

You should see the following screen if it ran successfully:

Use ManageEngine ADSelfService Plus

A simpler option is to use an advanced tool called the ManageEngine ADSelfService Plus that allows users to reset their passwords, without requiring the help of IT technicians. It automatically connects with AD and prompts users to change their passwords when they are about to expire. This tool is easy to use, and almost any employee can change their password within minutes. As a result, IT administrators are freed from the burden of regularly checking password expiration and updating them as needed.

More importantly, it generates reports that inform administrators which passwords were changed and when. These reports boost security and help with auditing and compliance. All these features together save time and effort for administrators while increasing the Return on Investment (ROI) for organizations. At the same time, it provides more control to employees over their passwords and security.

Download this tool to start a 30-day free trial.

ManageEngine ADSelfService Plus Start a 30-day FREE Trial

Conclusion

Congratulations!

You are now able to get an Active Directory user account password expiration date using several methods including using the command line and using Powershell!

There are also a number of tools that offer automated password expiration reminders – see this list of free Active Directory tools.