
Find Password Expiration Date for Active Directory Users [ PowerShell & Free Tools ]

Marc Wilson

The Password Expiration Date is often one of the most common issues among Active Directory domain users.

Users have to deal with so many passwords at the same time that they often forget to reset them before they expire.

So, what happens when a password expires in Active Directory?

The account will not be locked, but the user will have to change the password before they can access domain resources.

To deal with these inconveniences, the users or, in most cases, the AD domain administrator can get the user account expiration date and other important details.

Let's go through two distinct methods: getting the password expiration date of a single Active Directory user account, and then getting a list for all users at once.

Checking Password Expiration Date with the Net User command

A really easy way to tell when an AD user account password expires is to use the Net User command.

This command is part of the “net commands” that allow you to add, remove, or modify user accounts on a computer.

To run “net user,” you need to open the command line interface “cmd” for Windows:

  • Open the search bar and type “cmd” or press the “Windows logo + R” keys to open the Run utility, and type “cmd.”
  • On a command prompt, use the “net user” with the following additional parameters:
    net user [username] [/DOMAIN], where:

    • [username]: Determines the name of the user account.
    • /DOMAIN: Performs the operation on a domain controller of the current domain rather than on the local computer.
    • To learn more about the syntax of the command, you can use the “net user /?” command.

    • For example, with the command “net user test01 /domain,” we can see the password information for the user test01 in the local domain TEST.local.

    • Aside from only seeing the password expiration date, you can also see other handy information, such as when the last password was set, when the password can be changed, whether users can change the passwords and more.

    List of all AD Users Passwords Expiration Dates with PowerShell

    The “net user” command can only be helpful for a single user.

    But to get the account and password details for all AD user accounts, you need to run a line of PowerShell code.

    There is an Active Directory constructed attribute named “msDS-UserPasswordExpiryTimeComputed,” which can help you get the AD accounts and their password expiration time.

    To start, make sure that you have the PowerShell ActiveDirectory module installed and running.

    This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.

    1. Download, Install and Load the RSAT (Remote Server Administration Tools). If it is not already installed, you can follow Microsoft’s Tech guide.
    2. Make sure that the PowerShell feature is already running.
      Press the “Windows logo + R” keys to open the Run utility, and type “Windows PowerShell”.
    3. Using the attribute “msDS-UserPasswordExpiryTimeComputed,” you can easily get the password expiration date for a single user with:
      (Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'
    4. But this line of code returns output that is not human-readable, so you need to add the following line to convert the results into a readable format.
      {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
    5. Running the same attribute “msDS-UserPasswordExpiryTimeComputed,” with the right filter, you can get a list of Active Directory accounts and their password expiration times.

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

    Source code from TechNet Microsoft.
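An added example (not from the original article or from TechNet): the one-liner above misbehaves on two sentinel values of msDS-UserPasswordExpiryTimeComputed, namely 0 (password must be changed at next logon) and 9223372036854775807 (no expiry applies, and FromFileTime throws on it). This version classifies those cases and computes the days left; the function names and the 14-day warning window are assumptions for illustration.

```powershell
# Added example, not the article's code. Function names and the default
# 14-day warning window are illustrative assumptions.
Import-Module ActiveDirectory

function Resolve-PasswordExpiry {
    param([long]$Raw, [datetime]$Now, [int]$WarnDays)
    # 0x7FFFFFFFFFFFFFFF: no expiry applies (for example smart-card-required
    # accounts or a policy with no maximum age). FromFileTime() throws on it.
    if ($Raw -eq [long]::MaxValue) { return @{ Status = 'NeverExpires'; Expiry = $null } }
    # 0: pwdLastSet is 0, so the password must be changed at next logon.
    # FromFileTime(0) would print a bogus date in the year 1601.
    if ($Raw -eq 0) { return @{ Status = 'MustChangeAtNextLogon'; Expiry = $null } }

    $expiry = [datetime]::FromFileTime($Raw)   # converted to local time
    if ($expiry -le $Now) { return @{ Status = 'Expired'; Expiry = $expiry } }
    if ($expiry -le $Now.AddDays($WarnDays)) { return @{ Status = 'ExpiringSoon'; Expiry = $expiry } }
    return @{ Status = 'OK'; Expiry = $expiry }
}

function Get-PasswordExpiryReport {
    param([int]$WarnDays = 14)
    $attr = 'msDS-UserPasswordExpiryTimeComputed'
    $now  = Get-Date
    # PasswordNeverExpires accounts are kept on purpose so they show up in the report.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties DisplayName, $attr |
        ForEach-Object {
            $r = Resolve-PasswordExpiry -Raw $_.$attr -Now $now -WarnDays $WarnDays
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                DisplayName    = $_.DisplayName
                Status         = $r.Status
                ExpiryDate     = $r.Expiry
                DaysLeft       = if ($r.Expiry) { [int][math]::Floor(($r.Expiry - $now).TotalDays) }
            }
        }
}

# Accounts that need attention, most urgent first.
Get-PasswordExpiryReport -WarnDays 14 |
    Where-Object { $_.Status -in 'Expired', 'ExpiringSoon', 'MustChangeAtNextLogon' } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```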

    Free Tools & Utilities

    After you have found the user password expiration dates, there are a couple of free tools that can help you manage all Active Directory user accounts and computers.

    Manage Users and Keep the AD domain clean

    SolarWinds Admin Bundle for AD – 100% Free Download

    The free SolarWinds Admin Bundle for Active Directory comes with three tools that help you manage AD accounts and computers.

    With this bundle, you can find and remove inactive user accounts and computers, and import users in bulk.

    The bundle consists of the following tools:

    • Inactive User Account Removal Find accounts that have never been logged in, used, or have been inactive for a long time. You can export the list and remove all inactive AD accounts.
    • Inactive Computer Removal Find inactive computers, export the list, and remove them.
    • Import Users in Bulk Create AD user accounts in bulk from a CSV or XLS file. You can also create AD accounts and Exchange Mailbox in bulk and simultaneously.

    Download:

    This tool is 100% free for life from their website. We suggest you download the SolarWinds Admin Bundle for Active Directory today and keep your AD domain clean.

    Automating AD User Password Expiration Notification

    Another recommended tool is Lepide Auditor.

    This tool comes with a handy feature that automatically reminds Active Directory users when their password is about to expire.

    Lepide Auditor helps automate account password management by getting the information directly from AD. It creates a report and notifies users via email when their AD password expires.

    Download:

    Lepide Auditor offers a fully functional free trial for 15 days.

    Conclusion

    There are two simple methods to get the password expiration date of Active Directory users: the Net User command and a PowerShell attribute.

    1. The Net User command method is used to get the password expiration date for a single user. For this method, you would also need to access the AD user account or have a user run it from their machine.
    2. The PowerShell command is more powerful and easier to run. As long as you have the PowerShell AD module installed, you can copy/paste the one-line code and get a full list of all the users with their expiration dates.

    There are also some tools, like the free SolarWinds Admin Bundle for Active Directory, which help you keep your AD clean and automate user account creation.

    The other useful tool is the commercial software Lepide Auditor, which can help you automate AD password expiration notifications.

    Password Expiration FAQs

    Can Active Directory send email when password expires?

    Active Directory can be set up to notify users when their passwords are about to expire. However, this will appear as a system notification and only when the user logs in to the corporate network. It is possible to use a PowerShell script to detect upcoming expiration and generate an email to each user. However, there is no automated process for this action within Active Directory.

    How do I generate password expiration for a user in Active Directory PowerShell?

    Get a list of AD user accounts and their expiration dates with the following PowerShell script:
    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

    Can you see a user's password in Active Directory?

    No, an administrator cannot see a user’s password. However, it is possible to reset that user’s password. That mechanism would allow a rogue administrator to take control of an account.