
Find Password Expiration Date for Active Directory Users [ Powershell & Free Tools ]


Marc Wilson

Password expiration is one of the most common issues among Active Directory domain users.

Users have to deal with so many passwords at the same time that they often forget to reset them before they expire.

So, what happens when a password expires in Active Directory?

The account will not be locked, but the user will have to change the password before they can access domain resources.

To deal with these inconveniences, the users or, in most cases, the AD domain administrator can look up the user account's password expiration date and other important details.

In this article, we’ll go through two different methods on how to get the password expiration date of a single Active Directory user account or to get an entire list of all users at once.

 

Checking Password Expiration Date with the Net User command

A really easy way to tell when an AD user account password expires is to use the Net User command.

This command is part of the “net commands” that allows you to add, remove, or modify the user account on a computer.

To run “net user,” you need to open the command line interface “cmd” for Windows.

  • Open the search bar and type “cmd” or press the “Windows logo + R” keys to open the Run utility, and type “cmd.”
  • On a command prompt, use the “net user” command with the following additional parameters:
    net user [username] [/DOMAIN], where:

    • [username]: The name of the user account to look up.
    • /DOMAIN: Runs the query against the domain controller of the current domain instead of the local computer.
  • To learn more about the syntax of the command, you can use the “net user /?” command.


  • The following screenshot shows an example.
    With the command “net user test01 /domain,” we can see the password information for the user test01 for local domain TEST.local.

[Screenshot: output of “net user test01 /domain”]

  • Aside from only seeing the password expiration date, you can also see other handy information, such as when the last password was set, when the password can be changed, whether users can change the passwords and more.

List of all AD Users Passwords Expiration Dates with Powershell

The “net user” command can only be helpful for a single user.

But to get the account and password details for all AD user accounts, you need to run a line of PowerShell code.

There is an Active Directory constructed attribute named “msDS-UserPasswordExpiryTimeComputed,” which can help you get the AD accounts and their password expiration time.

To start, make sure that you have the PowerShell ActiveDirectory module installed and running.

This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.

1. Download, install, and load RSAT (Remote Server Administration Tools).

If it is not already installed, you can follow Microsoft’s Tech guide.

2. Make sure that the PowerShell feature is already running.
Press the “Windows logo + R” keys to open the Run utility, and type “Windows PowerShell”.

3. Using the attribute “msDS-UserPasswordExpiryTimeComputed,” you can easily get the password expiration date for a single user, with:

(Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'

4. But this line of code returns a raw number that is not human-readable, so you need to convert the result into a readable date with the following expression, used here as a calculated property:

Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object -Property Name,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


5. Using the same attribute, “msDS-UserPasswordExpiryTimeComputed,” with the right filter, you can get a list of Active Directory accounts and their password expiration times.

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Source code from TechNet Microsoft.
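
The one-liner above passes every value to FromFileTime, but the attribute also carries two sentinel values: 0 (the password must be changed at next logon, which FromFileTime turns into a date in 1601) and 0x7FFFFFFFFFFFFFFF (the password does not expire, which FromFileTime rejects with an exception). The following is an added example, not part of the original article or the TechNet source; the function name Get-PasswordExpiryStatus, the status labels and the sample accounts are assumptions made for illustration.

```powershell
# Added example (not from the original article): classify each account by its
# msDS-UserPasswordExpiryTimeComputed value, handling the two sentinel values.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 14
    )
    begin { $now = Get-Date }
    process {
        # The property must be loaded with -Properties; a missing value casts to 0
        $raw = [long]$User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($raw -eq 0) {
            # pwdLastSet is 0 or empty: password must be changed at next logon
            $status = 'MustChangeAtNextLogon'
        }
        elseif ($raw -eq [long]::MaxValue) {
            # 0x7FFFFFFFFFFFFFFF: no expiry; FromFileTime() would throw here
            $status = 'NeverExpires'
        }
        else {
            $expiry = [datetime]::FromFileTime($raw)
            if ($expiry -le $now) { $status = 'Expired' }
            elseif ($expiry -le $now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Status         = $status
            ExpiryDate     = $expiry
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output, so the
# function can be tried without a domain controller.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'test01'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(5).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'test02'; 'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'test03'; 'msDS-UserPasswordExpiryTimeComputed' = 0 }
    [pscustomobject]@{ SamAccountName = 'svc01';  'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
)
$sample | Get-PasswordExpiryStatus | Sort-Object ExpiryDate | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties msDS-UserPasswordExpiryTimeComputed |
#     Get-PasswordExpiryStatus | Where-Object Status -ne 'OK'
```

The never-expires sentinel is not limited to accounts with PasswordNeverExpires set: it also appears for accounts that require a smart card and when the effective maximum password age is unlimited, so the NeverExpires rows are worth reviewing separately.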


Free Tools & Utilities

After you have found the user password expiration dates, there are a couple of free tools that can help you manage all Active Directory user accounts and computers.

Manage Users and Keep the AD domain clean

The free Solarwinds Active Directory Admin Tools Bundle comes with three tools that help you manage AD accounts and computers.

With this bundle, you can find and remove inactive user accounts and computers, and import users in bulk.


The bundle consists of the following tools:

  • Inactive User Account Removal:
    Find accounts that have never been logged in, used, or have been inactive for a long time. You can export the list and remove all inactive AD accounts.
  • Inactive Computer Removal:
    Find inactive computers, export the list, and remove them.
  • Import Users in Bulk:
    Create AD user accounts in bulk from a CSV or XLS file. You can also create AD accounts and Exchange Mailbox in bulk and simultaneously.

Download:

This tool is 100% free for life from their website. We suggest you download the Solarwinds Active Directory Admin Tools Bundle today and keep your AD domain clean.

 

Automating AD User Password Expiration Notification

Another recommended tool is Lepide Auditor.


This tool comes with a handy feature that automatically reminds Active Directory users when their password is about to expire.

Lepide Auditor helps to automate password account management by getting the information directly from AD. It creates a report and notifies users via email when their AD password expires.

Download:

Lepide Auditor offers a fully functional free trial for 15 days.

 

Final Words

There are two simple methods to get Active Directory users' password expiration dates: the Net User command and a PowerShell attribute.

The Net User command method is used to get the password expiration date for a single user.

For this method, you would also need to access the AD user account or have a user run it from their machine.

The PowerShell command is more powerful and easier to run. As long as you have the PowerShell AD module installed, you can copy/paste the one-line code and get a full list of all the users with their expiration dates.

There are also some tools like the free Solarwinds Active Directory Admin Tools Bundle, which helps you keep your AD clean and automate user accounts creation.

The other useful tool is the commercial software Lepide Auditor, which can help you automate AD password expiration notifications.