HowTo Check when Password Expires in AD with Powershell and CMD

While working on a windows environment, Password Expiration is one of the most common issues that domain users face when logging in due to password group policies.

By default, the Windows domain user account is configured to expire passwords after a specific amount of time-based on the group policy and every user will be notified 2 to 3 weeks prior to the password expiring.

If you miss this notification and don’t change your password, your account will be Locked Out.

As a System Administrator, you will need to keep track of all user accounts and their expiration dates and you will most likely need to update passwords at regular intervals for security reasons.

To prevent users from getting locked out, you should prepare a list of all user accounts along with when the password was last set and when the password will expire next.

Lucky for you, there is an easy way to find all of this information using PowerShell.

In this tutorial, we’ll show you how to check password expiration dates in Active directory with PowerShell.

Check User Password Expiration Date with Net User Command

You can display detailed information of a specific users’ Password Expiration using the following syntax:

net user USERNAME /domain

For example, to display the password expiration information of the user “hitesh” run the following command in the PowerShell:

net user hitesh /domain

Example:

net user /domain

The above command will display user account information such as when the password was last set, when the password expires, and so on.

If you want to filter the output from the above command and display only password expiration dates, then you can use the find command in conjunction with the net user command as shown below:

net user hitesh /domain | find "Password expires"

Example:

Net user /domain | find "Password expires"

Check All User Password Expiration Date with PowerShell

You can also display all user password expiration dates using PowerShell.

For example, to find the Password Expiration Date of all users in your Domain, you can run the following command:

get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

Example:

get-aduser

If you want to display the expiration date rather than the password last set date, run the following command:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Example:

Get-ADUser -filter

Check All User Password Expiration Date with PowerShell Script

If you want to check password expiration dates in Active Directory and display password expiration dates with the number of days until the password expires, you can achieve this by creating a PowerShell script.

You can create the PowerShell script by following the below steps:

1. Open your notepad and add the following codes:

Import-Module ActiveDirectory
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$expiredDate = (Get-Date).addDays(-$MaxPwdAge)
#Set the number of days until you would like to begin notifing the users. -- Do Not Modify --
#Filters for all users who's password is within $date of expiration.
$ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail | select samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}} | Sort-Object PasswordLastSet
$ExpiredUsers

2. Click on the Save as option to save the file.

3. Type a name for the script as user_list.ps1.

4. Click on the Save button to save the file.

Right click on the PowerShell script and click on the Edit button as shown below:

run powershell script

powershell script ISE

Now, click on the Green arrow button to run the script.

You should see the following screen if it ran successfully:

Conclusion

Congratulations!

You are now able to get an Active Directory user account password expiration date using several methods including using the command line and using Powershell!