Find Password Expiration Date for Active Directory Users [ PowerShell & Free Tools ]
UPDATED: September 20, 2023
The Password Expiration Date is often one of the most common issues among Active Directory domain users.
Users have to deal with so many passwords at the same time that they often forget to reset them before they expire.
So, what happens when a password expires in Active Directory?
The account will not be locked, but the user will have to change the password before they can access domain resources.
To deal with these inconveniences, the users or, in most cases, the AD domain administrator can get the user account expiration date and other important details.
Let's go through two distinct methods: getting the password expiration date of a single Active Directory user account, and getting a list of the expiration dates for all users at once.
Here is our list of the best tools to manage Active Directory user accounts:
- SolarWinds Admin Bundle for AD – EDITOR’S CHOICE This package of three tools provides easy ways to check on accounts and clear out dead accounts or bulk upload new entries. This package is completely free to use and installs on Windows Server. Access 30-day free trial.
- ManageEngine ADSelfService Plus – FREE TRIAL Saves Help Desk technician time by letting users reset their own passwords and provides a channel to communicate notifications and password policy. Runs on Windows Server. Start a 30-day free trial.
- ManageEngine ADManager Plus – FREE TRIAL Offers unified Active Directory, Exchange and Office 365 password management, reporting, mailbox automation for IT technicians and administrators. Start a 30-day free trial.
- Lepide Auditor This tool automates account administration in AD and sends users reminders to change their account passwords. This is a cloud-based system.
Checking Password Expiration Date with the Net User command
A really easy way to tell when an AD user account password expires is to use the Net User command.
This command is part of the “net commands” that allow you to add, remove, or modify user accounts on a computer.
To run “net user,” you need to open the command line interface “cmd” for Windows:
- Open the search bar and type “cmd” or press the “Windows logo + R” keys to open the Run utility, and type “cmd.”
On a command prompt, use the “net user” command with the following additional parameters:
net user [username] [/DOMAIN], where:
- [username]: Determines the name of the user account.
- /DOMAIN: Shows information on the user name account running on the particular domain controller.
- To learn more about the syntax of the command, you can use the “net user /?” command.
- The following screenshot shows an example.
With the command “net user test01 /domain,” we can see the password information for the user test01 for local domain TEST.local.
- Aside from only seeing the password expiration date, you can also see other handy information, such as when the last password was set, when the password can be changed, whether users can change the passwords and more.
List of all AD Users Passwords Expiration Dates with PowerShell
The “net user” command can only be helpful for a single user.
But to get the account and password details for all AD user accounts, you need to run a line of PowerShell code.
There is an Active Directory constructed attribute named “msDS-UserPasswordExpiryTimeComputed,” which can help you get the AD accounts and their password expiration time.
To start, make sure that you have the PowerShell ActiveDirectory module installed and running.
This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.
- Download, Install and Load the RSAT (Remote Server Administration Tools). If it is not already installed, you can follow Microsoft’s Tech guide.
- Make sure that the PowerShell feature is already running.
Press the “Windows logo + R” keys to open the Run utility, and type “Windows PowerShell”.
- Using the attribute, “msDS-UserPasswordExpiryTimeComputed,” you can easily get the password expiration date for a single user, with:
(Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'
- But this line of code returns a raw file-time number that is not human readable, so you need to add the following expression to convert the result into a readable format.
{[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
- Running the same attribute “msDS-UserPasswordExpiryTimeComputed,” with the right filter, you can get a list of Active Directory accounts and their password expiration times.
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Source code from TechNet Microsoft.
Free Tools & Utilities
After you have found the user password expiration dates, there are a couple of free tools that can help you manage all Active Directory user accounts and computers.
Our methodology for selecting a password expiration date management tool for AD
We reviewed the market for Active Directory management systems that can identify the expiration dates for accounts and analyzed options based on the following criteria:
- A fast scan of AD user accounts
- The option to search for a specific account
- An option to identify abandoned accounts
- Systems that notify users of expiring passwords
- A method to communicate password policies to users
- A free tool or a free trial that enables the service to be used for free for a time
- A system that will improve efficiency and save money
With these selection criteria in mind, we identified some key Active Directory utilities, which can be used in combination to create a tight user account password management system that prevents inactive accounts from accumulating.
Manage Users and Keep the AD domain clean
SolarWinds Admin Bundle for AD – 100% Free Download
The free SolarWinds Admin Bundle for Active Directory comes with three tools that help you manage AD accounts and computers.
Key features:
- A suite of tools designed for sysadmins
- Can highlight old accounts for removal
- Aids in auditing user account access
Feature Distinction
What makes SolarWinds Admin Bundle for AD stand out from its alternatives is its free suite of AD management tools designed to enhance AD environments.
Why do we recommend it?
We recommend SolarWinds Admin Bundle for its ability to manage AD accounts efficiently. If you are looking to maintain a clean and organized AD environment, this tool gives you valuable features to check on accounts, clear out dead accounts, and bulk upload new entries.
With this bundle, you can find and remove inactive user accounts and computers, and import users in bulk.
The bundle consists of the following tools:
- Inactive User Account Removal Find accounts that have never been logged in, used, or have been inactive for a long time. You can export the list and remove all inactive AD accounts.
- Inactive Computer Removal Find inactive computers, export the list, and remove them.
- Import Users in Bulk Create AD user accounts in bulk from a CSV or XLS file. You can also create AD accounts and Exchange Mailbox in bulk and simultaneously.
Who is it recommended for?
SolarWinds Admin Bundle for AD is suitable for sysadmins managing a small-to-medium number of AD accounts and computers.
Pros:
- A small suite of tools that add additional features to the default access control in AD
- Helps speed up routine access management tasks when on/offboarding users
- Is completely free – great for smaller environments
Cons:
- Larger networks may require more features
Download: This tool is 100% free for life from their website. We suggest you download the SolarWinds Admin Bundle for Active Directory today and keep your AD domain clean.
EDITOR'S CHOICE
SolarWinds Admin Bundle for AD is our top pick for an AD account management tool because it is completely free to use but it has all the qualities of a system that is worth paying for. This system saves you a lot of time with your AD administration tasks because it can locate dead accounts, both those for users and permissions entries for devices. There is also a handy account bulk upload tool in the package, which is one of the few AD uploaders that actually works the first time.
Download: Free Tool
Official Site: https://www.solarwinds.com/free-tools/active-directory-admin-tools-bundle
OS: Windows Server
ManageEngine ADSelfService Plus – FREE TRIAL
ManageEngine ADSelfService Plus offers users the opportunity to reset their own passwords.
Key features:
- Self-password reset portal for users
- Easy to deploy and scale
- Various password reset reminder options
Feature Distinction
What sets ADSelfService Plus apart from other AD management tools is its focus on self-service and multiple password policy enforcement options.
Why do we recommend it?
This tool is recommended as one of the best tools to manage Active Directory user accounts due to its emphasis on IT admin supervision. In addition, it has all the necessary features to manage passwords, including its self-service password reset portal, multi-factor authentication, and password reset reminders.
ManageEngine ADSelfService Plus creates an app portal for each user, based on information in AD. This access system can be delivered in Web format and as a mobile app.
Once the user signs in to the portal, access is granted to all authorized apps without needing to sign in again. The portal provides the opportunity to impose 2FA and it also delivers information on password policies and reasons for lockouts.
These features save a lot of time for support technicians by removing many Help Desk calls and automating credentials-related tasks.
Who is it recommended for?
ManageEngine ADSelfService Plus is recommended for businesses of all sizes, especially those with Help Desk, IT administrators, and technicians. The tool is a great option for those help desk teams looking to improve their password management.
Pros:
- Empowers users to change their own passwords – eliminating extra tickets
- Offers a variety of password policy enforcement options
- Supports multi-factor authentication
- Syncs passwords in real-time across the cloud and on-premises AD
Cons:
- Best suited for small to medium-sized helpdesk teams
You can assess this system for Windows Server with a 30-day free trial.
Download: https://www.manageengine.com/products/self-service-password/download.html
Automating AD User Password Expiration Notification
ManageEngine ADManager Plus – FREE TRIAL
ManageEngine ADManager Plus provides a system of AD management automation through a series of templates and these include password reset and expiration management.
Key features:
- Supports both AD and Office 365
- Includes detailed password policy reports for auditing
- Offers various user account automation features
Why do we recommend it?
ManageEngine ADSelfService Plus is recommended as one of the best tools to manage Active Directory user accounts because of its exceptional customer service and technical support. In addition, this solution provides fantastic automation capabilities in AD management, including password reset and expiration management.
The ADManager Plus system provides a better interface for Active Directory management than the native AD administration screens. This system lets you synchronize the coordination of DCs for different products, such as network resources and cloud services, including Microsoft 365.
The tool lets you search through attributes of user accounts, such as password statuses and those searches can be automated and run by the software continuously. This creates an alert condition that will let you know when a password expires. You can also use automation to write records to compliance logs.
Pros:
- Unifies the management of several AD DCs
- Provides task automation and alerts
- Includes activity logging for compliance reporting
Cons:
- Not available as a SaaS package
Who is it recommended for?
This tool is recommended for businesses of varying sizes and industries, including retail, healthcare, government, and IT services. Specifically, ADSelfService Plus is well-suited for organizations looking for an efficient solution for AD management.
Download: Get a 30-day free trial of ADManager Plus.
Lepide Auditor
Another recommended tool is Lepide Auditor. This tool comes with a handy feature that automatically reminds Active Directory users when their password is about to expire.
Key features:
- Automated account creation, removal, and modification
- Scales well as a cloud product
- Password reminder messaging management
Why do we recommend it?
Lepide Auditor is recommended for its user-friendly interface, ease of installation, and effectiveness in auditing IT administration. Its ability to efficiently capture and manage audit data makes it a valuable choice if your business is seeking robust AD management.
Lepide Auditor helps to automate password account management by getting the information directly from AD. It creates a report and notifies users via email when their AD password expires.
Who is it recommended for?
Lepide Auditor is recommended for IT professionals and departments within mid-sized to large organizations. It is particularly useful in industries like IT services, manufacturing, and telecommunications, to help them stay on top of security measures and compliance.
Pros:
- A simple way to see last login, name and CN path of multiple accounts at once
- Can quickly create CSVs or HTML format reports
- A simple wizard makes it easy to set custom threshold-based alerts
Cons:
- Similar tools allow for more functionality like bulk password changes and unlocks
Download: Lepide Auditor offers a fully functional free trial for 15 days.
Conclusion
There are two simple methods to get Active Directory users' password expiration dates: the Net User command and a PowerShell attribute:
- The Net User command method is used to get the password expiration date for a single user. For this method, you would also need to access the AD user account or have a user run it from their machine.
- The PowerShell command is more powerful and easier to run. As long as you have the PowerShell AD module installed, you can copy/paste the one-line code and get a full list of all the users with their expiration dates.
There are also some tools, like the free SolarWinds Admin Bundle for Active Directory, which help you keep your AD clean and automate user account creation.
The other useful tool is the commercial software Lepide Auditor, which can help you automate AD password expiration notifications.
Password Expiration FAQs
Can Active Directory send email when password expires?
Active Directory can be set up to notify users when their passwords are about to expire. However, this will appear as a system notification and only when the user logs in to the corporate network. It is possible to use a PowerShell script to detect upcoming expiration and generate an email to each user. However, there is no automated process for this action within Active Directory.
How do I generate password expiration for a user in Active Directory PowerShell?
Get a list of AD user accounts and their expiration dates with the following PowerShell script:
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
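The one-liner above converts every value with FromFileTime(), which misreports accounts whose computed expiry is 0 and throws on the "no expiry" sentinel. The following added example (not from the original article or TechNet) handles both cases and keeps only accounts that are expired or expiring within a window, which is the detection step the email FAQ above refers to. The function name Get-ExpiringPassword, the 14-day window, and the status labels are assumptions made for illustration.

```powershell
# Added example. Get-ExpiringPassword is a hypothetical helper name, not a cmdlet
# from the ActiveDirectory module. Requires RSAT and read access to the domain.
Import-Module ActiveDirectory

function Get-ExpiringPassword {
    param(
        [int]$WithinDays = 14,      # assumed notification window
        [string]$SearchBase         # optional OU distinguished name
    )
    $attr  = 'msDS-UserPasswordExpiryTimeComputed'
    $query = @{
        Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
        Properties = 'DisplayName', 'mail', $attr
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $now   = Get-Date
    $limit = $now.AddDays($WithinDays)

    Get-ADUser @query | ForEach-Object {
        $raw    = [int64]$_.$attr   # a missing attribute casts to 0
        $expiry = $null
        if ($raw -eq 0) {
            # pwdLastSet is 0: the user must change the password at next logon.
            $status = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [int64]::MaxValue) {
            # Sentinel for "no expiry" (for example, the effective policy has no
            # maximum age). [datetime]::FromFileTime() throws on this value.
            $status = 'NoExpiry'
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            if     ($expiry -lt $now)   { $status = 'Expired' }
            elseif ($expiry -le $limit) { $status = 'ExpiringSoon' }
            else                        { return }   # not due yet, skip
        }
        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            DisplayName    = $_.DisplayName
            Mail           = $_.mail
            Status         = $status
            ExpiryDate     = $expiry
        }
    }
}

# Accounts needing attention in the next 14 days, soonest first.
Get-ExpiringPassword -WithinDays 14 | Sort-Object ExpiryDate | Format-Table -AutoSize
```

Rows with the status NoExpiry are worth reviewing on their own, since they are enabled accounts that pass the PasswordNeverExpires filter yet still never age out.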