Password expiration is one of the most common issues faced by Active Directory domain users.

Users have to deal with so many passwords at the same time that they often forget to reset them before they expire.

So, what happens when a password expires in Active Directory?

The account will not be locked, but the user will have to change the password before they can access domain resources.

To deal with these inconveniences, the users or, in most cases, the AD domain administrator can look up the user account's password expiration date and other important details.

Let's go through two distinct methods: getting the password expiration date of a single Active Directory user account, and then getting a list of all users at once.

Here is our list of the best tools to manage Active Directory user accounts:

  1. SolarWinds Admin Bundle for AD – EDITOR'S CHOICE This package of three tools provides easy ways to check on accounts and clear out dead accounts or bulk upload new entries. This package is completely free to use and installs on Windows Server. Access 30-day free trial.
  2. ManageEngine ADSelfService Plus – FREE TRIAL Saves Help Desk technician time by letting users reset their own passwords and provides a channel to communicate notifications and password policy. Runs on Windows Server. Start a 30-day free trial.
  3. Lepide Auditor This tool automates account administration in AD and sends users reminders to change their account passwords. This is a cloud-based system.

Checking Password Expiration Date with the Net User command

A really easy way to tell when an AD user account password expires is to use the Net User command.

This command is part of the "net commands" that allows you to add, remove, or modify the user account on a computer.

To run "net user," you need to open the command line interface "cmd" for Windows:

  • Open the search bar and type "cmd" or press the "Windows logo + R" keys to open the Run utility, and type "cmd."

At the command prompt, use "net user" with the following additional parameters:

    net user [username] [/DOMAIN]

where:

  • [username]: Determines the name of the user account.
  • /DOMAIN: Shows information on the user name account running on the particular domain controller.
  • To learn more about the syntax of the command, you can use the "net user /?" command.

  • For example, with the command "net user test01 /domain," we can see the password information for the user test01 in the local domain TEST.local.

  • Aside from the password expiration date, you can also see other handy information, such as when the password was last set, when the password can be changed, whether the user can change the password, and more.

List of all AD Users Passwords Expiration Dates with PowerShell

The "net user" command can only be helpful for a single user.

But to get the account and password details for all AD user accounts, you need to run a line of PowerShell code.

There is an Active Directory constructed attribute named "msDS-UserPasswordExpiryTimeComputed," which can help you get the AD accounts and their password expiration time.

To start, make sure that you have the PowerShell ActiveDirectory module installed and running.

This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.

  1. Download, Install and Load the RSAT (Remote Server Administration Tools). If it is not already installed, you can follow Microsoft's Tech guide.
  2. Make sure that the PowerShell feature is already running.
    Press the "Windows logo + R" keys to open the Run utility, and type "Windows PowerShell".
  3. Using the attribute "msDS-UserPasswordExpiryTimeComputed," you can easily get the password expiration date for a single user with:
    (Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'
  4. But this line of code returns the value in a form that is not human-readable, so you need to add the following expression to convert the result into a readable format.
    {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
  5. Using the same attribute, "msDS-UserPasswordExpiryTimeComputed," with the right filter, you can get a list of Active Directory accounts and their password expiration times.

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Source code from TechNet Microsoft.

Free Tools & Utilities

After you have found the user password expiration dates, there are a couple of free tools that can help you manage all Active Directory user accounts and computers.

Manage Users and Keep the AD domain clean

SolarWinds Admin Bundle for AD – 100% Free Download

The free SolarWinds Admin Bundle for Active Directory comes with three tools that help you manage AD accounts and computers.

With this bundle, you can find and remove inactive user accounts and computers, and import users in bulk.

The bundle consists of the following tools:

  • Inactive User Account Removal Find accounts that have never been logged in, used, or have been inactive for a long time. You can export the list and remove all inactive AD accounts.
  • Inactive Computer Removal Find inactive computers, export the list, and remove them.
  • Import Users in Bulk Create AD user accounts in bulk from a CSV or XLS file. You can also create AD accounts and Exchange Mailbox in bulk and simultaneously.

Download: This tool is 100% free for life from their website. We suggest you download SolarWinds Admin Bundle for Active Directory today and keep your AD domain clean.

EDITOR'S CHOICE

SolarWinds Admin Bundle for AD is our top pick for an AD account management tool because it is completely free to use but has all the qualities of a system that is worth paying for. This system saves you a lot of time with your AD administration tasks because it can locate dead accounts, both those for users and permissions entries for devices. There is also a handy account bulk upload tool in the package, which is one of the few AD uploaders that actually works the first time.

OS: Windows Server

ManageEngine ADSelfService Plus – FREE TRIAL

ManageEngine ADSelfService Plus offers users the opportunity to reset their own passwords.

ManageEngine ADSelfService Plus creates an app portal for each user, based on information in AD. This access system can be delivered in Web format and as a mobile app.

Once the user signs in to the portal, access is granted to all authorized apps without needing to sign in again. The portal provides the opportunity to impose 2FA and it also delivers information on password policies and reasons for lockouts.

These features save a lot of time for support technicians by removing many Help Desk calls and automating credentials-related tasks.

You can assess this system for Windows Server with a 30-day free trial.

Download: https://www.manageengine.com/products/self-service-password/download.html

Automating AD User Password Expiration Notification

Lepide Auditor

Another recommended tool is Lepide Auditor.

This tool comes with a handy feature that automatically reminds Active Directory users when their password is about to expire.

Lepide Auditor helps to automate password management for accounts by getting the information directly from AD. It creates a report and notifies users via email when their AD password expires.

Download: Lepide Auditor offers a fully functional free trial for 15 days.

Conclusion

There are two simple methods to get the password expiration date of Active Directory users: the Net User command and a PowerShell attribute:

  1. The Net User command method is used to get the password expiration date for a single user. For this method, you would also need to access the AD user account or have a user run it from their machine.
  2. The PowerShell command is more powerful and easier to run. As long as you have the PowerShell AD module installed, you can copy/paste the one-line code and get a full list of all the users with their expiration dates.

There are also some tools, like the free SolarWinds Admin Bundle for Active Directory, which help you keep your AD clean and automate user account creation.

The other useful tool is the commercial software Lepide Auditor, which can help you automate AD password expiration notifications.

Password Expiration FAQs

Can Active Directory send email when password expires?

Active Directory can be set up to notify users when their passwords are about to expire. However, this will appear as a system notification and only when the user logs in to the corporate network. It is possible to use a PowerShell script to detect upcoming expiration and generate an email to each user. However, there is no automated process for this action within Active Directory.
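The detection half of such a script, as an added example that is not code from the original article or from Microsoft. It extends the Get-ADUser one-liner shown earlier by handling the two special values of "msDS-UserPasswordExpiryTimeComputed" that do not represent a real date; the 14-day window, the helper name Convert-ExpiryTime and the output column names are assumptions made for this example.

```powershell
# Added example: list enabled accounts whose password expires within $WarnDays.
# Requires the ActiveDirectory module (RSAT). $WarnDays, Convert-ExpiryTime and
# the output column names are assumptions chosen for this example.
Import-Module ActiveDirectory

$WarnDays = 14
$Now      = Get-Date
$Never    = [Int64]::MaxValue   # 0x7FFFFFFFFFFFFFFF: the password does not expire

function Convert-ExpiryTime {
    # Convert the raw FILETIME value to a DateTime, or $null when it is not a date.
    # [datetime]::FromFileTime() rejects MaxValue and turns 0 into a date in 1601,
    # so both special values are filtered out before the conversion.
    param($FileTime)
    if ($null -eq $FileTime -or $FileTime -eq 0 -or $FileTime -eq $Never) {
        return $null   # 0: password was never set or must change at next logon
    }
    return [datetime]::FromFileTime($FileTime)
}

$query = @{
    Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
    Properties = 'DisplayName', 'mail', 'msDS-UserPasswordExpiryTimeComputed'
}

$report = Get-ADUser @query |
    ForEach-Object {
        $expiry = Convert-ExpiryTime $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -ne $expiry) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                DisplayName    = $_.DisplayName
                Mail           = $_.mail
                ExpiryDate     = $expiry
                # Negative values mean the password has already expired.
                DaysLeft       = [math]::Floor(($expiry - $Now).TotalDays)
            }
        }
    } |
    Where-Object { $_.DaysLeft -le $WarnDays } |
    Sort-Object ExpiryDate

$report | Format-Table -AutoSize
```

The Mail column carries the address a notification step would use for each account in the report.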

How do I generate password expiration for a user in Active Directory PowerShell?

Get a list of AD user accounts and their expiration dates with the following PowerShell script:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Can you see a user's password in Active Directory?

No, an administrator cannot see a user's password. However, it is possible to reset that user's password. That mechanism would allow a rogue administrator to take control of an account.