News We Recently Launched AD Migrator and AD Reporter.

Check When Password Expires in Active Directory & Get All Dates

  author
Written By Mohit Jha
Anuraag Singh
Approved By Anuraag Singh  
Published On September 16th, 2024
Reading Time 9 Minutes Reading

Admins who don’t know how to check when password expires in Active Directory may need our help. A lack of transparency in AD password management may result in users being locked out of their accounts. So it’s better to have a list that admins can refer to and send reminders to users whose access is about to end.

Table of Contents

Here in this write-up, we provide you not one or two but three separate methods for the same. But before we see what the methods are, let’s check the reasons for finding the password expiration date.

Why Admins Look For Password Expiration Date in AD

Like the reasons to check the last password change in AD a password expiry inquiry is also done with security in mind. Organizations that make their users change login credentials have a stronger security framework. Moreover, if passwords ever get leaked, triggering an expiry request can prevent backdoor access.

Compliance requirements are not new for admins who look after an AD. To make sure their organization is following what’s required admins may set up a password expiry policy. If a change in personnel occurs the new admin must quickly check what the date set by the previous admin was.

Knowing which users are locked out and not manually disabled is key to exporting disabled users from Active Directory as well.

All of this can only be done if administrators have access to a list.  So let us start by looking at the most requested PowerShell methods for identifying password expiration dates.

Now, let’s dive into the hidden command line method for identifying password expiration date

Easiest Way to Get Active Directory Password Expiration Date

Open a command line(cmd) instance and type:

net user %username% /domain | findstr /C:"Password expires"

active directory password expiration date command line

Breakdown of the command

Here “%username%” is a placeholder for the currently logged-in account.

The “/domain” part is to move the scope on the AD instead of the local machine.

The “findstr” and corresponding filter limit the output to and only display the “Password expires” data.

One out of two outputs may occur: either you get a date or a text that says “Never”.

This sort of result may be enough for a quick glance. However, for reporting purposes, admins need something more sophisticated.

Although admins and other privileged users can replace the placeholder with any other username and check their password expiry date as well this is time-consuming and defeats the purpose of the task. So that’s why admins move towards PowerShell which has more tools to display the results in bulk.

Get the Default AD Password Expiry Date with A PowerShell cmdlet

Experienced AD admins might already know this, but for those who are new to Active Directory user management, this serves as a starting point.

By default, every AD sets the password expiry date to 42 days after the last change.

Therefore, if the “password never expires” checkbox is not marked during user creation and no custom updates are made to the Password Policy then you may use the following cmdlet. It will add 42 days to the last password update and display when it expires.

Get-ADUser -Filter * -Properties DisplayName, pwdLastSet | Select-Object DisplayName, @{Name="pwdLastSet";Expression={[datetime]::FromFileTime($_.pwdLastSet)}}, @{Name="PasswordExpires";Expression={[datetime]::FromFileTime($_.pwdLastSet).AddDays(42)}} | Format-Table -AutoSize
  • Default PowerShell

However, there are a few problems with this approach.
First, it does not check for the “Password Never Expires” so some users get a date from the 15th Century. The AD by Default stores the Password Never Expired date as 12/31/1600.

Same problem exists for new users whose password is set by the admin and is scheduled for a change whenever the next user login occurs.

In this scenario, the AD fetches a password expiry date that has already passed. However, users will still be able to login with their default credentials. Although at that very moment the existing password expires and the user has to set a new one.

As the user can log in anytime to reset the password predicting a date is not possible. To bypass this we use an attribute called “msDS-MaximumPasswordAge”

How to Check When Password Expires in Active Directory Via Advanced PowerShell Scripts

Use the following scripts on a Windows PowerShell module to get a list of all users having an expiration date.

Note: This first cmdlet only shows the date of all users whose password is about to expire:

Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |

Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

We also have a “.ps1” script for you to highlight the users whose passwords may expire. It also tells you the users whose password will remain as it is.

Script to classify users based on their password expiry.

Get-ADUser -Filter * -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object Name, @{Name="PasswordExpiry";Expression={[System.DateTime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed").ToString("yyyy-MM-dd HH:mm:ss")}}

Password Expiry Date Via PowerShell

Those who are not comfortable with PowerShell can use the command line queries as directed.

Fetch Active Directory Password Expiration Date with Command Line

See the entire user password expiry list

dsquery user -limit 0 | dsget user -display -samid -acctexpires -disabled

entire user password expiry list

Even these cmd-level codes are too tricky, not to mention risky. So to avoid the scripts entirely, you may choose the Active Directory Users and Computers snap-in.

Use ADUC and See If User Passwords Expires or Not

  • Search for Active Directory Users and Computers and open it.
    Search for ADUC
  • Click on the View option from the Dropdown mark Advanced Features.
    Advanced Features
  • Double-click on the Users container.
    Users container
  • Right-click on the user whose password data you want to view and hit Properties.
    Properties
  • In the properties window, go to Attribute Editor.
    Attribute Editor
  • Type “user”, it should highlight the userAccountControl attribute.
    user Account flag

However, the problem is that you can only view a flag and the text value associated with it. The flag you need to watch out for is 10000 [DONT_EXPIRE_PASSWD].

If you double-click, it opens a popup from where you can copy the data. However, keep in mind that you get an integer value and not the actual date. Moreover, the value you get is of no practical use.

If you see no such flag, then it means the user password may expire sometime in the future date to view the data we have to use the Admin Center.

Use the ADAC and See How many Days an AD User Password Stays Valid For

  • Open Active Directory Admin Center via the Server Manager or Windows search bar.
    Go to the Users Tab
  • Select a User
  • Click on the View Resultant Password Settings option from the rightmost pane.
  • A new box opens there look for the Enforce Maximum Password age option.
    View Password Reset

There lies the Active Directory Password expiration date that you are looking for. Note that the reason for not being able to view the password expiry date may be because of the following:

  • No password setting policy exists in the Active directory.
  • If set, the Password Setting policy is not applied to this user.
    User Password Policy Not Set

Professional Way to Check Password Expiry Date in Active Directory

For that use the SysTools AD Reporting Software. This tool trims down the manual effort required by admins. It does so by replacing the problematic scripts and commands with an entirely GUI-based setup. With little to no training, any admin will be able to pull their AD’s user password expiry data and present it in a readable format.

Download Now Purchase Now

The tool has its own Preview window and multidomain addition feature. So admins who are responsible for more than one domain can just add the AD domains and start listing out all the information that’s required.

With the help of a dashboard date filter, you can slice the decades-long data into more manageable chunks.

You might be wondering how this tool packs so much in a single package. For that follow the steps below and find out how its intuitive interface works.

Automated Steps to See User Password Expiry Parameter in AD

  • Open the tool on your machine and log in with the (administrator) credentials appear on the screen.
    Type administrator
  • Push the “Register Domain Controller”  button with your cursor to add your domain IP.
    Register Domain Controller button
  • Put the custom “Domain Friendly Name” and the correct “IP address” in the spaces provided inside the pop-up window. Then Tap the Save & Continue Button.
    Register Domain Controller screen
  • On the Domain Details page fill in your admin credentials, and Validate them with the help of the Save and Continue button.
    permission validation
  • Toggle the Report Tab and select the Password Never Expired category inside Users.
  • Click on the Duration option to set a premade date range or use the Custom option to make your timeline.
    view date selection
  • Click on the Preview button to check password expiration in Active Directory.
    Preview
  • To get Active Directory Password Expiration Date in CSV format press the Download button and Choose CSV from the dropdown.
    Download button

Conclusion

In this tutorial, readers learned how to check when password expires in Active Directory via PowerShell and other means. As the PowerShell Scripts and its sister command line methods are complicated, we gave the use case for ADUC. However, that too has its problems. Therefore, as a sure shot measure, admins can use the utility pitched earlier. With it, any reporting task, like the one to find user password expiry can be done without much effort.

Frequently Asked Questions After Viewing AD User Password Expiry Date

Q. How can I Set Up a New Password Policy Via the Admin Center?

  • Expand the arrow next to the domain name.
  • Click on System.
  • Choose Password Settings Container.
  • Click on New > Password Settings.
    Set User Password Policy
  • Fill in all the required details then go to the Directly Applies tab and put all the users you want.

Q. Is there a way to see the password expiry date via Event Viewer?
A. No, the Event Viewer does not generate any Event ID for password expiry. Moreover, trying to guess a date based on a failed logon event is difficult and error-prone.

Q. From where an admin can deploy a domain-wide password expiry policy?
A. It can be done via the group policy edit portal. Follow these steps.

  • Press Windows + R and type “gpme.msc” in the run module.
  • In the Browse for a Group Policy Object window choose a Group Policy.
  • Inside the Group Policy Management Editor Screen follow this path
  • Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy
  • The Password Policy Attributes appear on the Right Pane. Select the Maximum password age option and check the details present in the window.
    GPME Steps
  author

By Mohit Jha

Mohit is a Microsoft Certified expert known for his cloud migration, cyber security, and digital forensics expertise. He specializes in Microsoft 365, Exchange Server, and Azure AD migration, ensuring seamless transitions for organizations worldwide. His multifaceted role as a meticulous tech writer, diligent researcher, and astute editor underscores his commitment to delivering cutting-edge digital forensics and cloud migration strategies.