How to get AD Users Password Expiration Date
Administrators working in a Windows environment are responsible for making sure that user accounts with soon-to-expire or already expired passwords are reported and dealt with in an orderly fashion. By default, a user account's password expires after a specific time, based on the group policy that applies to the account. System administrators have to keep track of all such user accounts and their password expiration dates so they can remind users to update their passwords ahead of time and at regular intervals for security purposes.
Failing to do so can result in users getting locked out of their accounts, leading to increased helpdesk calls and a dip in productivity. Preparing a list of all user accounts along with when their passwords will next expire is pivotal for preventing password mishaps. Fortunately, a few lines of PowerShell code can get you the account and password details for all AD user accounts.
PowerShell script to get AD user password expiration dates
To start, make sure that you have the PowerShell ActiveDirectory module installed and running. This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.
1. Download, install and load RSAT (Remote Server Administration Tools).
2. Make sure that the PowerShell feature is already running. Press the “Windows logo + R” keys to open the Run utility, and type “Windows PowerShell”.
3. Copy the following cmdlet into PowerShell and press the Enter key:
- Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Sort-Object DISPLAYNAME | Export-Csv DRIVE:\FILENAME.CSV -NoTypeInformation
- *NOTE 1: Replace DISPLAYNAME with EXPIRYDATE if you'd rather sort your list by date of password expiration
- **NOTE 2: Replace DRIVE:\FILENAME.CSV with the file path of your exported CSV. Below I used h:\passwords_list.csv:
- EXAMPLE:
- Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Sort-Object DisplayName | Export-Csv h:\passwords_list.csv -NoTypeInformation
Return to a prompt (H:\ in the example) and proceed to the next step.
4. Check for the CSV file in the path given in the cmdlet. The CSV file will contain a list of the enabled domain user accounts whose passwords can expire, along with when each password will expire. Filter the list for accounts whose passwords expire soon and have those end users update their passwords immediately.
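The msDS-UserPasswordExpiryTimeComputed attribute has two special values that the one-liner in step 3 does not handle: 0 (the user must change the password at next logon, which FromFileTime renders as 1 January 1601 UTC) and 0x7FFFFFFFFFFFFFFF (the password does not expire, on which FromFileTime throws). The following is an added example, not part of the original article, that handles both and returns only the accounts needing attention; the function name Get-ExpiringPassword, its WarnDays parameter and the sample accounts are constructed for illustration.

```powershell
# Added example: function name, parameters and sample accounts are constructed.
function Get-ExpiringPassword {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [int]$WarnDays = 14
    )
    begin {
        $now = Get-Date
        $neverExpires = [long]::MaxValue   # 0x7FFFFFFFFFFFFFFF: password does not expire
    }
    process {
        $raw = [long]$User.'msDS-UserPasswordExpiryTimeComputed'
        if ($raw -eq $neverExpires) { return }   # FromFileTime() throws on this value
        if ($raw -eq 0) {
            # pwdLastSet is 0: the user must change the password at next logon
            $expiry = $null
            $status = 'MustChangeAtNextLogon'
        }
        else {
            $expiry = [datetime]::FromFileTime($raw)   # local time, like Get-Date
            if ($expiry -lt $now) { $status = 'Expired' }
            elseif ($expiry -le $now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            else { return }   # not due within the warning window
        }
        [pscustomobject]@{
            DisplayName = $User.DisplayName
            ExpiryDate  = $expiry
            Status      = $status
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output, so this runs without a domain.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Alice Example'; 'msDS-UserPasswordExpiryTimeComputed' = (Get-Date).AddDays(5).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'Bob Example';   'msDS-UserPasswordExpiryTimeComputed' = (Get-Date).AddDays(-2).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'Carol Example'; 'msDS-UserPasswordExpiryTimeComputed' = 0 }
    [pscustomobject]@{ DisplayName = 'Dave Example';  'msDS-UserPasswordExpiryTimeComputed' = [long]::MaxValue }
    [pscustomobject]@{ DisplayName = 'Erin Example';  'msDS-UserPasswordExpiryTimeComputed' = (Get-Date).AddDays(60).ToFileTime() }
)

# Lists Carol (must change), Bob (expired) and Alice (expiring soon); Dave and Erin are skipped.
$sample | Get-ExpiringPassword -WarnDays 14 | Sort-Object ExpiryDate | Format-Table -AutoSize
```

Against a real domain, pipe the Get-ADUser command from step 3 (up to and including its -Properties list) into Get-ExpiringPassword in place of the sample objects.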