PowerShell: How to Find Password Expiration Date for AD Users

How to get AD Users Password Expiration Date

Administrators working in a Windows environment are tasked with ensuring that user accounts with expired or soon-to-expire passwords are reported and taken care of in an orderly fashion. By default, a user account's password expires after a specific time, based on the group policy that applies to the account. System administrators have to keep track of all such user accounts and their password expiration dates so that they can remind users to update their passwords ahead of time and at regular intervals for security purposes.
Failing to do so can result in users getting locked out of their accounts, leading to increased helpdesk calls and a dip in productivity. Preparing a list of all user accounts along with when their passwords will next expire is pivotal for preventing password mishaps. A few lines of PowerShell code can get you the account and password details for all AD user accounts.

PowerShell script to get AD user password expiration date

To start, make sure that you have the PowerShell ActiveDirectory module installed and running. This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.

1. Download, Install and Load the RSAT (Remote Server Administration Tools).
2. Make sure that the PowerShell feature is already running. Press the “Windows logo + R” keys to open the Run utility, and type “Windows PowerShell”.
3. Copy the following cmdlet into PowerShell and press the Enter key:
  1. Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property DisplayName,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Sort-Object DISPLAYNAME | Export-Csv -NoTypeInformation DRIVE:\FILENAME.CSV
  2. *NOTE 1: Replace DISPLAYNAME with EXPIRYDATE if you'd rather sort your list by date of password expiration.
  3. **NOTE 2: Replace DRIVE:\FILENAME.CSV with the file path of your exported CSV. Below I used h:\passwords_list.csv:
  4. EXAMPLE:
  5. Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select-Object -Property DisplayName,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Sort-Object DisplayName | Export-Csv -NoTypeInformation h:\passwords_list.csv
Return to a prompt (H:\ in the example) and proceed to the next step.

4. Check for the CSV file in the path given in the cmdlet. The CSV file will contain a list of the enabled domain user accounts whose passwords can expire, along with when each password will expire. Filter the soon-to-expire accounts from the CSV file and have the end users update their passwords immediately.
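
The filtering described in step 4 can also be done in PowerShell before exporting. The following is an added example, not code from the original article; it also handles the two special values of msDS-UserPasswordExpiryTimeComputed (0 and 9223372036854775807), the second of which [datetime]::FromFileTime rejects with an exception. The function name Get-PasswordExpiryStatus, the 14-day window and the sample users are assumptions constructed for illustration.

```powershell
# Added example (not from the original article). Function name, window and
# sample data are illustrative assumptions.
function Get-PasswordExpiryStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]      $WithinDays = 14,          # assumed reminder window
        [datetime] $Now = (Get-Date)
    )
    process {
        # Raw FILETIME (100 ns ticks since 1601-01-01 UTC) computed by the DC.
        $raw      = [long]$User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry   = $null
        $daysLeft = $null
        if ($raw -eq 0) {
            # pwdLastSet is 0: the user must change the password at next logon.
            $status = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [long]::MaxValue) {
            # No expiry applies (e.g. policy with no maximum password age).
            $status = 'NoExpiry'
        } else {
            $expiry   = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expiry - $Now).TotalDays)
            if ($daysLeft -lt 0) { $status = 'Expired' }
            elseif ($daysLeft -le $WithinDays) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            DisplayName = $User.DisplayName
            ExpiryDate  = $expiry
            DaysLeft    = $daysLeft
            Status      = $status
        }
    }
}

# Constructed sample input so the example runs without a domain controller.
$now  = [datetime]'2024-03-01'
$attr = 'msDS-UserPasswordExpiryTimeComputed'
$sample = @(
    [pscustomobject]@{ DisplayName = 'User A (constructed)'; $attr = $now.AddDays(5).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'User B (constructed)'; $attr = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'User C (constructed)'; $attr = $now.AddDays(60).ToFileTime() }
    [pscustomobject]@{ DisplayName = 'User D (constructed)'; $attr = [long]0 }
    [pscustomobject]@{ DisplayName = 'User E (constructed)'; $attr = [long]::MaxValue }
)
$sample | Get-PasswordExpiryStatus -Now $now |
    Where-Object Status -ne 'OK' | Sort-Object Status, DaysLeft | Format-Table -AutoSize
```

Against a live domain, pipe the Get-ADUser command from step 3 (without the Select-Object, Sort-Object and Export-Csv stages) into Get-PasswordExpiryStatus instead of $sample.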
