If you are running an online business, passwords are essential for data privacy and security. Therefore, you should have a strong password policy for managing all passwords. It is also recommended to set a strict password expiration policy including, the minimum and maximum age, the minimum length of passwords, and complexity.
After setting up a password expiration policy, every user will have to change their passwords after a certain number of days. You can set the Minimum and Maximum age for every password that meets your organization’s needs.
It is always a good idea to keep track of all users and their expiration dates. So you can change each user's password at regular intervals to prevent users from getting locked out.
This post will show you how to find the password expiration date for active directory users.
Find the Password Expiration Date for a Single User
The Windows command prompt is the simple and easiest way to find the password expiration date for a single user. You can use the net user command to display the password expiration date of the specified user.
For example, if you want to see the password expiration date of the user Vinay, run the following command on the Windows command prompt:
net user vinay /domain
You should see all important information including, last password, expiration date, access, group membership, and more.
If you want to display only password expiration dates, then you can use the find command to filter the output:
net user vinay /domain | find "Password expires"
This will only display the password expiration date as shown below:
Find the Password Expiration Date for All User
The net user command is only helpful to get the password expiration date for a single user. If you want to display the password expiration date of all active directory users, then the net user command can not help. In this case, you can use Powershell to find the password expiration date of all active directory users.
Open the Powershell window and run the following command:
get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
You should see the password expiration date of all users on the following screen:
If you want to display the password expiration date with the password last set date, run the following command:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
You should see the following screen:
Find the Password Expiration Date for All Users with Powershell Script
This section will create a PowerShell script to display password expiration dates with the number of days until the password expires.
To create a PowerShell script, open the notepad and add the following code:
Import-Module ActiveDirectory
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$expiredDate = (Get-Date).addDays(-$MaxPwdAge)
#Set the number of days until you would like to begin notifing the users. -- Do Not Modify --
#Filters for all users who's password is within $date of expiration.
$ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail | select samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}} | Sort-Object PasswordLastSet
$ExpiredUsers
Save the file as file.ps1 name.
Next, right-click on the file.ps1 file as shown below:
Next, click on the Edit button. This will open the file.ps1 file as shown below:
Next, click on the Green icon to run the script. If the script ran successfully, you should see the password expiration date of all users with the number of days until the password expires on the following screen:
Automated password management tools
Many systems administrators prefer time-saving automated password management tools instead of looking after passwords manually. These systems can help you formulate a password policy and then enforce it by interfacing with Active Directory for you.
ManageEngine ADSelfService Plus – FREE TRIAL
An example of such as system is ManageEngine ADSelfService Plus. As well as providing a guided password policy formation system, this tool will implement your password policy and also coordinate passwords across all of your business’s AD domain controllers. This makes creating a single sign-on environment very easy and you can strengthen security by implementing multi-factor authentication with this ManageEngine service.
Pros:
- Empowers users to change their own passwords – eliminating extra tickets
- Offers a variety of password policy enforcement options
- Supports multi-factor authentication
- Syncs passwords in real-time across the cloud and on-premises AD
Cons:
- Best suited for small to medium-sized helpdesk teams
The tool is available for installation on Windows Server and you can also add it to an AWS or Azure account through the marketplace. Try out the package with a 30-day free trial.
Conclusion
That's it for now. The above guide explained how to find the password expiration date of the user in several ways. You can now choose your preferred method to get the user account password expiration date.
AD Password Expiration FAQs
Can you see user passwords in Active Directory?
Active Directory doesn’t allow anyone to see the passwords of accounts. Even if the account and its password were created by the Administrator, that person isn’t able to see the password within the Active Directory environment. If a user forgets a password, the only solution is to reset it, to a known value and then inform the user of that new value with a requirement to change it.
What is the password expiry duration for domain user PC login user?
The password expiration period is set in the security policy settings. The specific value to look for is Domain member: Maximum machine account password age. By default, this value is set to 30 days. The value can be set to any number from 1 to 999. You find this setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. It is possible to remove the requirement by setting the policy for Domain member: Disable machine account password changes.
What happens when password expires in Active Directory?
When a user password expires in Active Directory, the account stays active – it doesn’t get locked. Instead, the next time the user logs in with the existing username and password, validation occurs, but the user is not allowed to move on and access the protected system until a password change notification is acted upon. Password duration can be altered. It is a factor in the Group Policy Management system and can be found in the Default Domain Policy for the domain. It is possible to define a password duration cycle of anywhere between 1 and 999 days. You can set up this value in the Active Directory Administration Center console. Go to the System section, click on Password Container Settings, and then click New and then Password Settings.
