If you are running an online business, passwords are essential for data privacy and security. Therefore, you should have a strong password policy for managing all passwords. It is also recommended to set a strict password expiration policy, including the minimum and maximum age, the minimum length of passwords, and complexity.
After setting up a password expiration policy, every user will have to change their password after a certain number of days. You can set the minimum and maximum age for every password to meet your organization’s needs.
It is always a good idea to keep track of all users and their expiration dates, so that you can change each user's password at regular intervals and prevent users from getting locked out.
This post will show you how to find the password expiration date for Active Directory users.
Find the Password Expiration Date for a Single User
The Windows command prompt is the simplest way to find the password expiration date for a single user. You can use the net user command to display the password expiration date of the specified user.
For example, if you want to see the password expiration date of the user Vinay, run the following command on the Windows command prompt:
net user vinay /domain
You should see all the important information, including last password, expiration date, access, group membership, and more.
If you want to display only password expiration dates, then you can use the find command to filter the output:
net user vinay /domain | find "Password expires"
This will only display the password expiration date as shown below:
Find the Password Expiration Date for All Users
The net user command is only helpful for getting the password expiration date of a single user. If you want to display the password expiration date of all Active Directory users, the net user command cannot help. In this case, you can use PowerShell to find the password expiration date of all Active Directory users.
Open the PowerShell window and run the following command:
Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires | Format-Table Name, PasswordLastSet, PasswordNeverExpires
You should see the password expiration date of all users on the following screen:
If you want to display the password expiration date with the password last set date, run the following command:
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
You should see the following screen:
Find the Password Expiration Date for All Users with PowerShell Script
In this section, we will create a PowerShell script that displays password expiration dates along with the number of days until each password expires.
To create a PowerShell script, open Notepad and add the following code:
Import-Module ActiveDirectory
# Maximum password age, in days, from the default domain password policy.
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
# Passwords last set before this date have already expired.
$expiredDate = (Get-Date).AddDays(-$MaxPwdAge)
# Select enabled users whose password can expire and has not expired yet,
# then compute the number of days left for each of them.
$ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail |
    Select-Object SamAccountName, PasswordLastSet, @{Name = "DaysUntilExpired"; Expression = {($_.PasswordLastSet - $expiredDate).Days}} |
    Sort-Object PasswordLastSet
$ExpiredUsers
Save the file as file.ps1.
Next, right-click on the file.ps1 file as shown below:
Next, click on the Edit button. This will open the file.ps1 file as shown below:
Next, click on the Green icon to run the script. If the script ran successfully, you should see the password expiration date of all users with the number of days until the password expires on the following screen:
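The script above takes MaxPasswordAge from the default domain policy, so accounts covered by a fine-grained password policy are reported against the wrong maximum age. The added example below (not part of the original post) reads msDS-UserPasswordExpiryTimeComputed instead, which Active Directory computes per user, and handles its two special values. The function name Get-PasswordExpiryStatus, its -WarnDays parameter and the sample records are assumptions made for illustration.

```powershell
# Added example. Get-PasswordExpiryStatus and -WarnDays are hypothetical names.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 14,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw = [int64] $User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null; $days = $null   # reset for every pipeline item
        if ($raw -eq 0) {
            # 0: password never set, or "must change password at next logon"
            $status = 'MustChange'
        } elseif ($raw -eq [int64]::MaxValue) {
            # Int64.MaxValue: password never expires; FromFileTime would throw here
            $status = 'NeverExpires'
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            $days   = [int][math]::Floor(($expiry - $Now).TotalDays)
            $status = if ($days -lt 0) { 'Expired' } elseif ($days -le $WarnDays) { 'ExpiringSoon' } else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName   = $User.SamAccountName
            ExpiryDate       = $expiry
            DaysUntilExpired = $days
            Status           = $status
        }
    }
}

# Constructed sample records standing in for Get-ADUser output.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';      'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(40).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';        'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(5).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'carol';      'msDS-UserPasswordExpiryTimeComputed' = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'dave';       'msDS-UserPasswordExpiryTimeComputed' = [int64]0 }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; 'msDS-UserPasswordExpiryTimeComputed' = [int64]::MaxValue }
)
$sample | Get-PasswordExpiryStatus -Now $now | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties 'msDS-UserPasswordExpiryTimeComputed' |
#     Get-PasswordExpiryStatus | Sort-Object DaysUntilExpired
```

Accounts reported as NeverExpires or MustChange are worth reviewing separately, since neither has an expiry date that a simple date calculation would surface.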
Automated password management tools
Many systems administrators prefer time-saving automated password management tools instead of looking after passwords manually. These systems can help you formulate a password policy and then enforce it by interfacing with Active Directory for you.
ManageEngine ADSelfService Plus – FREE TRIAL
An example of such a system is ManageEngine ADSelfService Plus. As well as providing a guided password policy formation system, this tool will implement your password policy and also coordinate passwords across all of your business’s AD domain controllers. This makes creating a single sign-on environment very easy, and you can strengthen security by implementing multi-factor authentication with this ManageEngine service.
The tool is available for installation on Windows Server and you can also add it to an AWS or Azure account through the marketplace. Try out the package with a 30-day free trial.
Conclusion
That's it for now. The above guide explained how to find the password expiration date of the user in several ways. You can now choose your preferred method to get the user account password expiration date.