Несмотря на то, что Microsoft убрала требование регулярной смены пароли пользователей из своих рекомендаций безопасности, в большинстве on-prem доменов Active Directory включена политика, ограничивающая срок действия паролей пользователей. Часто пользователи забывают вовремя сменить свой пароль, срок действия которого истек, что вызывает лишние обращения в службы ИТ поддержки.
В этой статье мы рассмотрим, как узнать, когда истекает пароль учетной записи пользователя в домене и как заблаговременно напомнить пользователю о том, что ему нужно сменить свой пароль.
Содержание:
- Как узнать срок действия пароля пользователя в Active Directory?
- Политика оповещения об окончании срока действия пароля
- Вывести уведомление об истечении срока пароля с помощью PowerShell
- PowerShell: отправка почтовых уведомлений об истечении пароля на e-mail
Как узнать срок действия пароля пользователя в Active Directory?
Срок действия пароля пользователя в домене определяется настройками парольной политики AD. Текущие настройки политики срока действия паролей в домене можно получить с помощью команды PowerShell:
Get-ADDefaultDomainPasswordPolicy|select MaxPasswordAge
В нашем примере максимальный срок действия пароля пользователя в домене – 60 дней.
Также опционально для некоторых пользователей/групп могут быть включены гранулированные политики паролей (Fine-Grained Password Policy) с другими настройками срока действия пароля.
В свойствах пользователя в Active Directory содержится только атрибут pwdLastSet, который содержит дату последней смены пароля ( можно посмотреть в консоли ADUC -> вкладка редактор атрибутов AD).
Узнать дату окончания срока действия пароля пользователя в домене можно с помощью PowerShell (требуется модуль AD PowerShell), который позволяет получить значение атрибута msDS-UserPasswordExpiryTimeComputed. Этот constructed-атрибут автоматически вычисляется на основании времени последней смены пароля и парольной политики:
Get-ADUser -Identity a.ivanov -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, PasswordNeverExpires, PasswordExpired |Select-Object -Property Name,PasswordLastSet, PasswordNeverExpires, PasswordExpired,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Командлет возвращает такие значения таких атрибутов:
- PasswordLastSet — время последней смены пароля;
- PasswordNeverExpires – возвращает True, если пароль пользователя никогда не устаревает (бессрочный пароль). Это один из битовых значений атрибута UserAccountControl);
- PasswordExpired – возвращает True, если пароль пользователя устарел;
- ExpiryDate – дата, когда истечет срок действия пароля
Вывести всех пользователей из определенного контейнера (OU) AD, срок действия пароля которых уже истек:
$Users = Get-ADUser -SearchBase 'OU=Users,OU=SPB,DC=corp,DC=winitpro,DC=ru' -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet
$Users | select Name, @{Name="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, PasswordLastSet | where ExpirationDate -lt (Get-Date)
Если значение msDS-UserPasswordExpiryTimeComputed равно 0, значит pwdLastSet пустой (null) или равен 0 (пароль пользователя никогда не менялся).
Политика оповещения об окончании срока действия пароля
В Windows можно включить параметр групповой политики, позволяющий оповещать пользователей о необходимости сменить пароль.
Политика называется Interactive logon: Prompt user to change password before expiration и находится в разделе GPO Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
По умолчанию эту политика включена на уровне локальной групповой политики Windows и уведомления начинают появляться за 5 дней до истечения срока действия пароля. Вы можете изменить количество дней, в течении которых должно появляться уведомление о смене пароля.
После включения этой политики, если пароль пользователя истекает, то при входе в трее Windows будет появляться уведомление о необходимости сменить пароль.
Consider changing your password Your password will expire in xx days.
Это сообщение появляется на несколько секунд и часто игнорируется пользователями. Поэтому вы можете добавить дополнительное всплывающее уведомление о необходимости смены пароля.
Вывести уведомление об истечении срока пароля с помощью PowerShell
Следующий PowerShell скрипт будет выводить всплывающее уведомление с предложением сменить пароль, если он истекает менее чем через 5 дней:
$DaysLeft = 5
try{
Add-Type -AssemblyName PresentationCore,PresentationFramework,WindowsBase,system.windows.forms
} catch {
Throw "Failed to load Windows Presentation Framework assemblies."
}
$curruser= Get-ADUser -Identity $env:username -Properties 'msDS-UserPasswordExpiryTimeComputed','PasswordNeverExpires'
if ( -not $curruser.'PasswordNeverExpires') {
$timediff=(new-timespan -start (get-date) -end ([datetime]::FromFileTime($curruser."msDS-UserPasswordExpiryTimeComputed"))).Days
if ($timediff -lt $DaysLeft) {
$msgBoxInput = [System.Windows.MessageBox]::Show("Ваш пароль истекает через "+ $timediff + " дней!`nХотите сменить пароль сейчас?","Внимание!","YesNo","Warning")
switch ($msgBoxInput) {
'Yes' {
$Console = quser | Select-String -Pattern ">"| Select-String -Pattern "console" -Quiet
if ( $Console ) {
Start-Process -FilePath powershell -ArgumentList "-command Set-ADAccountPassword -Identity $env:username ; pause"
}
else {
cmd /c "C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"
}
}
'No' { }
}
}
}
Если до истечения срока действия пароля пользователя осталось менее 5 дней, скрипт предложит пользователю сменить пароль. Если пользователь нажимает Да, выполняется проверка залогинен ли пользователь на консоль компьютера:
Данный PowerShell скрипт можно запускать по расписанию через планировщик задач, поместить автозагрузку или запускать как logon скрипт групповых политик.
Однако это будет работать только на компьютерах, добавленных в домен Active Directory. Если пользователь подключается к домену через VPN (и вы не можете настроили запуск VPN до входа в Windows) или веб клиенты (типа OWA), он не увидит уведомления о приближении даты окончания срока действия пароля. В этом случае можно оповещать пользователей об истечении пароля по почте.
PowerShell: отправка почтовых уведомлений об истечении пароля на e-mail
С помощью PowerShell вы можете настроить отправку уведомлений на email пользователям о том, что срок действия их пароля истекает.
$Sender = "[email protected]"
$Subject = 'Внимание! Скоро истекает срок действия Вашего пароля!'
$BodyTxt1 = 'Срок действия Вашего пароля для'
$BodyTxt2 = 'заканчивается через '
$BodyTxt3 = 'дней. Не забудьте заранее сменить Ваш пароль. Если у вас есть вопросы, обратитесь в службу HelpDesk.'
$smtpserver ="smtp.domain.com"
$warnDays = (get-date).adddays(7)
$2Day = get-date
$Users = Get-ADUser -SearchBase 'OU=Users,DC=corp,DC=winitpro,DC=ru' -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties msDS-UserPasswordExpiryTimeComputed, EmailAddress, Name | select Name, @{Name ="ExpirationDate";Expression= {[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}, EmailAddress
foreach ($user in $users) {
if (($user.ExpirationDate -lt $warnDays) -and ($2Day -lt $user.ExpirationDate) ) {
$lastdays = ( $user.ExpirationDate -$2Day).days
$EmailBody = $BodyTxt1, $user.name, $BodyTxt2, $lastdays, $BodyTxt3 -join ' '
Send-MailMessage -To $user.EmailAddress -From $Sender -SmtpServer $smtpserver -Subject $Subject -Body $EmailBody
}
}
У командлета Send-MailMessage есть параметр -Attachment. Он позволяет прикреплять к письму файл с инструкцией о том, как пользователь может выполнить смену пароля в вашей сети.
Скрипт проверяет всех активных пользователей домена с истекающими паролями. За 7 дней до истечения пароля пользователю начинают отправляться письма на email адрес, указанный в AD (атрибут должен быть заполнен). Письма отправляются до тех пор, пока пароль не будет изменен или просрочен.
Данный PowerShell скрипт нужно запускать регулярно на любом компьютере/сервере домена (проще всего через Task Scheduler). Естественно, нужно на вашем SMTP сервере добавить IP адрес хоста, с которого рассылаются письма, в разрешенные отправители без аутентификации.
While working on a windows environment, Password Expiration is one of the most common issues that domain users face when logging in due to password group policies.
By default, the Windows domain user account is configured to expire passwords after a specific amount of time-based on the group policy and every user will be notified 2 to 3 weeks prior to the password expiring.
If you miss this notification and don’t change your password, your account will be Locked Out.
As a System Administrator, you will need to keep track of all user accounts and their expiration dates and you will most likely need to update passwords at regular intervals for security reasons.
To prevent users from getting locked out, you should prepare a list of all user accounts along with when the password was last set and when the password will expire next.
Lucky for you, there is an easy way to find all of this information using PowerShell.
In this tutorial, we’ll show you how to check password expiration dates in Active directory with PowerShell.
Check User Password Expiration Date with Net User Command
You can display detailed information of a specific users’ Password Expiration using the following syntax:
net user USERNAME /domain
For example, to display the password expiration information of the user “hitesh” run the following command in the PowerShell:
net user hitesh /domain
Example:
The above command will display user account information such as when the password was last set, when the password expires, and so on.
If you want to filter the output from the above command and display only password expiration dates, then you can use the find command in conjunction with the net user command as shown below:
net user hitesh /domain | find "Password expires"
Example:
Check All User Password Expiration Date with PowerShell
You can also display all user password expiration dates using PowerShell.
For example, to find the Password Expiration Date of all users in your Domain, you can run the following command:
get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
Example:
If you want to display the expiration date rather than the password last set date, run the following command:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Example:
Check All User Password Expiration Date with PowerShell Script
If you want to check password expiration dates in Active Directory and display password expiration dates with the number of days until the password expires, you can achieve this by creating a PowerShell script.
You can create the PowerShell script by following the below steps:
1. Open your notepad and add the following codes:
Import-Module ActiveDirectory
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$expiredDate = (Get-Date).addDays(-$MaxPwdAge)
#Set the number of days until you would like to begin notifing the users. -- Do Not Modify --
#Filters for all users who's password is within $date of expiration.
$ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail | select samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}} | Sort-Object PasswordLastSet
$ExpiredUsers
2. Click on the Save as option to save the file.
3. Type a name for the script as user_list.ps1.
4. Click on the Save button to save the file.
Right click on the PowerShell script and click on the Edit button as shown below:
Now, click on the Green arrow button to run the script.
You should see the following screen if it ran successfully:
Conclusion
Congratulations!
You are now able to get an Active Directory user account password expiration date using several methods including using the command line and using Powershell!
There are also a number of tools that offer automated password expiration reminders – see this list of free Active Directory tools.
Are you looking for Windows How To Check When Password Expires? It’s important to know how to check when your Windows password will expire so you can make sure your computer and devices are secure. It’s not complicated, but you will need to understand the procedures for viewing when your password is set to expire. This article will show you how to check when your Windows password will expire and provide some tips on how to keep your account safe. We’ll also talk about the importance of checking password expiration, explain why it’s necessary.
1. Uncover the Expiration Date of Your Windows Password
Are you worried your Windows password may have already expired? Need to know how to figure out when your password expires? Look no further, because uncovering your Windows password expiration date is easier than ever!
To find out when your password will expire, follow these simple steps:
- Access the Control Panel – Click the Windows icon and type ” Control Panel” to access this tool.
- Look for the User Accounts – Scroll down the list of available options and click “User Accounts.”
- Manage Your Credentials – On the left-hand side, select the “Manage your credentials” option. This page will allow you to view and edit any existing Windows credentials.
- Check Your Password Expiration Date – You’ll be able to view the expiration date of your current password.
2. Simple Steps to Checking When Your Windows Password Expires
Keeping your password safe is important for your online privacy, and your Windows set up should not be any different. But how do you know when your Windows password will expire? Here are a couple of simple steps you can take to figure it out:
- Step 1: Check your Password Settings. For most Windows computers, you can find password settings in the User Accounts. Head over to the Start Menu, and simply search for ‘User Accounts’. Once you open this page, you can go into Change Your Password and check your password expiration information there.
- Step 2: Pay Attention to Notification Pop-Up’s. When your password is about to expire, Windows will often give you a notification message, usually within a few weeks time.
Be sure to check your password settings often, as a precautionary measure, to stay on top of your Windows password expiration information. Catching yourself early by doing regular checks can help ensure your password gets changed before it expires.
3. Tips for Making Sure Your Password Doesn’t Expire Unnecessarily
Tip #1: Set an Alarm for Yourself. Setting an alarm for yourself as a reminder when your password is about to expire is an effective way to make sure it doesn’t appear too soon. It gives you more control over the time of expiration, so you can update your password before it expires. You can set the alarm for a few days or weeks before the expiration date, usually dependent on personal preference and system/organization policy.
Tip #2: Use Password Management Services. Password management services are a great way to store passwords and ensure the passwords you create or the ones provided by the system or organization don’t expire unnecessarily. Such services will store your passwords and create reminders when the expiration date is near. This means you won’t have to keep track of all the passwords, and will always be prepared for expiry.
4. Keep Your Windows Account Secure with Regular Password Checks
Having a secure Windows account with a strong and frequent password change is key for computer safety. To maximize protection, it’s important to make sure your password is properly updated on a regular basis. Here are some helpful tips for keeping your Windows account secure:
- Change Your Password Frequently: Change your Windows account password at least every three months. This helps minimize the risk of hackers guessing your password and accessing your account.
- Create a Complex Password: A combination of letters, numbers, and symbols is an optimal way to create an effective password. Adding capital letters helps increase complexity and make it even more difficult for hackers to guess.
- Disable Autofill: Disabling autofill for your Windows account can help eliminate the potential of unauthorized access. Autofill can sometimes fill in your username and password on unsecured websites, so it’s best to disable it on all of your accounts.
By following these simple steps, you can increase the safety of your Windows account. Frequently updating your password and disabling autofill can help protect your accounts and keep your data secure. Taking these steps can help you prevent hacker attacks and avoid costly security breaches.
Maximizing Network Security: The Role of Domain Controllers and Active Directory Users and Computers
A domain controller plays a crucial role in managing a network of users within an organization. User commands and actual users are key components in ensuring the smooth operation of a network, especially when it comes to managing user passwords and their expiration dates.
Active Directory Users and Computers is a tool commonly used for this purpose, offering features such as a user property admin center and default policy settings. Analyzers for password expiration help identify issues with passwords expiring, prompting users to update them before it’s too late. With the option for a 30-day free trial, businesses can test out the platform before committing to it.
Additionally, features like self-service password reset and single sign-on make password management more efficient for both IT administrators and users. The integration of cloud-based systems and compliance management tools further enhances security and control over user accounts and access rights. (Source: Microsoft Active Directory documentation)
Key Points for Checking Windows Password Expiration
| Step | Description |
|---|---|
| 1 | Access Control Panel and click on User Accounts |
| 2 | Manage your credentials to view password expiration date |
| 3 | Check password settings in User Accounts under Change Your Password |
| 4 | Set an alarm for password expiration reminder |
| 5 | Use password management services for password storage |
| 6 | Change password every three months for security |
| 7 | Create a complex password with letters, numbers, and symbols |
| 8 | Disable autofill for enhanced account security |
Q&A
Q: What is the easiest way to check when my Windows password will expire?
A: Checking when your Windows password will expire is easy! You can do it simply by going to the Control Panel, then clicking on User Accounts. From there, you can view your password expiration date.
Q: What is the importance of the command prompt in managing Active Directory password policies?
A: The command prompt is a powerful tool that can be used to manage various aspects of Active Directory, including password policies. By using commands like “net user” and “findstr /i password”, administrators can view and modify user password expiration dates, enforce password policies, and generate detailed password policy reports. (Source: Microsoft Docs)
Q: How can administrators automate password expiration notifications for domain users?
A: Administrators can set up task automation to generate password expiration notifications for domain users. By scheduling commands using tools like PowerShell, administrators can ensure that users receive timely reminders about their expiring passwords. (Source: SolarWinds)
Q: What are some key features of password management tools for Active Directory?
A: Password management tools for Active Directory offer features such as self-service password reset, single sign-on capabilities, and detailed password policy reports. These tools help organizations enforce meaningful password rotation policies and prevent common password issues. (Source: Lepide)
Q: How can businesses ensure efficient password policy enforcement options for their domain users?
A: Businesses can utilize tools like the SolarWinds Admin Bundle for Active Directory to enforce default password policies, customize password settings, and track password expiration dates. By implementing robust password management tools, businesses can strengthen their security posture and protect sensitive data. (Source: SolarWinds)
Q: What are some best practices for managing password expiration policies in Active Directory?
A: To effectively manage password expiration policies in Active Directory, administrators should regularly audit user password expiration dates, set up automated notifications for expiring passwords, and enforce strong password policies. By staying proactive and vigilant, organizations can mitigate the risk of security breaches related to weak passwords. (Source: Microsoft Docs)
Conclusion
If you are constantly forgetting to update your passwords, LogMeOnce Password Manager is a great solution. It is a FREE password manager that allows you to safely store and manage your Windows passwords so you never have to worry about when they expire. It also offers multi-layered authentication protecting your account from vulnerable threats, meaning you can rest easy knowing your passwords are secure. From logging in to your online bank account to creating a secure online shopping account, LogMeOnce allows you to manage your Windows password expiration with ease on one convenient user-friendly platform.
Create your FREE LogMeOnce account today and save time and money when it comes to managing your Windows password expiration for good! Manage your Windows password expiration with LogMeOnce today and receive the ultimate peace of mind when it comes to your online security.
Upgrade your password management system today and ensure the security of your user accounts. Take advantage of our 15-day free trial and experience the benefits of a comprehensive solution for managing password expiration dates, user accounts, access controls, and more.
Don’t wait until it’s too late – protect your business with our advanced features and flexible cross-device environment. Sign up now and stay one step ahead of security threats.
Shiva, with a Bachelor of Arts in English Language and Literature, is a multifaceted professional whose expertise spans across writing, teaching, and technology. Her academic background in English literature has not only honed her skills in communication and creative writing but also instilled in her a profound appreciation for the power of words.
If you are running an online business, passwords are essential for data privacy and security. Therefore, you should have a strong password policy for managing all passwords. It is also recommended to set a strict password expiration policy including, the minimum and maximum age, the minimum length of passwords, and complexity.
After setting up a password expiration policy, every user will have to change their passwords after a certain number of days. You can set the Minimum and Maximum age for every password that meets your organization’s needs.
It is always a good idea to keep track of all users and their expiration dates. So you can change each user’s password at regular intervals to prevent users from getting locked out.
This post will show you how to find the password expiration date for active directory users.
Find the Password Expiration Date for a Single User
The Windows command prompt is the simple and easiest way to find the password expiration date for a single user. You can use the net user command to display the password expiration date of the specified user.
For example, if you want to see the password expiration date of the user Vinay, run the following command on the Windows command prompt:
net user vinay /domain
You should see all important information including, last password, expiration date, access, group membership, and more.
If you want to display only password expiration dates, then you can use the find command to filter the output:
net user vinay /domain | find "Password expires"
This will only display the password expiration date as shown below:
Find the Password Expiration Date for All User
The net user command is only helpful to get the password expiration date for a single user. If you want to display the password expiration date of all active directory users, then the net user command can not help. In this case, you can use Powershell to find the password expiration date of all active directory users.
Open the Powershell window and run the following command:
get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires
You should see the password expiration date of all users on the following screen:
If you want to display the password expiration date with the password last set date, run the following command:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
You should see the following screen:
Find the Password Expiration Date for All Users with Powershell Script
This section will create a PowerShell script to display password expiration dates with the number of days until the password expires.
To create a PowerShell script, open the notepad and add the following code:
Import-Module ActiveDirectory
$MaxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days
$expiredDate = (Get-Date).addDays(-$MaxPwdAge)
#Set the number of days until you would like to begin notifing the users. -- Do Not Modify --
#Filters for all users who's password is within $date of expiration.
$ExpiredUsers = Get-ADUser -Filter {(PasswordLastSet -gt $expiredDate) -and (PasswordNeverExpires -eq $false) -and (Enabled -eq $true)} -Properties PasswordNeverExpires, PasswordLastSet, Mail | select samaccountname, PasswordLastSet, @{name = "DaysUntilExpired"; Expression = {$_.PasswordLastSet - $ExpiredDate | select -ExpandProperty Days}} | Sort-Object PasswordLastSet
$ExpiredUsers
Save the file as file.ps1 name.
Next, right-click on the file.ps1 file as shown below:
Next, click on the Edit button. This will open the file.ps1 file as shown below:
Next, click on the Green icon to run the script. If the script ran successfully, you should see the password expiration date of all users with the number of days until the password expires on the following screen:
Automated password management tools
Many systems administrators prefer time-saving automated password management tools instead of looking after passwords manually. These systems can help you formulate a password policy and then enforce it by interfacing with Active Directory for you.
ManageEngine ADSelfService Plus – FREE TRIAL
An example of such as system is ManageEngine ADSelfService Plus. As well as providing a guided password policy formation system, this tool will implement your password policy and also coordinate passwords across all of your business’s AD domain controllers. This makes creating a single sign-on environment very easy and you can strengthen security by implementing multi-factor authentication with this ManageEngine service.
Pros:
- Empowers users to change their own passwords – eliminating extra tickets
- Offers a variety of password policy enforcement options
- Supports multi-factor authentication
- Syncs passwords in real-time across the cloud and on-premises AD
Cons:
- Best suited for small to medium-sized helpdesk teams
The tool is available for installation on Windows Server and you can also add it to an AWS or Azure account through the marketplace. Try out the package with a 30-day free trial.
Conclusion
That’s it for now. The above guide explained how to find the password expiration date of the user in several ways. You can now choose your preferred method to get the user account password expiration date.
AD Password Expiration FAQs
Can you see user passwords in Active Directory?
Active Directory doesn’t allow anyone to see the passwords of accounts. Even if the account and its password were created by the Administrator, that person isn’t able to see the password within the Active Directory environment. If a user forgets a password, the only solution is to reset it, to a known value and then inform the user of that new value with a requirement to change it.
What is the password expiry duration for domain user PC login user?
The password expiration period is set in the security policy settings. The specific value to look for is Domain member: Maximum machine account password age. By default, this value is set to 30 days. The value can be set to any number from 1 to 999. You find this setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options. It is possible to remove the requirement by setting the policy for Domain member: Disable machine account password changes.
What happens when password expires in Active Directory?
When a user password expires in Active Directory, the account stays active – it doesn’t get locked. Instead, the next time the user logs in with the existing username and password, validation occurs, but the user is not allowed to move on and access the protected system until a password change notification is acted upon. Password duration can be altered. It is a factor in the Group Policy Management system and can be found in the Default Domain Policy for the domain. It is possible to define a password duration cycle of anywhere between 1 and 999 days. You can set up this value in the Active Directory Administration Center console. Go to the System section, click on Password Container Settings, and then click New and then Password Settings.
The Password Expiration Date is often one of the most common issues among Active Directory domain users.
Users have to deal with so many passwords at the same time that they often forget to reset them before they expire.
So, what happens when a password expires in Active Directory?
The account will not be locked, but the user will have to change the password before they can access domain resources.
To deal with these inconveniences, the users or, in most cases, the AD domain administrator can get the user account expiration date and other important details.
Let’s go through two distinct methods: getting the password expiration date of a single Active Directory user account and then also take a look at how to get an entire list of all users at once.
Here is our list of the best tools to manage Active Directory user accounts:
- SolarWinds Admin Bundle for AD – EDITOR’S CHOICE This package of three tools provides easy ways to check on accounts and clear out dead accounts or bulk upload new entries. This package is completely free to use and installs on Windows Server. Access 30-day free trial.
- ManageEngine ADSelfService Plus – FREE TRIAL Saves Help Desk technician time by letting users reset their own passwords and provides a channel to communicate notifications and password policy. Runs on Windows Server. Start a 30-day free trial.
- ManageEngine ADManager Plus – FREE TRIAL Offers unified Active Directory, Exchange and Office 365 password management, reporting, mailbox automation for IT technicians and administrators. Start a 30-day free trial.
- Lepide Auditor This tool automates account administration in AD and sends users reminders to change their account passwords. This is a cloud-based system.
Checking Password Expiration Date with the Net User command
A really easy way to tell when an AD user account password expires is to use the Net User command.
This command is part of the “net commands” that allows you to add, remove, or modify the user account on a computer.
To run “net user,” you need to open the command line interface “cmd” for Windows:
- Open the search bar and type “cmd” or press the “Windows logo + R” keys to open the Run utility, and type “cmd.”
On a command prompt, use the “net user” with the following additional parameters:
net user [username] [/DOMAIN] , where:
- [username]: Determines the name of the user account.
- /DOMAIN: Shows information on the user name account running on the particular domain controller.
- To learn more about the syntax of the command, you can use the “net user /?” command.
- The following screenshot shows an example.
With the command “net user test01 /domain,” we can see the password information for the user test01 for local domain TEST.local.
- Aside from only seeing the password expiration date, you can also see other handy information, such as when the last password was set, when the password can be changed, whether users can change the passwords and more.
List of all AD Users Passwords Expiration Dates with PowerShell
The “net user” command can only be helpful for a single user.
But to get the account and password details for all AD user accounts, you need to run a line of PowerShell code.
There is an Active Directory constructed attribute named “msDS-UserPasswordExpiryTimeComputed,” which can help you get the AD accounts and their password expiration time.
To start, make sure that you have the PowerShell ActiveDirectory module installed and running.
This module allows you to display valuable information stored in AD objects, which includes password settings, expiration date, last time changed, etc.
- Download, Install and Load the RSAT (Remote Server Administration Tools). If it is not already installed, you can follow Microsoft’s Tech guide.
- Make sure that the PowerShell feature is already running.
Press the “Windows logo + R” keys to open the Run utility, and type “Windows PowerShell”. - Using the attribute, “msDS-UserPasswordExpiryTimeComputed,” you can easily get the password expiration date for a single user, with:
Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed' - But this line of code will result in a human unreadable output, so you would need to add the following line to convert the results into a readable format.
{[datetime]::FromFileTime($_.”msDS-UserPasswordExpiryTimeComputed”)}
- Running the same attribute “msDS-UserPasswordExpiryTimeComputed,” with the right filter, you can get a list of Active Directory accounts and their password expiration times.
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
Source code from TechNet Microsoft.
Free Tools & Utilities
See also: Best Active Directory Monitoring Tools
Further reading: Windows PowerShell Commands Cheat Sheet
After you found the user password expiration dates, there are a couple of free tools that can help you manage all Active Directory user accounts and computers.
Our methodology for selecting a password expiration date management tool for AD
We reviewed the market for Active Directory management systems that can identify the expiration dates for accounts and analyzed options based on the following criteria:
- A fast scan of AD user accounts
- The option to search for a specific account
- An option to identify abandoned accounts
- Systems that notify users of expiring passwords
- A method to communicate password policies to users
- A free tool or a free trial that enables the service to be used for free for a time
- A system that will improve efficiency and save money
With these selection criteria in mind, we identified some key Active Directory utilities, which can be used in combination to create a tight user account password management system that avoids inactive accounts from accumulating.
Manage Users and Keep the AD domain clean
SolarWinds Admin Bundle for AD – 100% Free Download
The free SolarWinds Admin Bundle for Active Directory comes with three tools that help you manage AD accounts and computers.
Key features:
- A suite of tools designed for sysadmins
- Can highlight old accounts for removal
- Aids in auditing user account access
Feature Distinction
What makes SolarWinds Admin Bundle for AD stand out from its alternatives is its free suite of AD management tools designed to enhance AD environments.
Why do we recommend it?
We recommend SolarWinds Admin Bundle for its ability to manage AD accounts efficiently. If you are looking to maintain a clean and organized AD environment, this tool gives you valuable features to check on accounts, clear out dead accounts, and bulk upload new entries.
With this bundle, you can find and remove inactive user accounts and computers, and import users in bulk.
The bundle consists of the following tools:
- Inactive User Account Removal Find accounts that have never been logged in, used, or have been inactive for a long time. You can export the list and remove all inactive AD accounts.
- Inactive Computer Removal Find inactive computers, export the list, and remove them.
- Import Users in Bulk Create AD user accounts in bulk from a CSV or XLS file. You can also create AD accounts and Exchange Mailbox in bulk and simultaneously.
Who is it recommended for?
SolarWinds Admin Bundle for AD is suitable for sysadmins managing a small-to-medium number of AD accounts and computers.
Pros:
- A small suite of tools that add additional features to the default access control in AD
- Helps speed up routine access management tasks when on/offboarding users
- Is completely free – great for smaller environments
Cons:
- Larger networks may require more features
Download: This Tool is 100% FREE for LIFE from their website – We Suggest you download it today Here SolarWinds Admin Bundle for Active Directory and keep your AD domain clean.
EDITOR’S CHOICE
SolarWinds Admin Bundle for AD is our top pick for an AD account management tool because it is completely free to use but it has all the qualities of a system that is worth paying for. This system saves you a lot of time with your AD administration tasks because it can locate dead accounts both those for users and permissions entries for devices. There is also a handy account bulk upload tool in the package, which is one of the few AD uploaders that actually works the first time.
Download: Free Tool
Official Site: https://www.solarwinds.com/free-tools/active-directory-admin-tools-bundle
OS: Windows Server
ManageEngine ADSelfService Plus – FREE TRIAL
ManageEngine ADSelfService Plus offers users the opportunity to reset their own passwords.
Key features:
- Self-password reset portal for users
- Easy to deploy and scale
- Various password reset reminder options
Feature Distinction
What sets ADSelfService Plus apart from other AD management tools is its focus on self-service and multiple password policy enforcement options.
Why do we recommend it?
This tool is recommended as one of the best tools to manage Active Directory user accounts due to its emphasis on IT admin supervision. In addition, it has all the necessary features to manage passwords, including its self-service password reset portal, multi-factor authentication, and password reset reminders.
ManageEngine ADSelfService Plus creates an app portal for each user, based on information in AD. this access system can be delivered in Web format and as a mobile app.
Once the user signs in to the portal, access is granted to all authorized apps without needing to sign in again. The portal provides the opportunity to impose 2FA and it also delivers information on password policies and reasons for lockouts.
These features save a lot of time for support technicians by removing many Help Desk calls and automating credentials-related tasks.
Who is it recommended for?
ManageEngine ADSelfService Plus is recommended for businesses of all sizes, especially those with Help Desk, IT administrators, and technicians. The tool is a great option for those help desk teams looking to improve their password management.
Pros:
- Empowers users to change their own passwords – eliminating extra tickets
- Offers a variety of password policy enforcement options
- Supports multi-factor authentication
- Syncs passwords in real-time across the cloud and on-premises AD
Cons:
- Best suited for small to medium-sized helpdesk teams
You can assess this system for Windows Server with a 30-day free trial.
Download: https://www.manageengine.com/products/self-service-password/download.html
Start 30-day Free Trial!
Automating AD User Password Expiration Notification
ManageEngine ADManager Plus – FREE TRIAL
ManageEngine ADManager Plus provides a system of AD management automation through a series of templates and these include password reset and expiration management.
Key features:
- Supports both AD and Office 365
- Includes detailed password policy reports for auditing
- Offers various user account automation features
Why do we recommend it?
ManageEngine ADSelfService Plus is recommended as one of the best tools to manage Active Directory user accounts because of its exceptional customer service and technical support. In addition, this solution provides fantastic automation capabilities in AD management, including password reset and expiration management.
The ADManager Plus system provides a better interface for Active Directory management than the native AD administration screens. This system lets you synchronize the coordination of DCs for different products, such as network resources and cloud services, including Microsoft 365.
The tool lets you search through attributes of user accounts, such as password statuses and those searches can be automated and run by the software continuously. This creates an alert condition that will let you know when a password expires. You can also use automation to write records to compliance logs.
Pros:
- Unifies the management of several AD DCs
- Provides task automation and alerts
- Includes activity logging for compliance reporting
Cons:
- Not available as a SaaS package
Who is it recommended for?
This tool is recommended for businesses of varying sizes and industries, including retail, healthcare, government, and IT services. Specifically, ADSelfService Plus is well-suited for organizations looking for an efficient solution for AD management.
Download: Get a 30-day free trial of ADManager Plus.
Start 30-day Free Trial!
Lepide Auditor
Another recommended tool is Lepide Auditor. This tool comes with a handy feature that automatically reminds Active Directory users when their password is about to expire.
Key features:
- Automated account creation, removal, and modification
- Scales well as a cloud product
- Password reminder messaging management
Why do we recommend it?
Lepide Auditor is recommended for its user-friendly interface, ease of installation, and effectiveness in auditing IT administration. Its ability to efficiently capture and manage audit data makes it a valuable choice if your business is seeking robust AD management.
Lepide Auditor helps to automate password accounts management by getting the information directly from AD. It creates a report and notifying users via Email when their AD password expires.
Who is it recommended for?
Lepide Auditor is recommended for IT professionals and departments within mid-sized to large organizations. It is particularly useful in industries like IT services, manufacturing, and telecommunications, to help them stay on top of security measures and compliance.
Pros:
- A simple way to see last login, name and CN path of multiple accounts at once
- Can quickly create CSVs or HTML format reports
- A simple wizard makes it easy to set custom threshold-based alerts
Cons:
- Similar tools allow for more functionality like bulk password changes and unlocks
Download: Lepide Auditor offers a fully functional free trial for 15 days.
Conclusion
There are two simple methods to get Active Directory users password expiration date, the Net User command, and a PowerShell attribute:
- The Net User command method is used to get the password expiration date for a single user. For this method, you would also need to access the AD user account or have a user run it from their machine.
- The PowerShell command is more powerful and easier to run, as long as you have the PowerShell AD module installed, you can copy/paste the one-line code and get a full list of all the users with their expiration date.
There are also some tools like the free SolarWinds Admin Bundle for Active Directory which helps you keep your AD clean and automate user accounts creation.
The other useful tool is the commercial software Lepide Auditor, which can help you automate AD password expiration notifications.
Password Expiration FAQs
Can Active Directory send email when password expires?
Active Directory can be set up to notify users when their passwords are about to expire. However, this will appear as a system notification and only when the user logs in to the corporate network. It is possible to use a PowerShell script to detect upcoming expiration and generate an email to each user. However, there is no automated process for this action within Active Directory.
How do I generate password expiration for a user in Active Directory PowerShell?
Get a list of AD user accounts and their expiration dates with the following PowerShell script:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}