Find Password Expiration complete for Active Directory Users


Identifying when your users' passwords will expire allows you to plan for when they do. This guide shows you several ways to find out when your Active Directory user passwords will expire.

Password expiration can be an inconvenience for both users and administrators, but there are two straightforward and accessible ways to discover when your AD user passwords will expire.

The first method relies upon Command Prompt and can be used by an administrator or even by the user themselves on their own device (so long as your users are allowed access to cmd). This method involves a simple command typed into cmd, and it returns the password expiration date for a single user.

The second method uses PowerShell to identify all of your users' expiration dates in one definitive list. This is very useful if you want a complete account of when to expect your user passwords to expire. You'll need to enter a relatively long script, but we've included the script details below.

Several AD password management solutions expand on your available options. These management systems can help you administrate your password expiration dates through a more streamlined and all-encompassed system. We’ve gone through a few so you can compare your options.

Netuser CMD Command


The command prompt method is rapid and easy and relies only upon the fact that you have access to cmd. However, it will only generate the information for a single user at a time, meaning it’s beneficial for individual cases but slow if you need the data for multiple users.

Simply open up cmd and enter the following command:

net user [USERNAME] /domain

Where [USERNAME] is the specific user you want to find data for, and /domain runs the command against the domain controller. This command returns various information regarding the user's network credentials, including details regarding their password: it shows when the password was last set, whether it expires, and when it will expire.

Netuser CMD Output

The ‘net user’ command in cmd is highly flexible and has many switches that you can append to modify a user’s network credentials.
For example, you can add the following:

net user [USERNAME] [/DOMAIN] /expires:[DATE / never]

You may either enter a specific [DATE] or simply enter ‘never’ to set the expiration date for the specified user manually. This can be very helpful if you want to unify the expiration date for a handful of users in a specific department, for example. Also, note that the date must be entered in the ‘mm/dd/yyyy’ US format to be recognized properly, otherwise you might end up with the incorrect dates assigned.

Step-by-Step

  1. Press the Windows key and type ‘cmd’, then press enter to open up Command Prompt.
  2. Type in the following command:
    net user [USERNAME] [/DOMAIN]
    Where [USERNAME] is the specific user you want to find data for, and [/DOMAIN] runs the command via the domain controller.
  3. Find the ‘Password expires’ result to identify the exact time and date.

PowerShell


If you want to identify the expiration date for multiple users at once, the best free method is through PowerShell. By taking advantage of PowerShell's robust scripting interface, you can enter a script that generates a comprehensive list of all of your users' password expiration dates. You can even export the data to a CSV file if you desire.

Before proceeding with this method, you’ll need to ensure that you have the PowerShell Active Directory module installed on your domain controller. For example, if you have RSAT installed on your domain controller, you already have the PowerShell AD module.

The script you’ll need to enter is listed below:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Powershell Get-ADUser Output

More information about the above command can be found here. But here’s a simplified breakdown of what the script does:

Get-ADUser

This simply generates a list of your Active Directory users.

-filter {Enabled -eq $True -and PasswordNeverExpires -eq $False}

This filters the list to ensure it only includes users whose passwords can expire.

-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed"

This defines the properties that are included in the list.

Select-Object -Property […]

The second half of the script defines what to output and how it is formatted.

If you need some assistance with PowerShell, check out this PowerShell cheat sheet, which can help you get to grips with some commonly used commands.

Exporting as CSV

You can export the data into a CSV file by appending the following command:

| export-csv [FILEPATH]

You'll need to add this to the end of the pipeline, after the Select-Object section that defines the details of the output, so that the formatted objects are what gets written to the file. Your script will end up looking something like this:

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-Csv [FILEPATH] -NoTypeInformation

Where the [FILEPATH] is the output destination for the CSV file.

Step-by-Step

  1. Ensure you have RSAT installed on your domain controller.
  2. Press the Windows key and type ‘powershell’, then press enter to open up PowerShell. If you want to export the list as a CSV, you might need to run PowerShell as an administrator.
  3. Enter the following script:
    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
  4. This will generate a comprehensive list of all of your AD users and their password expiration dates.
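As an added example that is not the article's own script, the following extends the PowerShell method to the report an administrator usually wants: enabled users whose passwords expire within a chosen number of days (or have already expired), with days remaining, sorted and exported to CSV. It also handles the two values of msDS-UserPasswordExpiryTimeComputed that the one-liner above does not: 0 (password never set or must change at next logon) and the Int64 maximum sentinel (no expiry applies), the latter of which makes [datetime]::FromFileTime throw. The CSV path and the 14-day window are assumed placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT / AD DS tools) is installed and run with rights to read users.
param(
    [int]$WithinDays = 14,                                   # assumed default window
    [string]$CsvPath = 'C:\Reports\expiring-passwords.csv'   # constructed placeholder path
)

Import-Module ActiveDirectory -ErrorAction Stop

$now      = Get-Date
$noExpiry = [long]::MaxValue   # sentinel returned when no maximum password age applies

$report = Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
    -Properties DisplayName, SamAccountName, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $noExpiry) {
            # 0 means the password was never set / must change at next logon;
            # MaxValue means the domain imposes no expiry. Neither is a real date,
            # and FromFileTime throws on MaxValue, so report them as blank instead.
            $expiry = $null
            $days   = $null
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            $days   = [math]::Floor(($expiry - $now).TotalDays)
        }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            DisplayName     = $_.DisplayName
            PasswordLastSet = $_.PasswordLastSet
            ExpiryDate      = $expiry
            DaysRemaining   = $days
        }
    }

# Keep already-expired accounts (negative DaysRemaining): they are the ones
# that generate lockouts and help-desk calls, so they belong at the top.
$soon = $report |
    Where-Object { $null -ne $_.DaysRemaining -and $_.DaysRemaining -le $WithinDays } |
    Sort-Object DaysRemaining

$soon | Format-Table -AutoSize
$soon | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
```

Users with a blank ExpiryDate are worth a second look, since they either have no maximum age applied by policy or have a password flagged for reset that has not yet been changed.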

AD Password Management Solutions

If the above two methods aren’t enough for your network administration needs, you may want to investigate the various password management solutions available online. These programs typically help to navigate and report user data within your network and are very useful if you’re unfamiliar with systems such as PowerShell or more advanced cmd navigation.

We’ve covered a few of the meaningful solutions here. Your choice of solution will depend on your budget and scope. If you’re managing a medium to large-scale network, these might be worth investigating further.

Here is our list of the three AD password management solutions:

  1. ADManager Plus: Web-based AD management solution that can provide password expiration user reports.
  2. Netwrix Password Expiration Notifier: Freeware solution that can provide automated email reports to administrators on soon-to-expire passwords.
  3. Lepide Data Security Platform: An enterprise-grade solution for fully-featured password expiration reporting that covers more than just Active Directory.

1. ADManager Plus


ADManager Plus is a full-featured web-based Active Directory management solution that comes kitted with a wide variety of tools for managing your Active Directory. One of its main features is the comprehensive password management system.

The password management system includes features such as automated password control and reporting tools that can identify when soon-to-expire passwords will need to be changed. This effectively does the same as the PowerShell method listed above, but in a more streamlined and easy-to-use way.

Suppose you handle many users on your network and want a more professional solution instead of simple CSV exports via a PowerShell script. In that case, you may want to check out the free trial for ADManager Plus.

Step-by-Step

  1. Install and integrate ADManager Plus into your network.
  2. Open ADManager Plus, and select the ‘Reports Tab’.
  3. Click the ‘soon-to-expire user password’ report.
  4. Specify the domain and period, then click generate.

2. Netwrix Password Expiration Notifier


Netwrix provides a freeware solution that allows administrators to produce scheduled reports that summarise AD user passwords that are about to expire. This simple solution is a tad barebones but is a far more professional method than a simple script running via PowerShell.

One of the main features also allows you to set up user notifications that automatically alert your users via email when their passwords expire. This is very useful if you have many users and want to help them handle their password resets.

The software is on the older side, but the interface is basic enough for its purpose. The software is free to download and use permanently. A more advanced paid-for version called Netwrix Auditor for Active Directory also adds a few features, such as monitoring for multiple domains/OUs.

Netwrix Password Setup

Step-by-Step

  1. Install Netwrix Password Expiration Notifier in your network.
  2. Open the software, tick ‘send a report to administrators/managers’, and enter the email addresses of each individual you want to receive the report.
  3. Set the ‘list users whose accounts or passwords expire in X days or less’ depending on your preferences.
  4. Tick the ‘only report on users with expiring accounts’ to filter the list.
  5. Hit Generate, and the report will be sent to the specified email addresses.

3. Lepide Data Security Platform


The Lepide Data Security Platform includes a very efficient password management suite that can allow you as an administrator to construct reports on password expiration dates. It can also automate password reminders to email your users when their passwords are due to expire.

The Data Security Platform provides a more comprehensive and modernized alternative to all the other options listed in this guide. If you're looking for the most feature-complete method of controlling your user passwords, this is it. This guide focuses on Active Directory password expiration, but the Lepide solution expands on that to include Office 365, SharePoint, AWS, and various other platforms. It is the true enterprise solution among your password management options.

They have a free trial available for their software, and it might be worth investigating this solution if you’re a network administrator for an enterprise-scale business.

Step-by-Step

  1. Install the Data Security Platform and set up the proper service credentials.
  2. Open the Data Security Platform and select the third option from the left toolbar to select ‘user & entity behavior analytics’.
  3. Navigate to the domain and select ‘active directory reports’ for the list.
  4. Select ‘user password expiration reminder’ from the list, then select the ‘users with soon to expire password’ option.
  5. Specify the number of days at the top of the report, then select Generate Report.

In Summary

There are many ways to identify the password expiration date for your active directory users, and we covered the main ways in this guide.

The most straightforward solution is simply to use the command prompt, but this is not recommended if you need to identify the expiration date for more than a handful of users at a time.

For more users, you might consider using PowerShell or the Netwrix Password Expiration Notifier freeware solution, depending on your scope and familiarity with PowerShell’s comprehensive scripting tools.

If you’re handling administration for a large-scale business, you might want to investigate ADManager Plus to provide a more feature-filled solution. Alternatively, if you have the budget, and need to manage an enterprise-level network that spans password expirations in more than just an active directory, consider using the Lepide Data Security Platform.
