Password Expiration for Active Directory Users


Identifying when your users’ passwords will expire allows you to plan for when they do. This guide shows you several ways to find out when your Active Directory user passwords will expire, with and without AD password management tools.

Password expiration can be an inconvenience for both users and administrators, but there are two straightforward and accessible ways to discover when your AD user passwords will expire.

The first method relies upon Command Prompt and can be used either by an administrator or by the user themselves on their own device (so long as your users are allowed access to cmd). It involves a single command typed into cmd, and it returns the password expiration date for one user at a time.

The second method uses PowerShell to identify all of your users’ expiration dates in one definitive list. This is very useful if you want to take a complete account of when to expect your user passwords to expire. You’ll need to enter a relatively long script, but we’ve included the script details below.

Several AD password management solutions expand on your available options. These management systems can help you administrate your password expiration dates through a more streamlined and all-encompassed system. We’ve gone through a few so you can compare your options.

Net User CMD Command


The command prompt method is rapid and easy and relies only upon the fact that you have access to cmd. However, it will only generate the information for a single user at a time, meaning it’s beneficial for individual cases but slow if you need the data for multiple users.

Simply open up cmd and enter the following command:

net user [USERNAME] /domain

Where [USERNAME] is the specific user you want to find data for, and /domain runs the command against the domain controller rather than the local machine. This command returns various information regarding the user’s network credentials, including details regarding their password: when the password was last set, whether it expires, and when it will expire.


The ‘net user’ command in cmd is highly flexible and has many switches that you can append to modify a user’s network credentials.
For example, you can add the following:

net user [USERNAME] [/DOMAIN] /expires:[DATE / never]

You may either enter a specific [DATE] or simply enter ‘never’ to set the expiration date for the specified user manually. This can be very helpful if you want to unify the expiration date for a handful of users in a specific department, for example. Also, note that the date must be entered in the ‘mm/dd/yyyy’ US format to be recognized properly, otherwise you might end up with the incorrect dates assigned.

Step-by-Step

  1. Press the Windows key and type ‘cmd’, then press enter to open up Command Prompt.
  2. Type in the following command:
    net user [USERNAME] [/DOMAIN]
    Where [USERNAME] is the specific user you want to find data for, and [/DOMAIN] runs the command via the domain controller.
  3. Find the ‘Password expires’ result to identify the exact time and date.
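The cmd method above only ever reports on one account per command. As an added example that is not part of the original guide, the following PowerShell wrapper runs `net user <name> /domain` for a short list of accounts and pulls the ‘Password expires’ and ‘Account expires’ lines out of the text output, so the same single-user command can be used for a handful of users without retyping it. It assumes an English-language Windows installation (the labels `net user` prints are localized) and uses constructed sample usernames that you would replace with your own. It also surfaces the ‘Account expires’ field separately because that, not the password expiry, is what the `/expires:` switch changes; password expiry itself is governed by the domain password policy.

```powershell
# Added example (not the article's own code): query `net user <name> /domain` for
# several accounts and extract the two expiry fields from its text output.
# Assumptions: English-language Windows (field labels are localized), and a
# constructed list of sample usernames that you replace with your own.
$Users = @('jdoe', 'asmith')   # constructed sample names, not real accounts

function Get-NetUserExpiry {
    param([Parameter(Mandatory)][string]$UserName)

    # net.exe writes plain text; capture stdout and stderr line by line.
    $lines = & net.exe user $UserName /domain 2>&1
    if ($LASTEXITCODE -ne 0) {
        # Typical failures: user not found, or no domain controller reachable.
        return [pscustomobject]@{
            UserName        = $UserName
            PasswordExpires = $null
            AccountExpires  = $null
            Error           = (($lines | ForEach-Object { "$_" }) -join ' ').Trim()
        }
    }

    # Each field is "<label><whitespace><value>"; keep only the two expiry fields.
    $pw  = $null
    $acc = $null
    foreach ($line in $lines) {
        if ($line -match '^Password expires\s+(.+)$')     { $pw  = $Matches[1].Trim() }
        elseif ($line -match '^Account expires\s+(.+)$')  { $acc = $Matches[1].Trim() }
    }

    [pscustomobject]@{
        UserName        = $UserName
        PasswordExpires = $pw    # "Never" when the password is flagged not to expire
        AccountExpires  = $acc   # this is the field that `net user /expires:` sets
        Error           = $null
    }
}

$Users | ForEach-Object { Get-NetUserExpiry -UserName $_ } | Format-Table -AutoSize
```

Because it only wraps the same `net user` call, this scales to a department’s worth of accounts but still issues one round trip per user; for an entire domain the Get-ADUser approach in the next section is the better tool.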

PowerShell


If you want to identify the expiration date for multiple users at once, the best free method is through PowerShell. By taking advantage of PowerShell’s robust scripting interface, you can enter a script that generates a comprehensive list of all of your users’ password expiration dates. You can even export the data to a CSV file if you desire.

Before proceeding with this method, you’ll need to ensure that you have the PowerShell Active Directory module installed on your domain controller. If you have RSAT installed on your domain controller, you already have the PowerShell AD module.

The script you’ll need to enter is listed below:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}


More information about the above command can be found in the Get-ADUser documentation. But here’s a simplified breakdown of what the script does:

Get-ADUser

This queries Active Directory and returns the matching user accounts.

-Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False}

This filters the list so that it only includes enabled users whose passwords can expire.

-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed"

This asks for the two extra attributes the script needs; msDS-UserPasswordExpiryTimeComputed is a constructed attribute that holds the expiry time as a Windows FILETIME value, which is why it is converted with FromFileTime in the next stage.

Select-Object -Property […]

The second half of the script defines what to output and how it is formatted.

If you need some assistance with PowerShell, check out this PowerShell cheat sheet that can help you get to terms with some commonly used commands.

Exporting as CSV

You can export the data into a CSV file by appending the following command:

| export-csv [FILEPATH]

Export-Csv consumes the objects produced by the rest of the pipeline, so it must be the last stage, after the Select-Object section that defines the output. Your script will end up looking something like this:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} |
Export-Csv [FILEPATH]

Where the [FILEPATH] is the output destination for the CSV file.

Step-by-Step

  1. Ensure you have RSAT installed on your domain controller.
  2. Press the Windows key and type ‘powershell’, then press enter to open up PowerShell. If you want to export the list as a CSV, you might need to run PowerShell as an administrator.
  3. Enter the following script:
    Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
  4. This will generate a comprehensive list of all of your AD users and their password expiration dates.
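The one-liner in the breakdown and the CSV export section above work on a healthy domain, but msDS-UserPasswordExpiryTimeComputed is not always a date: it is 0 when the account is flagged ‘must change password at next logon’, and it is the largest 64-bit integer when no maximum password age applies, and [datetime]::FromFileTime throws on that second value, which aborts the whole pipeline. The following is an added example, not the guide’s own script, that serves both passages: it handles those two edge values explicitly, adds a days-remaining status so soon-to-expire accounts stand out, and writes the result to CSV as the last pipeline stage. The warning threshold and output path are assumptions you can change; it still requires the ActiveDirectory module and a reachable domain controller.

```powershell
# Added example (not the article's script): list enabled AD users whose passwords can
# expire, compute days remaining, flag those expiring soon, and export to CSV.
# Requires the ActiveDirectory module (RSAT). $WarnDays and $OutFile are assumptions.
Import-Module ActiveDirectory

$WarnDays = 14                                        # assumption: warn two weeks ahead
$OutFile  = Join-Path $env:TEMP 'PasswordExpiry.csv'  # assumption: output location

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties DisplayName, SamAccountName, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

$report = foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'

    # The constructed attribute is a FILETIME. Two values are sentinels, not dates:
    #   0                -> pwdLastSet is 0, i.e. "must change password at next logon"
    #   [long]::MaxValue -> no effective maximum password age, so it never expires
    # [datetime]::FromFileTime() throws on the second one, so handle both first.
    if ($null -eq $raw -or $raw -eq 0) {
        $expiry = $null
        $status = 'Must change at next logon'
    }
    elseif ($raw -ge [long]::MaxValue) {
        $expiry = $null
        $status = 'Never expires (no max age)'
    }
    else {
        $expiry   = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expiry - (Get-Date)).TotalDays)
        $status   = if ($daysLeft -lt 0)            { 'Expired' }
                    elseif ($daysLeft -le $WarnDays) { "Expires in $daysLeft day(s)" }
                    else                             { 'OK' }
    }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        DisplayName     = $u.DisplayName
        PasswordLastSet = $u.PasswordLastSet
        ExpiryDate      = $expiry
        Status          = $status
    }
}

# Export-Csv is the last stage of the pipeline; -NoTypeInformation drops the #TYPE header.
$report | Sort-Object ExpiryDate | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Console summary of the accounts that need attention soonest.
$report |
    Where-Object { $_.Status -notin @('OK', 'Never expires (no max age)') } |
    Sort-Object ExpiryDate |
    Format-Table SamAccountName, ExpiryDate, Status -AutoSize
```

Accounts that report ‘Never expires (no max age)’ despite PasswordNeverExpires being false are worth a second look: they usually indicate a fine-grained password policy, or a default domain policy, with a maximum age of 0, which is an easy gap to miss when you rely on the simpler one-liner.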

AD Password Management Solutions

If the above two methods aren’t enough for your network administration needs, you may want to investigate the various password management solutions available online. These programs typically help to navigate and report user data within your network and are very useful if you’re unfamiliar with systems such as PowerShell or more advanced cmd navigation.

We’ve covered a few of the meaningful solutions here. Your choice of solution will depend on your budget and scope. If you’re managing a medium to large-scale network, these might be worth investigating further.

Here is our list of the top AD Password Management solutions:

  1. ManageEngine ADSelfService Plus (FREE TRIAL) A single sign-on service that provides a user portal with a password reset function. Runs on Windows Server. Access 30-day free trial.
  2. ADManager Plus Web-based AD management solution that can provide password expiration user reports.
  3. Netwrix Password Expiration Notifier Freeware solution that can provide automated email reports to administrators on soon-to-expire passwords.
  4. Lepide Data Security Platform An enterprise-grade solution for fully-featured password expiration reporting that covers more than just an active directory.

The leading AD Password Management Solutions

We’ve broken down our analysis for you based on these key criteria:

  • Effectiveness in simplifying password management tasks.
  • User-friendly interface and self-service capabilities.
  • Security features, including two-factor authentication.
  • Flexibility in deployment options (on-premises, cloud-based).
  • Availability of free trials or free versions for initial evaluation.

1. ManageEngine ADSelfService Plus (FREE TRIAL)


ManageEngine ADSelfService Plus removes the need for your technicians to deal with user account password issues because it allows users to sort those tasks out themselves. You don’t need to worry about impending password expiration or lockouts due to poor password strength or repeated login attempts because the user portal does those things.

Key Features:

  • User self-service for password issues
  • Automated password expiration management
  • Integrated 2FA for secure access
  • Compatible with Windows Server and cloud platforms

Why do we recommend it?

We endorse ManageEngine ADSelfService Plus because it offers a user-friendly solution that empowers individuals to manage their passwords, reducing the IT department’s workload. Users can prevent password-related issues, such as expirations or lockouts, through the self-service portal, fostering a secure environment. The integrated two-factor authentication (2FA) enhances security and assists users in recovering locked accounts, a feature we found useful during our testing. ADSelfService Plus runs on Windows Server and cloud platforms, providing flexibility for various organizational needs.

The portal is a channel to communicate password policies and send notifications telling users to rotate passwords or giving reasons for a lockout. The ADSelfService Plus system includes a 2FA mechanism for user authentication. This allows users that have been locked out after excessive failed login attempts to regain access without the support of technicians. The second device in the 2FA allows the system to recognize that the request is from a genuine user and not a hacker trying credential combinations.

Who is it recommended for?

ManageEngine ADSelfService Plus is an ideal choice for organizations aiming to optimize IT operations and enhance security by allowing users to handle password issues independently. During our testing, we observed that this tool effectively reduces the IT team’s workload and ensures users can manage their passwords with ease. The inclusion of 2FA is especially valuable for organizations seeking additional security layers. With support for Windows Server and cloud hosting on platforms like AWS and Azure, it caters to a diverse range of businesses, making it a versatile solution.

Pros:

  • Empowers users with self-service password reset
  • Reduces IT team’s workload significantly
  • Enhances security with two-factor authentication
  • Offers flexible deployment on Windows Server or cloud
  • Includes a free edition for up to 50 user accounts

Cons:

  • Might be complex for smaller organizations with limited IT resources

ManageEngine ADSelfService Plus runs on Windows Server and can also be hosted as services on AWS or Azure. There is a Free edition for up to 50 user accounts. You can get a 30-day free trial of the full version.

EDITOR'S CHOICE

ManageEngine ADSelfService Plus is our top AD Password Management solution because it empowers users to handle their password issues independently. This reduces the burden on your technical team and enhances user experience. Its standout feature is the user portal that not only allows password resets but also enforces password policies effectively. The incorporation of a two-factor authentication mechanism adds an extra layer of security, ensuring that access requests are legitimate.

Notably, its compatibility with Windows Server and the option to host on platforms like AWS or Azure offers much-needed deployment flexibility. The availability of a free edition for up to 50 user accounts and a 30-day free trial of the full version makes it an attractive choice for organizations looking to explore its capabilities without immediate investment.

Official Site: https://www.manageengine.com/products/self-service-password/

OS: Windows Server, Cloud-based options available on AWS or Azure

2. ADManager Plus


ADManager Plus is a full-featured web-based active directory management solution that comes kitted with a wide variety of tools for managing your active directory. One of its main features is its comprehensive password management system.

Key Features:

  • Web-based AD management
  • Automated password control
  • Expiration user reports
  • Streamlined user interface

Why do we recommend it?

We recommend ADManager Plus for its comprehensive web-based active directory management tools, particularly its robust password management system. This solution simplifies password control and provides valuable reporting tools for identifying passwords that are about to expire. ADManager Plus streamlines this process, making it more user-friendly and efficient compared to manual PowerShell methods. During our own testing, we found it to be a professional and practical solution for managing a large number of network users.

The password management system includes features such as automated password control and reporting tools that can identify when soon-to-expire passwords will need to be changed. This effectively does the same as the PowerShell method listed above, but in a more streamlined and easy-to-use way.

Who is it recommended for?

ADManager Plus is a suitable choice for organizations that need an advanced and user-friendly active directory management solution. It’s particularly valuable for those with a substantial user base, where the management of user passwords can be challenging. Our testing confirmed its professional quality and efficiency in managing user passwords. By offering a free trial, ADManager Plus allows organizations to experience its benefits before committing to a full implementation.

Pros:

  • Offers a detailed password management system
  • Simplifies password expiration monitoring
  • Suitable for large-scale user management

Cons:

  • May be too complex for small-scale environments

Suppose you handle many users on your network and want a more professional solution instead of simple CSV exports via a PowerShell script. In that case, you may want to check out the free trial for ADManager Plus.

Step-by-Step

  1. Install and integrate ADManager Plus into your network.
  2. Open ADManager Plus, and select the ‘Reports Tab’.
  3. Click the ‘soon-to-expire user password’ report.
  4. Specify the domain and period, then click generate.

3. Netwrix Password Expiration Notifier


Netwrix provides a freeware solution that allows administrators to produce scheduled reports that summarise AD user passwords that are about to expire. This simple solution is a tad barebones but is a far more professional method than a simple script running via PowerShell.

Key Features:

  • Automated email reports
  • User expiration notifications
  • Free solution for password management

Why do we recommend it?

We recommend Netwrix Password Expiration Notifier as a practical solution for administrators seeking scheduled reports summarizing impending password expirations in Active Directory. This freeware offers a more professional approach than basic PowerShell scripts. Notably, it provides the valuable feature of automatic user notifications via email when their passwords are about to expire. Our own testing confirmed its utility and simplicity in managing password expirations.

One of the main features also allows you to set up user notifications that automatically alert your users via email when their passwords expire. This is very useful if you have many users and want to help them handle their password resets.

Who is it recommended for?

Netwrix Password Expiration Notifier is recommended for administrators dealing with a considerable number of users and wishing to streamline password expiration notifications. Our testing demonstrated its practicality and user-friendliness in this context. It’s a straightforward tool that serves its purpose well, despite having a basic interface. While there is a more advanced paid version available, the free version is a permanent and effective solution for managing password expirations in Active Directory.

Pros:

  • Simplifies password expiration notifications
  • Freeware, cost-effective for small businesses
  • Ideal for basic AD user password management

Cons:

  • Lacks the advanced features of more comprehensive tools

The software is on the older side, but the interface is basic enough for its purpose. The software can be downloaded entirely for free permanently. A more advanced paid-for version called the Netwrix Auditor for Active Directory also adds a few features such as monitoring for multiple domains/OUs.


Step-by-Step

  1. Install Netwrix Password Expiration Notifier in your network.
  2. Open the software, tick ‘send a report to administrators/managers’, and enter the email addresses of each individual you want to receive the report.
  3. Set the ‘list users whose accounts or passwords expire in X days or less’ depending on your preferences.
  4. Tick the ‘only report on users with expiring accounts’ to filter the list.
  5. Hit Generate, and you will send the report to the specified email addresses.

4. Lepide Data Security Platform


The Lepide Data Security Platform includes a very efficient password management suite that can allow you as an administrator to construct reports on password expiration dates. It can also automate password reminders to email your users when their passwords are due to expire.

Key Features:

  • Comprehensive password management
  • Supports multiple platforms
  • Modernized user interface
  • Enterprise-scale solution

Why do we recommend it?

Lepide Data Security Platform is recommended for its robust features, making it an ideal choice for enterprise-scale businesses. We recommend the tool for administrators looking for a comprehensive and modernized solution to manage password expiration in various platforms, including Active Directory, Office 365, Sharepoint, and AWS. This platform offers efficient password management with the ability to create reports on password expiration dates and automate reminders to users.

The Data Security Platform provides a more comprehensive and modernized alternative to all other options listed in this guide. If you’re looking for the most feature-complete method of controlling your user passwords, this is it. This guide focuses on active directory password expiration, but the Lepide solution expands on that to include Office 365, SharePoint, AWS, and various other platforms. It is the true enterprise solution to your password management options.

Who is it recommended for?

The Lepide Data Security Platform is recommended for network administrators working in enterprise-scale businesses who require a complete solution for password management across multiple platforms. While the free trial is available for evaluation, this platform is suitable for organizations seeking an enterprise-level solution to manage password expirations efficiently. Our testing verified its effectiveness in handling complex password management needs.

Pros:

  • Provides extensive password management features
  • Designed for enterprise-scale businesses
  • Offers modernized and efficient user experience

Cons:

  • May be overwhelming for small organizations or those with simpler needs

They have a free trial available for their software, and it might be worth investigating this solution if you’re a network administrator for an enterprise-scale business.

Step-by-Step

  1. Install the Data Security Platform and set up the proper service credentials.
  2. Open the Data Security Platform and select the third option from the left toolbar to select ‘user & entity behavior analytics’.
  3. Navigate to the domain and select ‘active directory reports’ for the list.
  4. Select ‘user password expiration reminder’ from the list, then select the ‘users with soon to expire password’ option.
  5. Specify the number of days at the top of the report, then select Generate Report.

In Summary

There are many ways to identify the password expiration date for your active directory users, and we covered the main ways in this guide.

The most straightforward solution is simply to use the command prompt, but it is not recommended if you need to identify the expiration date for more than a handful of users at a time.

For more users, you might consider using PowerShell or the Netwrix Password Expiration Notifier freeware solution, depending on your scope and familiarity with PowerShell’s comprehensive scripting tools.

If you’re handling administration for a large-scale business, you might want to investigate ADManager Plus to provide a more feature-filled solution. Alternatively, if you have the budget, and need to manage an enterprise-level network that spans password expiration in more than just an active directory, consider using the Lepide Data Security Platform.
