How to Get AD Users Password Expiration Date

In this guide, I’ll show you how to get the password expiration date for Active Directory User Accounts.

This is very easy to do.

I will provide a few examples that go over how to get this information for a single user and how to get the expiration date for all AD users.

Check it out.

Method 1: Using PowerShell to List All Users Password Expiration Date

To query user information with PowerShell you will need to have the AD module installed. If you have the RSAT tools loaded then you are good to go.

To find the date the password was last set, run this command.

get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

In the screenshot below you can see it returns all users, password last set date and if the password never expires.

To display the expiration date rather than the password last set date, use this command.

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

You should get similar results like the screenshot below.

To export any of the PowerShell results to a CSV just add | export-csv FILEPATH to the end.

I told you this was going to be easy. The PowerShell commands you can literally copy and past and they should work in your environment. 

Method 2: Using the AD Pro Toolkit

The AD Pro Toolkit includes several Active Directory Tools for reporting and exporting user accounts. It’s very easy to get the password expiration date with this tool. See the steps below.

Step 1. Click on the Users password expiration date report

Open the toolkit, click on reports and then click on the “Users password expiration date” report.

Step 2. Click Run to generate the report

You can choose to generate the report on all domain users or select an OU or group.

The user accounts and the password expiration date will be displayed in the results grid.

If you want to add or remove additional user attributes click the columns button. In this example, I added badPasswordTime, badPWdCount, and pwdLastSet to the report.

After running the tool I get a list of users and additional data from Active Directory if it exists.

Step 3. Export the report

If you want to export the report to CSV, XLSX or PDF click the export button.

Click here to download a free trial of the AD Pro Toolkit.

The toolkit’s Active Directory Reporting Software includes over 200 built-in reports on users, computers, groups, and more.

Method 3: Using the Net User command to Display Password expiresDate

This last method, uses the built in net user command to display a users password expires date. This is useful to quickly check the password expires date for a single domain user account.

Open the windows command prompt and type the command below.

Net user USERNAME /domain

In this example, I’ll use the account robert.allen.

In addition to displaying the password expires date it also provides other useful information such as password last set, when the password can be changed if the account is active, and so on.

Summary

I’ve worked as a System Administrator for years and I’ve never had the need to create a report on users password expiration date. With that said this article is one of the most popular tutorials on my website, so I guess there is a need for it. You should have no problem generating a password expiration date for all domain user accounts using one of the methods from this article.

I’d love to hear your feedback on the use case for this report. Do your computers not notify users the password will expire in x days?

Recommended Tool: Permissions Analyzer for Active Directory

Get instant visibility into user and group permissions in your Active Directory domain.

With Permissions Analyzer you can quickly view assigned and inherited permissions for any user or group.

Don’t let permission problems slow you down or put your data at risk. Get Permissions Analyzer for Active Directory today and take control of your permission management.

Download Free Tool

61 thoughts on “How to Get AD Users Password Expiration Date”

  1. So I have a separate OU users in a different user that I want to see when there password expires.
    Were would I make the change for this with in a domain tree?

    Reply
    • How do I get the expiration date for few users that I have in a csv format using method 2? I know the command mentioned in here will give me the list of all the users in my org.

      Reply
  2. The second method is more accurate if you have Fine-grained Password Policies enabled in the domain.

    Net Use only shows the result from the Default Domain Policy.

    Reply
    • Avatar photo

      Good Tip. Thanks for the comment.

      Reply
  3. Found your “Method two” very useful, thanks for publishing!

    Reply
    • Avatar photo

      Awesome ❗ ❗

      Reply
  4. Nice tips! 🙂

    Reply
  5. How to get especially service account password expire date.

    Reply
  6. EXCELLENT = Do you know how to filter by a date ?
    say passwordlastset > today-2

    Reply
    • Add
      Sort-Object -property ExpiryDate

      Reply
    • $dayb4yesterday = (get-date).AddDays(-2)
      get-aduser -filter {passwordlastset -gt $dayb4yesterday}

      Reply
  7. Is there a field like Enabled that we can use to filter out this where this isn’t set for the user that shows up “12/31/1600 7:00:00 PM”.

    Reply
    • Avatar photo

      Yes use the below code to return just the enabled users

      get-aduser -filter {Enabled -eq $TRUE} -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

      Reply
  8. Hi, how do I query if the password change was successful through powershell?
    thanks for this site by the way, it helped guide me quite alot! 🙂

    Reply
  9. Something useful from Method 1:

    $m=’Password expires’;($MyExp = net user $env:USERNAME /domain | %{if($_ -match $m){get-date ($_ -replace $m,”).trim()}});rv m;

    Reply
  10. Great! It was really helpfull!!

    Reply
  11. Nice set of commands/scripts, very helpful!

    Reply
    • Avatar photo

      Thank Jim

      Reply
  12. Timely help! Many thanks.

    Reply
  13. If there are multiple OU’s and you want to find the expiring passwords for a specific OU, how would you do that? I’m guessing with ‘-searhbase’, but not sure how. – Thanks

    Reply
  14. how about specifying the user name in your step 2 query?

    Reply
    • Avatar photo

      Here is an example for a specific user

      get-aduser -Identity Alonso.Hall -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

      Reply
  15. Nice trick but how about to get user properties from different domain?

    Reply
    • Avatar photo

      Use the -server to specify the domain server instance

      Get-ADUser -Filter “Name -eq ‘ChewDavid'” -SearchBase “DC=AppNC” -Properties “mail” -Server lds.Fabrikam.com

      Reply
  16. Method #1 is great. Thanks!!

    Reply
  17. Hi

    I need Only OU level

    Reply
    • Avatar photo

      You can target an OU by using the -searchbase and the DN of the OU.

      Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"

      Reply
      • Hey robert should I put this command in the line with getaduser after the filter parameters?

        Reply
        • Avatar photo

          Hi Lucas,

          I’m not sure what you are asking.

          Reply
          • He was just trying to ask you if the command was all on one line. 🙂

  18. I seem to be having an issue using the -searchbase in the Method-2 above. I keep getting a message ” A parameter cannot be found that matches parameter name ‘SearchBase’. ” Is this possibly a location issue where I am not putting it in the correct location within the Method-2 command?

    Reply
  19. In method 2, is there a way to get the expiring users in the next seven days?

    Reply
    • I am looking for a way to do this as well. I am trying to compile a list of users and when their passwords will expire.

      Reply
  20. Can you do this without using Get-ADUser?

    Reply
  21. I am using the following commandlet to get the list of last password set and then using a variable to get the value and add -365 to it, however this variable is not getting populated.
    I can see the commandlet work and output values but the variable I am using $PWdLastSet.passwordlastset is not getting any value, am I doing something wrong ?

    $PWdLastSet = get-aduser -filter * -properties passwordlastset, passwordneverexpires -SearchBase “OU=Service Accounts,OU=SG1,OU=AT,DC=wt,DC=ad,DC=cit,DC=cc” |ft Name, passwordlastset, Passwordneverexpires

    $expiredDate = $PWdLastSet.passwordlastset.addDays(-365)

    Reply
  22. Can you specify a specific user?

    Reply
    • Avatar photo

      Yes. just use -identity USERNAME. Here is an example

      get-aduser -identity robert.allen -properties passwordlastset, passwordneverexpires | select Name, passwordlastset, Passwordneverexpires

      Reply
    • Get-ADUser Ryan

      Reply
  23. Thanks for sharing this, its helpful.
    Is it possible to trim the expiration date..? Just want the date, without time. if so, can you please help with that..?

    Reply
  24. Thanks for sharing this stuff. I have one question

    The expiry time it shows, in which time zone is it, central time ? or the time zone set on the server ?

    Reply
    • Avatar photo

      It’s pulling the time value from the user account on the server.

      Reply
  25. Thanks for sharing 🙂
    Do you know how can i extend the password expiration date by 6 months for all users on AD ?

    Reply
  26. I’m still having trouble getting it to sort by date. It’ll sort alphabetically when I do a sort-object, but expiry just puts them in a random order each time, even though the command runs. Any suggestions?

    Reply
  27. How do you get it to export? It keeps asking for inputobject in method 2 after adding Export-Csv -Path

    Reply
  28. Is there a way to display the date in chronological order? I’m getting the expiration date report but not in order by date. Thank you in advance.

    Reply
    • Avatar photo

      Yes. Use the sort-object cmdlet.

      get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort-object passwordlastset

      Reply
  29. Hi!
    How Can I get the Logon Name if I only have the display name?
    Thank you in advance.

    Reply
    • Avatar photo

      You can find the logon name in Active Directory Users and Computers.

      Reply
  30. Nice, trying to filter on “ExpiryDate” but can’t get that work.
    usecase: I want to generate a file of users which have a password experation 5, 4, 3, 2 or 1 day from now.

    Reply
  31. It’s a nice script, but we have so many users that I like to do the following:

    -Filter to only show users with password expriring within 7 days from today (we have fine-grained password policies)
    -Output as JSON (on console)

    For me, that is quite hard to do, for you guys not I guess, can you show me how ?

    Reply
  32. How is it possible to check expiracy for group of users. So instead of either all or just 1 user – i would like to check like user1, user 2 and user 3 – instead of have check one at a time

    Reply
  33. İt worked for me Thank you for your work

    Reply
  34. Hi Robert,

    I want to reset passwordlast set date for a list of users. Any idea how I can achieve this?

    Thanks!

    Reply
    • Avatar photo

      I don’t think that is possible.

      Reply
  35. Hi Robert.
    Great script very helpful, I could not see if this question has been asked/answered already however, is there a way to target a AD group using method 1 to get a specific group such as Net user “group-name” /domain to pull a list of all users from that group with their password expiry dates?

    Kind regards

    Reply
  36. Is there any way in which we can ask users to reset the password. The AD is configured in the VM and LDAP is setup within the VM. We wanted to make it simple for the users by providing the link in email where one user can go and re-set the AD Password. Can you please provide the out of the box url or confirm if i need to write the code to the same.

    Reply
    • Avatar photo

      There is no out of the box URL for resetting passwords, you would need a 3rd party solution. On a windows computer, users can change their own password by using control-alt-delete and then selecting change password.

      Reply
  37. When I run Method #1 I get for most of the users null passworddlastset and Passworddneverexpires as it seems it doesn’t find the field in table {[datetime]::FromFileTime($_.”msDS-UserPasswordExpiryTimeComputed”)}
    or it will return date 01/01/01601
    but it does return an expiration date when running the Net User command
    Is there another field name we can query

    Reply
    • Avatar photo

      Double check your command syntax. In your comment the attributes are spelled wrong.

      get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

      Reply

Leave a Comment