In this guide, I’ll show you how to get the password expiration date for Active Directory User Accounts.

This is very easy to do.

I will provide a few examples that go over how to get this information for a single user and how to get the expiration date for all AD users.

Check it out.

Method 1: Using Net User command to Display User Expiration Date

This first method uses the net user command that is built into windows. This command is used to add, remove and make changes to user and computer accounts.

To determine when the password will expire for a single account open the command prompt and type the following command:

Net user USERNAME /domain

In the below screenshot is an example for the user mfoster.

In addition to displaying the password expires date it also provides other useful information such as password last set, when the password can be changed, if the account is active and so on.

That is it for method 1.

RECOMMENDED: SOLARWIND ADMIN BUNDLE (FREE TOOL)

This is a bundle of 3 FREE Tools for Active Directory.

  • Bulk import users tool
  • Inactive Computer Account Removal Tool
  • Inactive User Account Removal Tool

Simplify administration and keep Active Directory secure with this trio of FREE tools.

Download Your FREE Copy of SolarWinds Admin Bundle

Method 2: Using PowerShell To List All Users Password Expiration Date

To query user information with PowerShell you will need to have the AD module installed. If you have the RSAT tools loaded then you are good to go.

To find the date the password was last set, run this command.

get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

In the screenshot below you can see it returns all users, password last set date and if the password never expires.

To display the expiration date rather than the password last set date, use this command.

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Above command https://blogs.technet.microsoft.com/poshchap/2014/02/21/one-liner-get-a-list-of-ad-users-password-expiry-dates/and source:

To export any of the PowerShell results to a CSV just add | export-csv FILEPATH to the end.

I told you this was going to be easy. The PowerShell commands you can literally copy and past and they should work in your environment.  The Net User command just requires you to enter in an AD user account to query.

You Might Also Like…

Recommended Tool: SolarWinds Server & Application Monitor

This utility was designed to Monitor Active Directory and other critical services like DNS & DHCP. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial Here

50 Comments

  1. Mike on February 15, 2019 at 12:08 am

    So I have a separate OU users in a different user that I want to see when there password expires.
    Were would I make the change for this with in a domain tree?

  2. TrixM on April 3, 2019 at 3:45 am

    The second method is more accurate if you have Fine-grained Password Policies enabled in the domain.

    Net Use only shows the result from the Default Domain Policy.

    • Robert Allen on January 1, 2021 at 8:31 pm

      Good Tip. Thanks for the comment.

  3. Eugene on July 20, 2019 at 6:35 am

    Found your “Method two” very useful, thanks for publishing!

    • Robert Allen on July 20, 2019 at 6:22 pm

      Awesome ❗ ❗

  4. Goran on July 31, 2019 at 1:49 pm

    Nice tips! 🙂

  5. Veeramani Gopal on August 22, 2019 at 6:12 am

    How to get especially service account password expire date.

  6. Bill G on August 29, 2019 at 11:18 am

    EXCELLENT = Do you know how to filter by a date ?
    say passwordlastset > today-2

    • Richard Poole on March 25, 2020 at 11:50 am

      Add
      Sort-Object -property ExpiryDate

    • Adam Johnson on May 14, 2020 at 3:46 pm

      $dayb4yesterday = (get-date).AddDays(-2)
      get-aduser -filter {passwordlastset -gt $dayb4yesterday}

  7. Harvey Gee on December 10, 2019 at 3:51 pm

    Is there a field like Enabled that we can use to filter out this where this isn’t set for the user that shows up “12/31/1600 7:00:00 PM”.

    • Robert Allen on December 26, 2019 at 2:30 pm

      Yes use the below code to return just the enabled users

      get-aduser -filter {Enabled -eq $TRUE} -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

  8. Michele on January 24, 2020 at 12:38 pm

    Grazie!

  9. Genesis Wong on March 5, 2020 at 1:32 am

    Hi, how do I query if the password change was successful through powershell?
    thanks for this site by the way, it helped guide me quite alot! 🙂

  10. Gregor Y on March 10, 2020 at 8:34 pm

    Something useful from Method 1:

    $m=’Password expires’;($MyExp = net user $env:USERNAME /domain | %{if($_ -match $m){get-date ($_ -replace $m,”).trim()}});rv m;

  11. Suellen on April 2, 2020 at 2:21 pm

    Great! It was really helpfull!!

  12. Jim on April 3, 2020 at 2:53 pm

    Nice set of commands/scripts, very helpful!

    • Robert Allen on April 11, 2020 at 4:30 pm

      Thank Jim

  13. Nandha on April 23, 2020 at 11:20 am

    Timely help! Many thanks.

  14. Mark B on April 29, 2020 at 1:03 pm

    If there are multiple OU’s and you want to find the expiring passwords for a specific OU, how would you do that? I’m guessing with ‘-searhbase’, but not sure how. – Thanks

  15. wondering on May 1, 2020 at 3:32 pm

    how about specifying the user name in your step 2 query?

    • Robert Allen on January 1, 2021 at 8:07 pm

      Here is an example for a specific user

      get-aduser -Identity Alonso.Hall -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

  16. Sam on May 4, 2020 at 11:54 am

    Nice trick but how about to get user properties from different domain?

    • Robert Allen on November 7, 2020 at 10:53 pm

      Use the -server to specify the domain server instance

      Get-ADUser -Filter “Name -eq ‘ChewDavid'” -SearchBase “DC=AppNC” -Properties “mail” -Server lds.Fabrikam.com

  17. Ron on May 4, 2020 at 6:40 pm

    Method #1 is great. Thanks!!

  18. Chandru on May 6, 2020 at 12:33 am

    Hi

    I need Only OU level

    • Robert Allen on May 22, 2020 at 3:03 pm

      You can target an OU by using the -searchbase and the DN of the OU.

      Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"

      • Lucas Chalita on September 22, 2020 at 8:12 pm

        Hey robert should I put this command in the line with getaduser after the filter parameters?

        • Robert Allen on November 7, 2020 at 3:37 pm

          Hi Lucas,

          I’m not sure what you are asking.

  19. Chad Taylor on June 4, 2020 at 4:19 pm

    I seem to be having an issue using the -searchbase in the Method-2 above. I keep getting a message ” A parameter cannot be found that matches parameter name ‘SearchBase’. ” Is this possibly a location issue where I am not putting it in the correct location within the Method-2 command?

  20. Jaciel Diaz on July 15, 2020 at 3:35 pm

    In method 2, is there a way to get the expiring users in the next seven days?

    • Ambrose on September 9, 2020 at 6:07 pm

      I am looking for a way to do this as well. I am trying to compile a list of users and when their passwords will expire.

  21. Israel De Leon on July 15, 2020 at 7:15 pm

    Can you do this without using Get-ADUser?

  22. iq on July 29, 2020 at 1:54 pm

    I am using the following commandlet to get the list of last password set and then using a variable to get the value and add -365 to it, however this variable is not getting populated.
    I can see the commandlet work and output values but the variable I am using $PWdLastSet.passwordlastset is not getting any value, am I doing something wrong ?

    $PWdLastSet = get-aduser -filter * -properties passwordlastset, passwordneverexpires -SearchBase “OU=Service Accounts,OU=SG1,OU=AT,DC=wt,DC=ad,DC=cit,DC=cc” |ft Name, passwordlastset, Passwordneverexpires

    $expiredDate = $PWdLastSet.passwordlastset.addDays(-365)

  23. Ryan F. on August 3, 2020 at 5:26 pm

    Can you specify a specific user?

    • Robert Allen on September 20, 2020 at 1:39 pm

      Yes. just use -identity USERNAME. Here is an example

      get-aduser -identity robert.allen -properties passwordlastset, passwordneverexpires | select Name, passwordlastset, Passwordneverexpires

    • Ray on October 6, 2020 at 10:10 pm

      Get-ADUser Ryan

  24. S Karthik on October 4, 2020 at 9:02 am

    Thanks for sharing this, its helpful.
    Is it possible to trim the expiration date..? Just want the date, without time. if so, can you please help with that..?

  25. Pankaj Sharma on October 20, 2020 at 6:43 am

    Thanks for sharing this stuff. I have one question

    The expiry time it shows, in which time zone is it, central time ? or the time zone set on the server ?

    • Robert Allen on November 7, 2020 at 3:27 pm

      It’s pulling the time value from the user account on the server.

  26. seyf on November 12, 2020 at 6:14 pm

    Thanks for sharing 🙂
    Do you know how can i extend the password expiration date by 6 months for all users on AD ?

  27. Josh on November 12, 2020 at 7:27 pm

    I’m still having trouble getting it to sort by date. It’ll sort alphabetically when I do a sort-object, but expiry just puts them in a random order each time, even though the command runs. Any suggestions?

  28. ADUser on November 30, 2020 at 4:32 pm

    How do you get it to export? It keeps asking for inputobject in method 2 after adding Export-Csv -Path

  29. Rico on December 4, 2020 at 4:19 pm

    Is there a way to display the date in chronological order? I’m getting the expiration date report but not in order by date. Thank you in advance.

    • Robert Allen on December 12, 2020 at 3:10 pm

      Yes. Use the sort-object cmdlet.

      get-aduser -filter * -properties passwordlastset, passwordneverexpires | sort-object passwordlastset

  30. Gavo on January 1, 2021 at 7:17 pm

    Hi!
    How Can I get the Logon Name if I only have the display name?
    Thank you in advance.

    • Robert Allen on January 1, 2021 at 8:01 pm

      You can find the logon name in Active Directory Users and Computers.

  31. Vincent on January 11, 2021 at 10:01 pm

    Nice, trying to filter on “ExpiryDate” but can’t get that work.
    usecase: I want to generate a file of users which have a password experation 5, 4, 3, 2 or 1 day from now.

  32. Peder on February 4, 2021 at 10:04 am

    How is it possible to check expiracy for group of users. So instead of either all or just 1 user – i would like to check like user1, user 2 and user 3 – instead of have check one at a time

Leave a Comment