Skip to content

How to Get AD Users Password Expiration Date

By Robert Allen | July 6, 2018 |

In this guide, I’ll show you how to get the password expiration date for Active Directory User Accounts.

This is very easy to do.

I will provide a few examples that go over how to get this information for a single user and how to get the expiration date for all AD users.

Check it out.

Method 1: Using Net User command to Display User Expiration Date

This first method uses the net user command that is built into windows. This command is used to add, remove and make changes to user and computer accounts.

To determine when the password will expire for a single account open the command prompt and type the following command:

Net user USERNAME /domain

In the below screenshot is an example for the user mfoster.

In addition to displaying the password expires date it also provides other useful information such as password last set, when the password can be changed, if the account is active and so on.

That is it for method 1.

RECOMMENDED: SOLARWIND ADMIN BUNDLE (FREE TOOL)

This is a bundle of 3 FREE Tools for Active Directory.

  • Bulk import users tool
  • Inactive Computer Account Removal Tool
  • Inactive User Account Removal Tool

Simplify administration and keep Active Directory secure with this trio of FREE tools.

Download Your FREE Copy of SolarWinds Admin Bundle

Method 2: Using PowerShell To List All Users Password Expiration Date

To query user information with PowerShell you will need to have the AD module installed. If you have the RSAT tools loaded then you are good to go.

To find the date the password was last set, run this command.

get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

In the screenshot below you can see it returns all users, password last set date and if the password never expires.

To display the expiration date rather than the password last set date, use this command.

Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} –Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Above command https://blogs.technet.microsoft.com/poshchap/2014/02/21/one-liner-get-a-list-of-ad-users-password-expiry-dates/and source:

To export any of the PowerShell results to a CSV just add | export-csv FILEPATH to the end.

I told you this was going to be easy. The PowerShell commands you can literally copy and past and they should work in your environment.  The Net User command just requires you to enter in an AD user account to query.

Related: Find all Locked User Accounts

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor. 

Posted in Active Directory Domain Servers

4 Comments

  1. Eugene on July 20, 2019 at 6:35 am

    Found your “Method two” very useful, thanks for publishing!

    Reply
    • Robert Allen on July 20, 2019 at 6:22 pm

      Awesome ❗ ❗

      Reply
  2. Goran on July 31, 2019 at 1:49 pm

    Nice tips! 🙂

    Reply
  3. Bill G on August 29, 2019 at 11:18 am

    EXCELLENT = Do you know how to filter by a date ?
    say passwordlastset > today-2

    Reply

Leave a Comment