Find Password Expiration for Active Directory User

by Lavanya Rath - Last Updated: November 15, 2021


Active Directory is one of the most popular ways to handle user-related activities within an organization, including adding new employees, authentication, streamlining access to apps, deletion of past employee records, modifying access, and more.

While handling these aspects of user management, administrators also run into recurring chores. Although these exist to add a layer of security or to streamline authentication, they still demand extra effort from the administrator.

One such issue is password expiration.

What is Password Expiration?

Users are prompted to change their passwords periodically, at an interval set by the organization's security policy. For example, some organizations may require users to change their passwords every 14 days, while others allow longer, say 90 days.

The rationale is that a regular change limits how long a compromised password remains useful to an attacker. Note, however, that current guidance such as NIST SP 800-63B and Microsoft's Windows security baseline no longer recommends forced periodic expiration on its own, favoring long passwords, screening against breached-password lists, multi-factor authentication, and a forced change when compromise is suspected. If your organization still enforces expiry, a reminder process keeps it from becoming a helpdesk burden.

How is Password Expiration Handled in Active Directory?

In Active Directory, the account will not be locked if a user’s password expires. Instead, the user will be prompted to change the password, and the new one must follow the password rules established by the organization based on its security policies.

Without changing the password, users will not be given access to the resources within the organization, thereby forcing them to effect the change.

The Default Domain Policy has two settings, Minimum password age and Maximum password age: the minimum number of days a user must keep a new password before changing it again, and the maximum number of days a password may be used before it expires. A common minimum is one day; the maximum is whatever the organization's security policy dictates (a value of 0 means passwords never expire). Since Windows Server 2008, fine-grained password policies (Password Settings Objects) can override these values for particular users or groups, so the domain default is not always the value that applies to a given account.
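As an added example (not from the original article), the following PowerShell shows where an account's effective minimum and maximum password age come from, and reconciles an expiry date computed by hand from that policy with the one the domain controller computes. It assumes the ActiveDirectory module that RSAT installs, a domain-joined session, and uses the placeholder account name jdoe.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (installed with RSAT) and a domain-joined session; 'jdoe' is a placeholder.
Import-Module ActiveDirectory

function Get-EffectivePasswordAge {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties pwdLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'

    # A fine-grained password policy (PSO) wins over the Default Domain Policy when one applies;
    # Get-ADUserResultantPasswordPolicy returns nothing when no PSO covers the user.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $user
    if ($pso) {
        $source = "PSO: $($pso.Name)"
        $minAge = $pso.MinPasswordAge
        $maxAge = $pso.MaxPasswordAge
    } else {
        $domainPolicy = Get-ADDefaultDomainPasswordPolicy
        $source = 'Default Domain Policy'
        $minAge = $domainPolicy.MinPasswordAge
        $maxAge = $domainPolicy.MaxPasswordAge
    }

    # pwdLastSet is a Windows FILETIME; 0 means "user must change password at next logon".
    $lastSet = if ($user.pwdLastSet -gt 0) { [datetime]::FromFileTime($user.pwdLastSet) } else { $null }

    # A MaxPasswordAge of zero (or the TimeSpan maximum) means the policy never expires passwords.
    $policyExpires = $maxAge -gt [timespan]::Zero -and $maxAge -lt [timespan]::MaxValue

    # Expiry computed by hand from the policy ...
    $byPolicy = if ($lastSet -and $policyExpires -and -not $user.PasswordNeverExpires) { $lastSet + $maxAge } else { $null }

    # ... and as the DC computes it. 0 and Int64.MaxValue are sentinels, not dates.
    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'
    $computed = if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) { [datetime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{
        User                 = $user.SamAccountName
        PolicySource         = $source
        MinPasswordAge       = $minAge
        MaxPasswordAge       = $maxAge
        PasswordLastSet      = $lastSet
        ChangeableFrom       = if ($lastSet) { $lastSet + $minAge } else { $null }
        ExpiresByPolicy      = $byPolicy
        ExpiresComputedByDC  = $computed
        PasswordNeverExpires = $user.PasswordNeverExpires
    }
}

Get-EffectivePasswordAge -Identity 'jdoe' | Format-List
```

If ExpiresByPolicy and ExpiresComputedByDC disagree, the usual cause is a PSO the script did not expect or the "Password never expires" flag on the account; the DC-computed value is the one logon enforcement uses.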

From a user’s standpoint, this can cause inconvenience. Imagine when a user is in a hurry and wants to access a vital resource; the last thing they would like is a password change!

To avoid such scenarios, some companies set up an automated process that informs users a day or a week (depending on the configuration) before the password expires, so they can change it at their convenience.

Identifying the Password Expiration Date for a Single User

The first step to informing users is knowing the password expiration date, and for a single account this is easy to find with the built-in Windows command net user. The same command can also add, remove, and modify user accounts and their access.

The command is:

net user username /domain

Besides the date the password expires, the output shows when the password was last set and when it can next be changed, whether the account is active, when the account itself expires, the user's group memberships, and the other details held for that user in the domain. The /domain switch sends the query to a domain controller; without it, net user reports on the local computer's account database.

You can use the following arguments and switches to get, or change, the required information.

  • username The account to display, add, modify, or delete
  • password or * Sets the password for the account; * prompts for it so it is neither echoed nor left in the shell history
  • /domain Performs the action against a domain controller rather than the local computer
  • /add Creates the account
  • /delete Removes the account
  • /active:{yes|no} Enables or disables the account
  • /comment:"text" Sets the account description
  • /countrycode:nnn Sets the country/region code used for the user's help and error messages (0 is the default)
  • /expires:{date|never} Sets when the account (not its password) expires; dates must be in mm/dd/yy or mm/dd/yyyy format
  • /fullname:"name" Sets the user's full name; enclose it in quotes
  • /homedir:pathname Sets the user's home directory path
  • /passwordchg:{yes|no} Specifies whether the user may change their own password
  • /passwordreq:{yes|no} Specifies whether the account must have a password

The image below gives a glimpse of how these options can be used.

Identifying the Password Expiration Date for all AD Users

In practice, you are more likely to need the password expiration dates of all AD users at once, or to write a script that collects that information and sends reminder emails accordingly.

There are several ways to get this information; for example, the RSAT tools, or the Active Directory PowerShell module that RSAT installs.

If you use PowerShell, this command returns the password expiration date for every enabled AD user whose password is subject to expiry.

Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

This command lists the password expiration date for those users, and you can pipe the output into a script for further processing. The msDS-UserPasswordExpiryTimeComputed attribute is constructed by the domain controller on request and already accounts for any fine-grained password policy that applies to the user. Two values need special handling: 0 means the user must change their password at next logon (FromFileTime turns it into 1 January 1601), and 9223372036854775807, the largest 64-bit value, means the effective policy never expires the password (FromFileTime throws on it). Alternatively, you can export the details to a CSV file with this snippet.

Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName", @{Name="ExpiryDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Export-Csv -Path FILEPATH -NoTypeInformation

Thus, this is how you find the password expiration dates for one or all users in your AD domain by hand and process them however you want.
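As an added example (not from the original article) that covers both the single-user lookup and the all-users query above, the following script collects every user whose password expires within a chosen number of days, skips the two sentinel values rather than turning them into bogus dates, exports the list to CSV, and optionally mails each user. It assumes the ActiveDirectory module from RSAT; the SMTP server, sender address, OU path, threshold and account name are placeholders.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (installed with RSAT) and a domain-joined session. The SMTP server,
# sender address, OU path, threshold and account name are placeholders.
Import-Module ActiveDirectory

function Get-ExpiringPasswords {
    param(
        [string]$Identity,          # one account (sAMAccountName, DN, GUID or SID); omit for all users
        [int]$WithinDays = 14,      # report passwords expiring within this many days
        [string]$SearchBase         # e.g. 'OU=Staff,DC=corp,DC=example' to scope the all-users query
    )

    $props = 'DisplayName', 'EmailAddress', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    if ($Identity) {
        $users = Get-ADUser -Identity $Identity -Properties $props
    } else {
        $query = @{
            Filter     = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
            Properties = $props
        }
        if ($SearchBase) { $query.SearchBase = $SearchBase }
        $users = Get-ADUser @query
    }

    $now = Get-Date
    foreach ($u in $users) {
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # Sentinels the DC returns instead of a date:
        #   0              -> user must change password at next logon
        #   Int64.MaxValue -> effective policy never expires the password
        if ($null -eq $raw -or $raw -le 0 -or $raw -eq [int64]::MaxValue) { continue }

        $expires  = [datetime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        if ($daysLeft -gt $WithinDays) { continue }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            DisplayName    = $u.DisplayName
            EmailAddress   = $u.EmailAddress
            ExpiryDate     = $expires
            DaysLeft       = $daysLeft      # negative: already expired
        }
    }
}

function Send-ExpiryReminders {
    param(
        [Parameter(ValueFromPipeline)][pscustomobject]$User,
        [string]$SmtpServer = 'smtp.corp.example',        # placeholder
        [string]$From       = 'it-helpdesk@corp.example', # placeholder
        [switch]$DryRun                                   # print instead of sending
    )
    process {
        if (-not $User.EmailAddress) {
            Write-Warning "No e-mail address on $($User.SamAccountName); skipping"
            return
        }
        $subject = if ($User.DaysLeft -lt 0) { 'Your domain password has expired' } else { "Your domain password expires in $($User.DaysLeft) day(s)" }
        $body = "Hello $($User.DisplayName),`n`n" +
                "Your password expires on $($User.ExpiryDate.ToString('yyyy-MM-dd HH:mm')). " +
                "Please change it before then (Ctrl+Alt+Del, then Change a password)."
        if ($DryRun) { Write-Host "[dry run] $($User.EmailAddress): $subject"; return }
        # Send-MailMessage is flagged obsolete by Microsoft but still ships with Windows PowerShell 5.1.
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $User.EmailAddress -Subject $subject -Body $body
    }
}

# Usage: everyone expiring within two weeks, saved to CSV and mailed (remove -DryRun to send)
$expiring = Get-ExpiringPasswords -WithinDays 14
$expiring | Export-Csv -Path .\password-expiry.csv -NoTypeInformation
$expiring | Send-ExpiryReminders -DryRun

# Usage: a single account, with the threshold set high enough to always show it
Get-ExpiringPasswords -Identity 'jdoe' -WithinDays 3650
```

Run this from a scheduled task under an account that only needs read access to the user objects; sending mail does not require any AD write permission, so there is no reason to run it as a domain administrator.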

Tools and Utilities

Though PowerShell commands are widely used, they are not the most intuitive way to get this information, and they are harder still for staff who are not comfortable at a command line.

The good news is there are alternatives in the form of third-party tools, so we’ll talk about some of the more popular ones to give you an idea of what they can do for you.

Here is our list of the best methods to find password expiration for Active Directory user:

  1. SolarWinds Admin Bundle for Active Directory – FREE TOOL This suite of tools is designed to help manage your Active Directory and its users through a well-designed user interface.
  2. Lepide Data Security Platform This tool has password management capabilities to send automated expiration reminders to users.
  3. ManageEngine’s Password Expiration Notifier Tool Helps you notify an unlimited number of users about password changes and account status.

Here’s a deep dive into these tools.

1. SolarWinds Admin Bundle for Active Directory – FREE TOOL


SolarWinds Admin Bundle for Active Directory is a suite of tools that help manage your Active Directory, including adding, modifying, and deleting users through a simple user interface.

It consists of three tools: the Inactive User Account Removal Tool, the Inactive Computer Account Removal Tool, and the User Import Tool.

Features

The features of SolarWinds Admin Bundle for Active Directory are:

  • Lists user accounts that have been inactive for a period you choose
  • Lists computer accounts that have been inactive for the same kind of period
  • Exports the selected accounts to a file for record-keeping before removal
  • Makes it easy to remove inactive users and computers
  • Imports users from a CSV file into AD, optionally creating an Exchange mailbox for each

Let’s now briefly talk about using each of the three tools.

Using the Inactive User Account Removal Tool

Here’s how to use this tool to find and remove inactive user accounts.

  • Open the tool, and on the dashboard (the default tab), you’ll find the Domain Controller, Username, and Password details.
  • Click the “Test Connection” button, and it will tell you if the details you entered passed the credentials test. If yes, click the “Next” button at the right-hand bottom.
  • The next page will display all the accounts that have been inactive for a specific period. You can set this period, or search for specific user accounts.
  • You can select the accounts you want to remove and click the “Remove” button at the bottom of the page.
  • If you want to export these details for reference, select the accounts and click the “Export” button at the bottom. In the pop-up, choose the fields you want to export and the file’s name and path. If the file you mentioned doesn’t exist, a new file is automatically created.

Using the Inactive Computer Account Removal Tool

The interface and workflow are the same as the user account removal tool’s, except that the list shows computer accounts rather than user accounts. Follow the same procedure to remove or export computer accounts.

Import Users and Enter Credential Information

As the name suggests, this tool allows you to import users.

  • On the default tab of the tool, you’ll see your credentials. Above it, you’ll see an option to import users from a CSV file that contains a user’s information such as username, email address, designation, phone number, or just about any other field you want to populate on your AD.
  • You can choose to create only an AD account, or an AD account and an Exchange mailbox. Click the “Next” button at the right-hand bottom.
  • On the next page, map the custom fields from your CSV file to the fields in your AD. You also can add custom fields to your AD to match the details you have on the file.
  • Click “Next,” and you’ll see a display of all the user accounts that you’re importing. You can make changes or even deselect the values. Once you’re happy with what you see, click the “Create” button at the right-hand bottom, and new users are added to your AD.

Thus, these are the three tools in the SolarWinds Admin Bundle for AD. As you can see, for these tasks it is quicker to use the bundle than to write custom scripts or work through commands in the command prompt or PowerShell console. Note that, as described above, the three tools handle account cleanup and user import; they do not themselves report password expiration dates.

Pricing: This tool is 100% FREE.

Download: Click here to download and start using this tool.


2. Lepide Data Security Platform


Lepide Data Security Platform is a comprehensive tool for streamlining access and managing passwords. It also provides comprehensive organization-wide insights and helps to stay on top of security vulnerabilities.

Features

The features of Lepide Data Security Platform are:

  • Reports on users whose passwords are set to never expire, so those exceptions can be reviewed and the exposure to insider or outsider attacks reduced
  • Automates the process of sending password reminders, so your IT team can focus on other areas of work
  • Sends follow-up notifications if users fail to change their password
  • Works well on cloud, on-prem, and hybrid environments
  • Generates comprehensive reports about any aspect of user management and passwords within seconds. The pre-defined templates of this tool quicken this process as well
  • These reports can be emailed to the concerned people or can be exported to a variety of formats
  • Audits changes and reports anomalies
  • Tracks the changes made to critical assets
  • Comes with hundreds of threat models designed to match a wide range of real-world threats, so they can be mitigated early
  • Spots excessive permissions to user accounts
  • Governs data access, including who has access to sensitive and classified data
  • Reduces false positives with its proximity scanning technology

Pricing: Click here to request a quote.

Download: Click here for a 15-day free trial.

3. ManageEngine’s Password Expiration Notifier Tool


The Password Expiration Notifier Tool from ManageEngine is a part of the ADSelfService Plus suite, and it sends automated notifications to users about password expiration and account status changes.

Features

The features of ManageEngine’s Password Expiration Notifier Tool are:

  • Sends notifications via email and SMS
  • Notifies users based on OUs and groups
  • Generates customizable email templates with attachment options
  • Admins can determine when notifications must be sent
  • Allows you to create a separate password policy for certain employees, especially those in the higher ranks
  • Notifies not just employees but also their managers for extra accountability
  • Generates reports related to password changes and account statuses.

Pricing: 100% FREE.

Download: Click here to download this tool.

Conclusion

To conclude, periodic password changes have long been considered good security practice because they limit how long a compromised password stays useful to an attacker, even though current guidance puts more weight on password strength, breach screening and multi-factor authentication. Where expiry is enforced, the implementation side can be arduous and cumbersome for network administrators.

While PowerShell commands help identify the password expiration for a single user or for all users in AD, they require technical expertise as well as a reasonable amount of time and effort.

An easier option is to use third-party tools: the SolarWinds Admin Bundle for Active Directory handles account cleanup and user import through an intuitive interface, while the Lepide Data Security Platform and ManageEngine’s Password Expiration Notifier automate the password reminders themselves.