Find Password Expiration for Active Directory Users

Active Directory runs on Windows Server, so if you know how to run a few commands at the Windows Command Prompt, you can quickly get behind the scenes and run off a list of expiration dates for user accounts in AD. There are several straightforward commands that you can use and also a PowerShell routine.

After examining how to get this information yourself, we will also look at a couple of applicable third-party software packages that can give you information about account expiry dates in Active Directory.

About Password Expiration in Active Directory

Before looking at how to extract password expiration dates from Active Directory, it is worth clarifying what that date actually means. When the password expiration date is reached, the account isn’t blocked. Instead, the user is prompted to enter a new password at the next logon.

The password expiration date enforces password rotation policies, so it is not a bad thing. Users will still access their accounts, but they will just have to reset their passwords. Therefore, don’t panic if you see that many accounts have a password expiration date coming up – there is nothing that you need to do about it. Just let the users get prompted for a new password.

Looking for password expiration dates

To get a list of AD user password expiration dates, open a Command Prompt window. You can do this in several ways. One is to press the Windows key and R together, enter cmd in the Run box that appears, and then hit RETURN or click the OK button. You can also open the Command Prompt by entering Command in the Start menu search field and selecting Command Prompt from the results list.

You should use the net user utility to see the password expiration date for a user. The format of this command is:

NET USER
[username [password | *] [options]] [/DOMAIN]
username {password | *} /ADD [options] [/DOMAIN]
username [/DELETE] [/DOMAIN]
username [/TIMES:{times | ALL}]
username [/ACTIVE: {YES | NO}]

Here is an example run of this utility. In this case, the command fetches details about the user Test01 on the local domain.

The password expiration date is shown on the ninth line of the report on the user account and is labeled Password expires.

Use PowerShell to get a list of AD user account expiry dates

The net user command only returns the details of one user account. To extract a list of all account expiry dates, you will need to use PowerShell. Make sure that the supporting PowerShell AD module is available before running your search for user password expiry dates.

The Active Directory PowerShell Module is pre-installed on Windows Server. If you are running this search on Windows 10, you need to access the page about these PowerShell routines at Microsoft. You will also need to install the Remote Server Administration Tools for Windows 10.

Open a PowerShell window by pressing the Windows key and R together to get the Run box, entering powershell, and then hitting RETURN or clicking the OK button. Alternatively, you can enter powershell in the Start search field and select PowerShell from the results.

Get the password expiration date for one user with the PowerShell code:

(Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed).'msDS-UserPasswordExpiryTimeComputed'

You would need to enter a user ID in place of the token UserName shown in the code above. The value returned is a raw Windows file time (a 64-bit integer), not a readable date. To show the user name and a readable date, pipe the Get-ADUser object (without the property-access suffix) through Select-Object with a calculated property:

Select-Object Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Giving a total command of:

Get-ADUser -Identity UserName -Properties msDS-UserPasswordExpiryTimeComputed |
Select-Object Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

An alteration to this command will give you all enabled users registered within your Active Directory instance whose passwords are set to expire. Accounts flagged PasswordNeverExpires are excluded, which also avoids the sentinel value the attribute returns for such accounts.

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

This code will display the output on the screen. If you need the output in a file, just pipe the results of the command to Export-Csv or Out-File.
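The following script is an added example, not code from the original article. It extends the all-users command above by guarding the conversion of msDS-UserPasswordExpiryTimeComputed (the attribute can hold 0 or Int64.MaxValue when no expiry applies, and FromFileTime throws on the latter), computing days remaining, classifying each account, and writing the list to CSV. It assumes the ActiveDirectory module from RSAT is installed; the $DaysAhead and $OutFile values are local choices.

```powershell
# Added example (not from the original article). Requires the RSAT ActiveDirectory module.
param(
    [int]$DaysAhead = 14,                               # flag passwords expiring within this many days
    [string]$OutFile = "$env:TEMP\PasswordExpiry.csv"   # assumed output path, adjust as needed
)

Import-Module ActiveDirectory -ErrorAction Stop

# msDS-UserPasswordExpiryTimeComputed is a constructed attribute holding a Windows FILETIME.
# It is Int64.MaxValue when the password never expires and can be 0 when no expiry can be
# computed; [datetime]::FromFileTime throws on Int64.MaxValue, so check before converting.
function ConvertFrom-ExpiryFileTime {
    param([long]$FileTime)
    if ($FileTime -le 0 -or $FileTime -eq [long]::MaxValue) { return $null }
    return [datetime]::FromFileTime($FileTime)
}

$attr = 'msDS-UserPasswordExpiryTimeComputed'
$now  = Get-Date

$report = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
                     -Properties DisplayName, PasswordLastSet, $attr |
    ForEach-Object {
        $expires = ConvertFrom-ExpiryFileTime $_.$attr
        $days    = if ($expires) { [math]::Floor(($expires - $now).TotalDays) } else { $null }
        $status  = if ($null -eq $expires)       { 'NoExpiryComputed' }
                   elseif ($days -lt 0)          { 'Expired' }          # user will be forced to change it
                   elseif ($days -le $DaysAhead) { 'ExpiringSoon' }     # worth a reminder to the user
                   else                          { 'OK' }
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            DisplayName     = $_.DisplayName
            PasswordLastSet = $_.PasswordLastSet
            ExpiryDate      = $expires
            DaysRemaining   = $days
            Status          = $status
        }
    }

# Summary on screen, full list to a file for follow-up.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object DaysRemaining | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Report written to $OutFile"
```

Run it as a domain user with read access to the accounts in question; no AD changes are made.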

Utilities to get Active Directory user information

If you don’t want to create your code to get the expiration dates for AD users, you can install an Active Directory management tool instead. The password expiration date is one of the attributes that these utilities will give you.

What should you look for in an Active Directory management tool? 

We reviewed the market for tools that will get you the user password expiration dates from AD and analyzed the options based on the following criteria:

  • A system with a GUI interface that presents AD contents in an acceptable format
  • A service that can show a range of user account attributes
  • A manager that will show the user groups and user group membership from AD
  • An interface to update values in AD (nice to have)
  • A monitoring system that warns of replication errors
  • A free tool or a system that offers a free trial for a no-cost assessment
  • A paid tool that provides value for money or a free tool that is worth installing

Given that Active Directory is only available for Windows systems, we looked for packages to access Windows or Windows Server. In addition, systems that can access the Azure AD service were also of interest.

Here is our list of the four best tools to find password expiration for Active Directory users:

  1. SolarWinds Access Rights Manager (EDITOR’S CHOICE) A comprehensive Active Directory management system that is particularly essential for businesses that need to prove compliance with a data protection standard. Analyze permissions structures as well as administering them with this on-site software package for Windows Server.
  2. SolarWinds Permissions Analyzer for Active Directory (FREE TOOL) A free tool that creates search paths through all of the data held in your Active Directory implementations. This tool installs on Windows Server.
  3. Lepide Data Security Platform This cloud-based service offers a range of security enforcement tools, including the Password Manager, which is able to list and supervise password expiry dates for both on-site and cloud-located assets.
  4. ManageEngine ADManager Plus This tool acts as a front-end for Active Directory and enables you to plan and organize user account features. Available in free and paid editions and offered for download on Windows or as a cloud service.

You can read more about each of these options in the following sections.

1. SolarWinds Access Rights Manager (FREE TRIAL)


SolarWinds is the world’s leading system monitoring tools provider, so it is no surprise that we’ve put two systems from this software house on our list. The first of these, the Access Rights Manager, provides a complete view of all of your AD implementations.

The Access Rights Manager can monitor all AD instances in one dashboard. It allows you to analyze the access rights structure of your business and coordinate it across sites and applications. You can tighten up user groups and their rights through this system – that’s an essential task if you want to implement data loss prevention controls on sensitive data.

The system lets you search through user account data and discover factors such as password expiration dates. It also allows you to update values individually or in bulk.

The Access Rights Manager is your best choice if you need to reorganize your AD system and keep on top of user activity. However, this is a high-end system rather than a quick tool to extract user account expiration dates. In addition, the system can audit and report for data privacy standards compliance.

SolarWinds Access Rights Manager installs on Windows Server, and you can get it on a 30-day free trial.

Pros:

  • Complete visibility for multiple AD domains simultaneously
  • Analyzer for permissions structure
  • Search facility for specific fields
  • Compliance auditing and reporting
  • Installs on site

Cons:

  • Too big and expensive if you just want a quick search facility

EDITOR’S CHOICE

SolarWinds Access Rights Manager is our top pick for a user account management system because it offers system administrators full support to get control over Active Directory implementations. Access rights management lies at the core of your system security strategy. If you don’t have your permissions structure locked down, your system is vulnerable to intrusion and malware attacks. Audit and report for data privacy standards easily through the automated activity tracking systems in this package.

Get a 30-day free trial: https://www.solarwinds.com/access-rights-manager/registration

Operating system: Windows Server

2. SolarWinds Permissions Analyzer for Active Directory (FREE TOOL)


In contrast to the paid SolarWinds package on this list, the Permissions Analyzer for Active Directory is ideal for those who just want to get to specific values held in Active Directory. This utility provides a way to search through all accounts and device permissions to get critical information quickly.

An example of the type of query you might want to run in this helpful tool would be a list of user account expiration dates. Then, sort, group, and filter AD records to find compelling information in a hurry.

Pros:

  • Fast search utility
  • Useful for ad-hoc queries
  • Costs nothing

Cons:

  • No AD management features

The SolarWinds Permissions Analyzer for Active Directory runs on Windows Server, and you can download it for free.


3. Lepide Data Security Platform


Lepide Data Security Platform is a SaaS system that offers several security protection services and includes a Password Manager. This service can explore data in Active Directory and display single factors. One of those focuses is on password expiration dates.

The issue of password expiration dates in AD is not just one of knowing when users will be told to reset their passwords. For example, you might have taken over a system from an administrator who prioritized ease of management over security. In such a case, many, or even all, accounts in AD may have passwords that never expire. One way that is done is by setting expiry dates so far into the future that they never become an issue. Lepide helps you identify this error, and you can use the interface to adjust expiry dates so that they follow a meaningful password rotation policy.

Lepide Data Security Platform is resident in the cloud, and it can cover applications that are based in the cloud and services that you have operating on your site. Password management activity in Lepide Data Security Platform extends to databases and productivity suites and general system access.

Pros:

  • Covers access rights for a range of applications
  • Includes analyzers for password expiration dates
  • Offers a range of tools to manage user accounts

Cons:

  • It would be nice to have a longer free trial period.

You can access a 15-day free trial of Lepide Data Security Platform to assess its password management tools for yourself.

4. ManageEngine ADManager Plus


ManageEngine ADManager Plus gives you extra user account management and reporting functions that you just don’t get from the regular AD interface. This is an essential tool for those who need to comply with data privacy standards because it will audit your user accounts and generate all of the reports you need for compliance.

The tool unifies the management of account information for a typical Microsoft environment because it can control AD instances for Microsoft 365, SharePoint, Microsoft Exchange, and general system access domains. In addition, the tool includes account analysis functions that will spot abandoned accounts and show you password expiry dates.

This system offers a rules base for account creation, automatically imposing the access controls needed by any data privacy standard. You can set up a standard control policy and then roll that out to all of your domains and ensure that those standards create all future user accounts.

ManageEngine ADManager Plus installs on Windows and Windows Server, and it is also possible to add it as a service to your Azure or AWS account.

Pros:

  • Complete control over all AD instances
  • Standards compliance reporting
  • On-site and cloud deployment options

Cons:

  • It doesn’t cover any other access rights management systems apart from AD.

There is a Free version of the tool, which is limited to managing 100 objects in AD. The paid version is offered in two editions, which are available on a 30-day free trial.