How to Find Expired User Accounts in Active Directory

While finding expired accounts across the domain is essential, it is equally necessary to check specific OUs. Temporary staff, such as project-based staff or seasonal workers located in same OU, often have accounts with set expiration dates. If not reviewed, these accounts may expire unexpectedly and disrupt access. Regularly monitoring expired accounts in such OUs helps to ensure continuous access and a smooth transition for temporary users.

Find expired user accounts in a specific OU using ADUC

• In Active Directory Users and Computers (ADUC), select the Saved Queries that shows all the expired accounts.
• Right-click the query and choose Edit.
• In the Edit Query window, click Browse next to Query Root, select the required OU, and click OK to save OU in query root.
• Select OK again to save the query settings. Then, select the query and click Refresh ⟳ in tool bar to list all expired accounts from the chosen OU.

Identify expired AD user accounts in a specific OU using PowerShell

In ADUC, you must check each expired account individually to see the expiration date and enabled status. Meanwhile, PowerShell shows this for all accounts at once.

Run the following cmdlet after replacing <OUName> with OU name to get the expired accounts from that specific OU in Active Directory.

Search-ADAccount -UsersOnly -AccountExpired -SearchBase ((Get-ADOrganizationalUnit -Filter "Name -eq '<OUName>'").DistinguishedName) | Select-Object Name, SamAccountName, AccountExpirationDate, Enabled 

• With AdminDroid's Account Expired Users report, you can use the tree view to select the specific OU and instantly view all the expired accounts within it.
• Additionally, the chart view displays expired accounts by status, department, job title, and more.
• This feature allows for quick analysis and effective account management.

Consider a situation where the security team finds that several user accounts in Active Directory have passed their expiry date but are still enabled. In a purely on-premises environment, this might not seem critical. However, in a hybrid setup, it becomes a security risk because the account expiry attribute is not synchronized to Microsoft Entra ID. This means that even though the account has expired in on-prem AD, the user can still sign in to Microsoft 365 and access cloud resources without interruption.

To prevent unauthorized access, it is important to disable expired accounts in Active Directory, rather than relying solely on expiration, especially in a hybrid environment.

Steps to disable expired user accounts using ADUC

• Firstly, select the saved query you defined earlier in the Active Directory Users and Computers console to list all expired accounts.
• Next, choose specific user account(s) or select all expired user accounts in the list.
• Then, right click and choose Disable Account to disable the selected expired accounts in Active Directory.

Disable all expired Active Directory users using PowerShell

While the above method requires performing the steps manually through multiple navigations, PowerShell offers a more efficient way.

$ExpiredEnabledAccounts = Search-ADAccount -AccountExpired | Where-Object { $_.Enabled -eq $true }   
if (-not $ExpiredEnabledAccounts) { 
    Write-Host "No enabled accounts found that are expired." -ForegroundColor Cyan 
    return 
} 
foreach ($User in $ExpiredEnabledAccounts) { 
    $Account = $User.SamAccountName   
    do { 
        $Confirm = Read-Host "Do you want to disable the account for '$Account'? (Y/N)" 
        if ($Confirm -notmatch '^[YyNn]$') { 
            Write-Host "Invalid input. Please enter 'Y' to disable or 'N' to skip." -ForegroundColor Yellow 
        } 
    } while ($Confirm -notmatch '^[YyNn]$') 
    if ($Confirm -match '^[Yy]$') { 
        Disable-ADAccount -Identity $User 
        Write-Host "Account '$Account' has been successfully disabled." -ForegroundColor Green 
    } 
    else { 
        Write-Host "Action skipped for account: $Account" -ForegroundColor Red 
    } 
} 

The script checks which expired accounts are still active. For each account, it asks for your confirmation to disable it, and after you respond, it immediately displays that account’s updated status.

Organizations often maintain accounts for temporary staff, contractors, or seasonal workers in a specific OU with predefined expiry dates. When their employment period extends, administrators need to update these expiry dates to prevent premature account expiry. Modifying expiry dates in bulk for all users in an OU ensures uninterrupted access for active users and streamlines account management tasks.

Change user account expiry dates in a specific OU using ADUC

• In ADUC, navigate to the respective OU where you need to change the account expiration.
• Select all the user accounts, then right-click and choose Properties.
• Then, switch to Account tab, enable Account expires checkbox and select the End of: option.
• Choose the desired expiry date, then click Apply and OK to save the changes.

Update the account expiry dates for users in a specific OU using PowerShell

Execute the following cmdlet after replacing <OUName> with the respective OU name and <YYYY-MM-DD> with the desired expiration date for all users in that OU.

Get-ADUser -Filter * -SearchBase (Get-ADOrganizationalUnit -Filter "Name -eq '<OUName>'" | Select-Object -ExpandProperty DistinguishedName) | Set-ADAccountExpiration -DateTime (Get-Date -Date "<YYYY-MM-DD>") 

• Without switching to a different view, you can modify account expiration dates directly from the same Account Expired Users report.
• Select the OU, check the box next to the user’s display name.
• Then, choose the Set Account Expiry to update the expiration date or set it to Never Expires and save your changes.

When user account management is handled by multiple admins, expiry dates may be altered due to contract renewals or project extensions. Without proper tracking, this can lead to unauthorized access, non-compliance, lack of accountability, and security gaps in Active Directory. Therefore, admins need to monitor changes in account expiry to prevent operational disruptions.

Audit who modified the user account expiry dates using Event Viewer

Make sure to enable the Audit User Account Management policy in the GPMC and perform the steps below.

Note: You must review the Security logs on all domain controllers, as account modifications are recorded only on the domain controller that processed the change.

Detect users who changed account expiry dates in Active Directory using PowerShell

While the above method requires manually checking each event, PowerShell efficiently tracks who changed account expiry dates by querying security logs.

Run the following PowerShell cmdlet on a domain controller to view all events where the account expiry date was changed.

Get-WinEvent -FilterHashtable @{LogName = 'Security'; ID = 4738} |
Where-Object {
    $_.Message -match "Changed Attributes" -and
    $_.Message -match "Account Expires" -and
    $_.Message -notmatch "Account Expires:\s*-|Account Expires:\s*$"
} |
Select-Object `
    TimeCreated,
    @{Name = 'ChangedBy'; Expression = {
        ($_.Message -split "`n" | Where-Object { $_ -match "Account Name:" })[0] -replace '.*Account Name:\s*', ''
    }},
    @{Name = 'TargetAccount'; Expression = {
        ($_.Message -split "`n" | Where-Object { $_ -match "Account Name:" })[1] -replace '.*Account Name:\s*', ''
    }},
    @{Name = 'AccountExpires'; Expression = {
        ($_.Message -split "`n" | Where-Object { $_ -match "Account Expires" }) -replace '.*Account Expires:\s*', ''
    }},
    @{Name = 'Category'; Expression = { $_.TaskDisplayName }} |
Format-Table -Wrap -AutoSize

The output includes account expiration modifications that are recorded only on the domain controller where this command is executed. It displays details such as who made the change, the date and time of modification, targeted account, and the task category.

• With AdminDroid's Updated User Events report, you can easily find who have changed the account expiration dates by just applying Updated Attribute filter to Account-Expires.
• This report includes key details such as the time of update, the user whose account was changed, who made the change, the new expiration date, and more.
• Since AdminDroid can query all the selected domain controllers, you can track AD account expiry date changes without switching between domain controllers.