How to Find Soon to Expire User Accounts in Active Directory

Not every expiring account in Active Directory needs attention, especially when you manage only users in a specific location. In this scenario, you can filter by Organizational Unit (OU) to ensure you stay informed about expiring accounts within your scope. This targeted approach helps streamline user management, offboarding, and security compliance while avoiding unnecessary queries.

Get soon-to-expire users in Active Directory from specific OU using ADUC

• Open the Active Directory Users and Computers (ADUC) console.
• Right click on the desired OU from the left pane and select Find.
• In the Find field, select Custom Search and navigate to the Advanced tab.
• Now, paste the previously generated LDAP query from PowerShell, and click Find Now.

This will list all AD user accounts set to expire in the selected OU and its nested OUs based on the specified criteria in the LDAP query.

View expiring AD user accounts in a specific OU using PowerShell

While the above ADUC console approach displays expiring user accounts in both the OU and its sub-OUs, the SearchScope parameter in PowerShell lets you filter results to just the parent OU.

$ExpiringDays = "<DesiredDays>"    
$time = (Get-Date).AddDays($ExpiringDays)  
$today = Get-Date 
Get-ADUser -SearchBase "<OUDistinguishedName>" -SearchScope OneLevel  -Filter {accountExpires -lt $time -and accountExpires -gt $today} -Properties * |
Select-Object Name, @{Name="ExpiryDate"; 
Expression={[datetime]::FromFileTime($_.accountExpires)} },WhenCreated, Manager |  
Format-Table –AutoSize 

If you're unsure about the OU’s distinguished name, use the cmdlet below to retrieve it.

Get-ADOrganizationalUnit -Filter "Name -eq '<OUName>'" | 
Select-Object DistinguishedName 

To ensure user accounts expire at a specific time, you can set expiration date in Active Directory using the ADUC console for a single user, or PowerShell for multiple users.

This is especially helpful when managing contractors or interns who have been added to a dedicated security group for resource access. In such cases, you can run the PowerShell script below to assign a common expiration date to all users within that group.

$DaysToExpire = 10 
$ExpiryDate = (Get-Date).AddDays($DaysToExpire) 
Get-ADGroupMember -Identity "<GroupName>" -Recursive | 
Where-Object { $_.ObjectClass -eq 'user'} | 
ForEach-Object { 
Set-ADUser -Identity $_ -AccountExpirationDate $ExpiryDate } 

You can run the ‘Get-ADGroup’ cmdlet to fetch the group name and then replace it with the ‘GroupName’ value in the above script.

• Navigate to the Active Directory Group and Member Details report and filter users based on their group using the Group Name filter.
• Select all the users, then click "More Actions" and choose "Set Account Expiry" to set the expiration date.

Unexpected user account expirations can disrupt work and burden IT teams with last-minute access requests. To avoid such situations, you can use PowerShell to send Active Directory account expiration email notification to specified admins. This proactive approach enables admins to either extend the account’s validity or allow it to expire and disable it accordingly.

Use the PowerShell script below to notify admins 10 days before user accounts expire by sending a predefined email notification.

You can replace the value of ‘$ExpiringDays’ with a different threshold based on your requirements.

$ExpiringDays = 10  
$Today = Get-Date  
$ExpirationDate = $Today.AddDays($ExpiringDays)  
$Credential= Get-Credential 

$ExpiringUsers = Get-ADUser -Filter 
 { 
   accountExpires -lt $ExpirationDate -and accountExpires -gt $Today -and Enabled -eq $true 
 } -Properties accountExpires, Enabled, Name 
foreach ($user in $ExpiringUsers) 
 {  
  $FormattedExpiryDate =[datetime]::FromFileTime($user.accountExpires).ToShortDateString()  
  $UserName= $user.Name 
  $subject = "Upcoming account expiration alert for $UserName"  
  $body =  @" 
    Hello Admin,<br> 
    This is a reminder that the Active Directory account of $UserName is scheduled to expire on $FormattedExpiryDate. 
    <br> 
    Please take the necessary action if this account needs to be extended or deactivated. 
    <br> 
    Thank you."@ 
  Send-MailMessage -To "<AdminEmailAddress>" -From "<NotificationEmailAddress>" -Subject $subject  -Body $body –BodyAsHtml -SmtpServer "<SMTPAddress>" -Port 587 -UseSsl -Credential $Credential
} 

Note: The ‘Send-MailMessage’ is considered obsolete as it doesn't support modern authentication or robust security standards. As a secure and up-to-date alternative, you can use the MailKit library , which offers better support for encryption, authentication, and modern protocols.

You can use Task Scheduler to run the script based on your desired frequency. However, it introduces challenges like script failures and credential issues, which may result in missed notifications and delays in operations.

With AdminDroid, you can easily create alerts for expiring Active Directory users and send notifications directly to the desired recipients without configuring SMTP.

You can use ‘Alerts Overview Dashboard’ in the AdminDroid portal to visualize and analyze all the account expiration alerts in Active Directory.

Once a user account expires in Active Directory, they can no longer log in. If the expiration is intentional, you can disable the account to minimize security risks. However, there are scenarios where extending the expiration date of the account may be necessary.

Once you've identified the expired users who need extended access, you can set a new expiration date using the Set-ADAccountExpiration PowerShell cmdlet. This will extend their access based on the value you specify.

Set-ADAccountExpiration –Identity  "<SamAccountName>" -DateTime "<ExpirationDate>" 

If an important admin’s account is expired unintentionally, you can just use the Clear-ADAccountExpiration cmdlet to set their expiration date to ‘Never Expires’.

Clear-ADAccountExpiration –Identity "<SamAccountName>"