
How to Find Users Who Have Not Changed Passwords Recently in Active Directory

Many Active Directory users keep the same password for years out of forgetfulness or convenience. The longer a password stays in use, the more opportunities it has to be phished, reused on a third-party site that is later breached, or captured in a credential dump, and a leaked copy stays valid for as long as the password is not changed. In this guide, we show how to identify Active Directory users with outdated passwords so you can rotate them and keep basic security hygiene in place.

Track Active Directory Users with Unchanged Passwords in ADUC

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege). Reading pwdLastSet itself needs no special rights; any authenticated domain user can query it by default, so the search can be run from a low-privileged account and only the remediation steps later in this guide need the groups above.
  • Open the Active Directory Users and Computers console, right-click Saved Queries in the left pane and select New»Query.
  • Enter a name and an optional description. Select the Include subcontainers checkbox so users in nested OUs are included, and click Define Query.
  • Select Custom Search from the Find drop-down menu, then switch to the Advanced tab.
  • Paste the LDAP query below after replacing <FileTime> with the cutoff date expressed as a Windows file time (100-nanosecond intervals since 1 January 1601 UTC, which is how pwdLastSet is stored).
    (&(objectClass=user)(objectCategory=person)(pwdLastSet<=<FileTime>))
  • To get the file time for 90 days ago, run the following in Windows PowerShell and copy the number it prints.
     ((Get-Date).AddDays(-90)).ToFileTimeUtc()
  • Click OK to save the query, then click OK again to close the configuration window.
  • Select the new query under Saved Queries to list all Active Directory users whose password has not changed in the last 90 days. Note that this filter also matches disabled accounts and accounts whose pwdLastSet is 0 (the value written when "User must change password at next logon" is ticked), so review those rows separately rather than treating them as 90-day-old passwords.
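The filter above can be generated and run from PowerShell instead of typed by hand. The following is an added example, not code from the original article: it builds the same saved-query filter for a chosen age, adds the two clauses that the ADUC query lacks (excluding disabled accounts via the LDAP bitwise-AND matching rule on userAccountControl, and excluding accounts whose pwdLastSet is 0), and evaluates it server-side with Get-ADUser -LDAPFilter. The OU distinguished name is an assumption; replace it with your own.

```powershell
# Added example (not from the original article). Builds the ADUC saved-query LDAP filter
# for a given password age, hardens it against the two false-positive classes noted above,
# and runs it with the Active Directory module.
Import-Module ActiveDirectory

function New-StalePasswordLdapFilter {
    param(
        [int]$MaxAgeDays = 90,
        [switch]$IncludeDisabled
    )
    # pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC),
    # so the cutoff date has to be expressed in the same units.
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays).ToFileTimeUtc()

    $clauses = @(
        '(objectClass=user)'
        '(objectCategory=person)'          # users only; computer objects are also objectClass=user
        "(pwdLastSet<=$cutoff)"
        '(!(pwdLastSet=0))'                # 0 = "must change at next logon", not an old password
    )
    if (-not $IncludeDisabled) {
        # userAccountControl bit 0x2 = ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND
        $clauses += '(!(userAccountControl:1.2.840.113556.1.4.803:=2))'
    }
    return '(&' + ($clauses -join '') + ')'
}

$filter = New-StalePasswordLdapFilter -MaxAgeDays 90
Write-Host "LDAP filter for the ADUC saved query:`n$filter"

# Same filter evaluated by the domain controller; the SearchBase OU is an assumption for this example
Get-ADUser -LDAPFilter $filter -Properties pwdLastSet -SearchBase 'OU=Staff,DC=contoso,DC=com' |
    Select-Object SamAccountName,
        @{ n = 'LastPasswordSet'; e = { [datetime]::FromFileTimeUtc($_.pwdLastSet) } } |
    Sort-Object LastPasswordSet
```

The printed filter can be pasted straight into the Advanced tab of the saved query; the extra two clauses are valid there as well, since ADUC passes the string to LDAP unchanged.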

Find Users with Old Passwords in AD Using PowerShell

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).
  • The ADUC query only lists users with old passwords; it does not show how old each password is or when it was last set. PowerShell returns that detail directly, including the exact last password set date.
  • If you are running the cmdlet from a machine that is not a domain controller, make sure the Active Directory PowerShell module is installed and imported first.
  • Run the following Windows PowerShell script to retrieve all enabled Active Directory users whose passwords have not been changed in the last 90 days.
     # Cutoff date; pwdLastSet is a Windows file time, so it is converted with FromFileTime
     $cutoff = (Get-Date).AddDays(-90)
     # Filter on Enabled server-side so disabled accounts never leave the domain controller
     Get-ADUser -Filter 'Enabled -eq $true' -Properties pwdLastSet, PasswordNeverExpires |
         Where-Object {
             # pwdLastSet = 0 means "must change password at next logon", not a 90-day-old password
             $_.pwdLastSet -ne 0 -and
             ([datetime]::FromFileTime($_.pwdLastSet) -lt $cutoff)
         } |
         Select-Object Name, SamAccountName, PasswordNeverExpires,
             @{ Name = 'LastPasswordSet'; Expression = { [datetime]::FromFileTime($_.pwdLastSet) } },
             @{ Name = 'PasswordAge';     Expression = { "$(((Get-Date) - [datetime]::FromFileTime($_.pwdLastSet)).Days) days ago" } }
  • The output lists enabled user accounts with passwords older than 90 days, with their name, SAM account name, whether the password is set to never expire, the last password change date and the password age. Accounts with PasswordNeverExpires set still appear because pwdLastSet is not affected by that flag; they are exactly the accounts a 90-day maximum age policy will not touch.
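A fixed 90-day cutoff is only right when every user is under the same policy. Where fine-grained password policies are in use, each account has its own resultant policy, and the directory already computes the real expiry date in msDS-UserPasswordExpiryTimeComputed. The following is an added example, not code from the original article: it classifies each enabled user as Current, Stale (older than that user's own MaxPasswordAge), NeverExpires or ChangeRequiredAtNextLogon, and exports the result to CSV. The OU distinguished name, the CSV path and the 90-day fallback used when a policy has MaxPasswordAge 0 are assumptions of this example.

```powershell
# Added example (not from the original article). Policy-aware password-age report:
# uses each user's resultant password policy (domain default or FGPP) as the cutoff,
# separates "change required at next logon" from genuinely stale passwords, and
# reads the directory-computed expiry time instead of recalculating it.
Import-Module ActiveDirectory

function Get-PasswordAgeReport {
    param(
        [string]$SearchBase,             # assumed OU distinguished name; omit for the whole domain
        [int]$FallbackMaxAgeDays = 90    # used only when the applicable policy has MaxPasswordAge = 0
    )
    $params = @{
        Filter     = 'Enabled -eq $true'   # server-side; disabled accounts are out of scope
        Properties = 'pwdLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($u in Get-ADUser @params) {
        # Returns $null when no fine-grained policy applies, so fall back to the domain default
        $policy = Get-ADUserResultantPasswordPolicy -Identity $u
        if ($null -eq $policy) { $policy = Get-ADDefaultDomainPasswordPolicy }
        $maxAge = $policy.MaxPasswordAge
        if ($maxAge -le [TimeSpan]::Zero) { $maxAge = [TimeSpan]::FromDays($FallbackMaxAgeDays) }

        if ($u.pwdLastSet -eq 0) {
            $state = 'ChangeRequiredAtNextLogon'; $lastSet = $null; $ageDays = $null
        } else {
            $lastSet = [datetime]::FromFileTime($u.pwdLastSet)
            $ageDays = [int]((Get-Date) - $lastSet).TotalDays
            $state = if ($u.PasswordNeverExpires)                  { 'NeverExpires' }
                     elseif ($lastSet -lt (Get-Date).Subtract($maxAge)) { 'Stale' }
                     else                                          { 'Current' }
        }

        # Directory-computed expiry: [long]::MaxValue means "never", 0 means a change is pending
        $expiry = $u.'msDS-UserPasswordExpiryTimeComputed'
        $expiresOn = if ($expiry -gt 0 -and $expiry -ne [long]::MaxValue) { [datetime]::FromFileTime($expiry) } else { $null }

        [pscustomobject]@{
            SamAccountName   = $u.SamAccountName
            State            = $state
            LastPasswordSet  = $lastSet
            PasswordAgeDays  = $ageDays
            PolicyMaxAgeDays = [int]$maxAge.TotalDays
            ExpiresOn        = $expiresOn
        }
    }
}

$report = Get-PasswordAgeReport -SearchBase 'OU=Staff,DC=contoso,DC=com'
# Everything that is not Current needs a decision: rotate, review the never-expires flag, or confirm the pending change
$report | Where-Object { $_.State -ne 'Current' } | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path .\PasswordAgeReport.csv -NoTypeInformation
```

Get-ADUserResultantPasswordPolicy makes one extra directory call per user, so on a large domain run it per OU or cache the result per FGPP subject group rather than against the whole forest at once.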

Gain Actionable Insights into Users with Unchanged Passwords

AdminDroid’s Active Directory reporting tool provides complete visibility into unchanged passwords, expired credentials, recent password activity, and more. Through its intuitive dashboards and detailed reports, admins can get instant insights into user passwords to strengthen security and simplify compliance management without extra effort.

Visualize Password Details with the Active Directory Password Dashboard

Use the Active Directory password dashboard to see unchanged, expired and soon-to-expire passwords at a glance, so you can alert users proactively and reduce helpdesk tickets.

Identify Admin Accounts with Outdated Credentials to Avoid Security Risks

Find admin accounts with old passwords to minimize attack surfaces, enforce stronger policies, and ensure privileged access remains secure.

Track Active Directory Users with Never-Expiring Passwords to Prevent Misuse

Identify users with never-expiring passwords to reduce the risk of attacks like credential stuffing, brute-force attempts, and insider misuse.

Monitor Active Directory Computers with Unchanged Passwords

View computers whose machine account password has not changed in the past 90 days (domain members normally rotate it every 30 days) to spot stale or orphaned machines and broken trust relationships before they cause authentication failures.

Identify Users with Bad Password Attempts to Prevent Account Lockouts

List Active Directory users with bad password attempts to detect possible login issues and assist users in resolving authentication problems smoothly without account lockouts.

Get Notified to Reset the KRBTGT Account Password in Active Directory

Get reminders from the KRBTGT password reset reminder agent so the krbtgt password is changed on schedule, limiting how long a stolen krbtgt hash, and any Golden Tickets forged with it, remain usable.

Overall, AdminDroid helps you stay ahead of password risks in Active Directory by tracking unchanged passwords. It highlights accounts that need updates and offers management actions such as password reset, update user properties, and more to mitigate potential security breaches and insider threats.


Important tips

Apply fine grained password policies (FGPP) to enforce role-based password complexity and scheduled rotation to keep passwords up to date while balancing security with usability.
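As an added example that is not part of the original article, the script below shows what the FGPP tip looks like in practice: it creates a password settings object with a stricter maximum age, length and history than a typical domain default, applies it to a group, and checks the resultant policy for one member. The names PSO-PrivilegedUsers, Tier0-Admins and alice.admin are assumptions; the specific values are this example's choices.

```powershell
# Added example (not from the original article). Creates a fine-grained password policy
# for privileged accounts, assigns it to a global security group, and verifies the result.
Import-Module ActiveDirectory

$pso = @{
    Name                        = 'PSO-PrivilegedUsers'   # assumed name
    Precedence                  = 10                      # lower value wins when several PSOs apply to one user
    ComplexityEnabled           = $true
    MinPasswordLength           = 15
    PasswordHistoryCount        = 24
    MinPasswordAge              = '1.00:00:00'            # stops users cycling straight back to an old password
    MaxPasswordAge              = '60.00:00:00'           # tighter than a 90-day domain default
    LockoutThreshold            = 10
    LockoutDuration             = '00:30:00'
    LockoutObservationWindow    = '00:30:00'
    ReversibleEncryptionEnabled = $false                  # reversible storage is cleartext-equivalent
}

# Idempotent: only create the PSO if it does not already exist
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($pso.Name)'")) {
    New-ADFineGrainedPasswordPolicy @pso
}

# PSOs apply only to users and global security groups, never to OUs; 'Tier0-Admins' is assumed to exist
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Tier0-Admins'

# Verify what a member actually gets; $null means only the default domain policy applies to them
$effective = Get-ADUserResultantPasswordPolicy -Identity 'alice.admin'
if ($null -eq $effective) { $effective = Get-ADDefaultDomainPasswordPolicy }
$effective | Select-Object MaxPasswordAge, MinPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled
```

Because PSOs are applied through group membership, the same report that finds stale passwords should also list which PSO (if any) covers each account; a privileged user who is not in the subject group silently falls back to the weaker domain default.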

Reset the krbtgt account password at least every 180 days, and each time reset it twice: Active Directory keeps the previous krbtgt key, so tickets issued under it stay valid until the second reset. Wait longer than the maximum Kerberos ticket lifetime (10 hours by default) between the two resets so that in-flight tickets can be renewed normally. This limits how long a stolen krbtgt hash can be used to forge Golden Tickets.

Enable passwordless sign-in in hybrid domains with Microsoft Entra Kerberos and hardware-backed credentials like FIDO2 or Windows Hello for Business for seamless, secure access.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while tracking users with old passwords in Active Directory.

Error Import-Module: The specified module ‘ActiveDirectory’ was not loaded because no valid module file was found in any module directory.

This error occurs when you try to import the Active Directory module on a domain-joined computer without installing the Active Directory module.

Fix Make sure the Active Directory module is installed before importing it on a domain-joined computer by using the appropriate cmdlet below for your system type.
# For Windows Server
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

# For Windows Client OS (Windows 10/11)
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0

Error Get-ADUser: The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when 'Get-ADUser' is run on a machine where the Active Directory PowerShell module is not installed, or where module autoloading is disabled and the module has not been imported. On a domain controller the module is present; on other machines it has to be installed as described above.

Fix Import the Active Directory module before running 'Get-ADUser'. If the import itself fails with the previous error, install the module first.
Import-Module ActiveDirectory

Error Get-ADUser: Missing an argument for parameter 'Filter'. Specify a parameter of type 'System.String' and try again.

This error occurs while executing the 'Get-ADUser' cmdlet with a filter that has improper syntax, such as a missing asterisk (*).

Fix Make sure to execute the 'Get-ADUser' cmdlet with proper syntax as below.
Get-ADUser -Filter *

Error Set-ADDefaultDomainPasswordPolicy: Insufficient access rights to perform the operation.

This error occurs when you don’t have the required permissions to configure the default domain password policy in Active Directory.

Fix Run the cmdlet as a member of Domain Admins or Enterprise Admins; these groups have write access to the domain object's password-policy attributes by default.

Error Set-ADDefaultDomainPasswordPolicy: Cannot find an object with identity: '<DomainName>' under: '<DistinguishedName> '.

This error occurs when an invalid domain name is entered while configuring the default domain password policy using the 'Set-ADDefaultDomainPasswordPolicy' cmdlet in PowerShell.

Fix Replace <DomainName> with the fully qualified domain name (for example contoso.com) and <PasswordAge> with a TimeSpan in days.hours:minutes:seconds format, such as 90.00:00:00 for 90 days, when configuring the Active Directory default domain password policy with the cmdlet below.
Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -MaxPasswordAge "<PasswordAge>"

Error The query filter “<Query>” is not a valid query string.

This error occurs when an invalid LDAP query filter is entered while searching for all users who have not changed passwords in the last 90 days in ADUC.

Fix Make sure the query filter is correctly formatted without typing errors, as mentioned below.
(&(objectClass=user)(objectCategory=person)(pwdLastSet<=<FileTime>))
Frequently Asked Questions

Strengthen Active Directory Security by Managing Unchanged Passwords

1. What are the risks of users with unchanged passwords in Active Directory?

When a password stays in use for years, the damage from any single exposure (a phishing page, a breached third-party site where it was reused, a credential dump) persists for as long as that password remains valid. Age does not by itself make a password easier to brute-force, but it lengthens the window in which an already-leaked copy works and lets credential-stuffing attacks keep paying off. Administrators should find such accounts and rotate them, and pair rotation with length and history requirements so the replacement is not a predictable variation of the old one.

Below are the risks caused by users with unchanged passwords in Active Directory:

  • Unauthorized access: a password that was leaked or phished at any point in its lifetime stays valid until it is changed, so the longer it is kept, the longer an attacker holding it can sign in.
  • Data breaches: Stale or compromised passwords can be exploited to access sensitive business information, such as payroll or financial records, and this may result in data theft or exposure.
  • Privilege escalation: An administrator account with an outdated password can be compromised, which allows attackers to modify critical system settings or gain higher-level network access.
  • Regulatory compliance risks: standards that audit access-control hygiene may flag accounts with never-rotated passwords as control failures; PCI DSS, for example, requires a password change at least every 90 days where a password is the only authentication factor. Such findings can lead to failed audits or financial penalties.
  • Credential reuse exploitation: When employees reuse the same password across multiple services, a breach in one external service can give attackers access to multiple corporate accounts.
  • Increased attack surface: a password kept for years gives attackers an open-ended window for phishing and password-spraying campaigns against it; every month it stays in use extends the exposure.

2. How to enforce a password change every 90 days for Active Directory users?

Employees often use old passwords for convenience, but that convenience comes at a cost. Over time, unchanged passwords are more vulnerable to leaks, brute-force attempts, and misuse. To prevent this, admins can enforce a 90-day maximum password age in Active Directory so users change their passwords every 3 months. This ensures regular updates and encourages stronger password practices across the organization.

Configure the maximum password age policy in Active Directory

  • Open the Group Policy Management Console (GPMC), expand the forest and the desired domain, then right-click Default Domain Policy and select Edit.
  • On the Group Policy Management Editor page, navigate to Computer Configuration»Policies»Windows Settings»Security Settings»Account Policies»Password Policy.
  • Select the Maximum Password Age, and enable the Define this policy setting checkbox, then set the Maximum Password Age to 90 days.
  • You can set the value between 1 and 999 to define the password expiration period, while setting it to 0 ensures the password never expires. Click Apply, and then click OK to save the changes.
  • Run gpupdate /force on the domain controllers, or wait for the normal Group Policy refresh. The password policy is written to the domain object by the domain controller holding the PDC emulator role, so it takes effect once that DC has applied the GPO; users whose password is already older than 90 days are then prompted to change it at their next logon.

Points to remember:

  • It’s also recommended to set a minimum password age to prevent users from changing their passwords too frequently and cycling back to previous passwords.
  • The minimum password age must be less than the maximum password age, unless the maximum is set to 0.
  • Service accounts or accounts with ‘Password Never Expires’ configuration enabled will bypass this password age policy. You need to review such Active Directory accounts separately.

Enforce maximum password age in Active Directory through PowerShell

Instead of editing the GPO in GPMC, you can set the same values with PowerShell. Note that Set-ADDefaultDomainPasswordPolicy writes directly to the domain object's password-policy attributes (such as maxPwdAge); if the Default Domain Policy GPO still defines a different value, the PDC emulator reapplies the GPO value at its next Group Policy refresh, so keep the GPO and the cmdlet in agreement.

  • First, ensure the Active Directory PowerShell module is installed and imported on your computer.
  • Execute the cmdlet below after replacing the <DomainName> with the respective domain name. This cmdlet execution sets the maximum password age to 90 days.
    Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -MaxPasswordAge 90.00:00:00
    gpupdate /force
  • You can verify whether the password expiry has been changed in Active Directory by running the following PowerShell cmdlet.
    (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

The output displays the maximum password age in days, hours, minutes, and other units, confirming that the domain password policy has been updated (e.g., TotalDays: 90).

3. How to prevent password reuse in Active Directory with account policies?

Employees often reuse weak passwords like Welcome123, Password@1, and similar ones. This creates a security risk because attackers can guess or reuse such passwords easily. To prevent this, admins should configure Active Directory password history to block password reuse and ensure each new password is unique.

Configure password history policy in Active Directory

  • In the Group Policy Management Console (GPMC), right-click the Default Domain Policy, and select Edit.
  • Navigate to Computer Configuration»Policies»Windows Settings»Security Settings»Account Policies»Password Policy. Then, select Enforce password history and enable the policy by checking the box.
  • Although we can set the password history policy values from 0 to 24, Microsoft recommends setting the value to 24 to mitigate password reuse risks.
  • Click Apply and OK to save changes.

Note: Always enforce a password history policy together with a minimum age policy to maintain security and prevent immediate password reuse.

Set password history policy in Active Directory with PowerShell

While the group policy lets you configure password history manually, PowerShell provides a faster, automation-friendly approach, flexible configuration, and easy verification across large environments.

  • Run the following cmdlet after replacing the <DomainName> to set the password history count to 24 or more.
    Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -PasswordHistoryCount 24
  • Apply changes immediately with 'gpupdate /force' and verify whether the password history count has been updated using the cmdlet below.
    Get-ADDefaultDomainPasswordPolicy | Select-Object PasswordHistoryCount
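Setting the maximum age and the history count are two checks among several that together decide whether rotation actually helps. The following is an added example, not code from the original article: it audits the default domain password policy and every fine-grained policy against one baseline (maximum age, minimum age, history, length, complexity, reversible encryption) and reports each policy's findings, so the 90-day and 24-entry settings from the two procedures above can be verified in a single pass. The baseline values are this example's own choices.

```powershell
# Added example (not from the original article). Audits the default domain password policy
# and all fine-grained password policies against a baseline and reports deviations.
Import-Module ActiveDirectory

$baseline = @{
    MaxPasswordAgeDays          = 90     # must be 1..90; 0 (or negative for a PSO) means never expires
    MinPasswordAgeDays          = 1      # >= 1 so users cannot cycle through the whole history in one sitting
    PasswordHistoryCount        = 24
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false # reversible storage is cleartext-equivalent
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,          # ADDefaultDomainPasswordPolicy or ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [string] $Label
    )
    $findings = @()
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    $minDays = $Policy.MinPasswordAge.TotalDays

    if ($maxDays -le 0 -or $maxDays -gt $baseline.MaxPasswordAgeDays) {
        $findings += "MaxPasswordAge=$maxDays days (<=0 = never expires); expected 1..$($baseline.MaxPasswordAgeDays)"
    }
    if ($minDays -lt $baseline.MinPasswordAgeDays) {
        $findings += "MinPasswordAge=$minDays days; expected >= $($baseline.MinPasswordAgeDays)"
    }
    if ($Policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount=$($Policy.PasswordHistoryCount); expected >= $($baseline.PasswordHistoryCount)"
    }
    if ($Policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $findings += "MinPasswordLength=$($Policy.MinPasswordLength); expected >= $($baseline.MinPasswordLength)"
    }
    if ($Policy.ComplexityEnabled -ne $baseline.ComplexityEnabled) {
        $findings += "ComplexityEnabled=$($Policy.ComplexityEnabled); expected $($baseline.ComplexityEnabled)"
    }
    if ($Policy.ReversibleEncryptionEnabled -ne $baseline.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled=$($Policy.ReversibleEncryptionEnabled); expected $($baseline.ReversibleEncryptionEnabled)"
    }

    [pscustomobject]@{
        Policy    = $Label
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy')
# A weak PSO overrides the domain default for its subjects, so every PSO has to meet the baseline too
$results += Get-ADFineGrainedPasswordPolicy -Filter * |
    ForEach-Object { Test-PasswordPolicy -Policy $_ -Label "PSO $($_.Name) (precedence $($_.Precedence))" }
$results | Format-Table -AutoSize
```

Run this after every policy change and as a scheduled check; a PSO added later with a lower precedence and MaxPasswordAge of 0 would otherwise quietly exempt its subjects from the 90-day rotation configured above.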

4. How to force a user to change passwords at their next logon?

Consider a scenario where a user account faces risk due to the use of stale credentials. To secure the account immediately, an administrator can require the user to change their password at the next login. This action replaces the old credentials, protects sensitive information, strengthens system security, and minimizes the risk of unauthorized access.

Steps to force a user to change password at the next login

  • Open the Active Directory Users and Computers (ADUC) console and navigate to the relevant OU.
  • Right-click the target user account, select Properties, and go to the Account tab. To update several users at once, hold Ctrl while selecting them, then right-click the selection and choose Properties; the Account tab then shows only the settings that can be applied to all of them.
  • Check the box User must change password at next logon.
  • Click Apply and OK to save the changes. 

Force a user to change their password using PowerShell

While the above method is a tedious and time-consuming process, PowerShell is used to force password change for single and multiple users efficiently.

  • Make sure the Active Directory PowerShell module is installed and imported on your system.
  • Execute the below cmdlet after replacing the <UserName> with the actual SAM account name to force the password change for the respective user at their next login.
    Set-ADUser -Identity "<UserName>" -ChangePasswordAtLogon $true
    
  • To force multiple users to change their passwords at their next login, prepare a CSV file with the column named SamAccountName containing a list of users.
  • Replace <CSVFilepath> in the cmdlet below, and then execute it to force multiple users to change their passwords at the next login.
Import-Csv "<CSVFilepath>" | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ChangePasswordAtLogon $true}
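Forcing a change in bulk deserves two safeguards the one-liner above lacks: a rehearsal run, and a skip for accounts that should not be forced. The following is an added example, not code from the original article: it re-checks each account's age and state before acting, skips disabled accounts, accounts already flagged for a change, and accounts with PasswordNeverExpires set (which the note above says to review separately, since a forced interactive change breaks anything that authenticates with the stored password), and supports -WhatIf through SupportsShouldProcess. The CSV file name is an assumption; it is expected to have a SamAccountName column like the one described above. Note that the action itself sets pwdLastSet to 0, so these accounts will show up as "change required" rather than as stale in the earlier queries.

```powershell
# Added example (not from the original article). Bulk "change password at next logon"
# with per-account safety checks and -WhatIf support.
Import-Module ActiveDirectory

function Set-StalePasswordChangeRequired {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string] $SamAccountName,
        [int] $MaxAgeDays = 90
    )
    process {
        $u = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet, PasswordNeverExpires

        if (-not $u.Enabled) {
            Write-Verbose "$SamAccountName is disabled; skipping"; return
        }
        if ($u.PasswordNeverExpires) {
            # Usually a service account: forcing an interactive change here causes an outage, not a fix
            Write-Warning "$SamAccountName has PasswordNeverExpires set; review it manually instead of forcing a change"
            return
        }
        if ($u.pwdLastSet -eq 0) {
            Write-Verbose "$SamAccountName already must change password at next logon; skipping"; return
        }

        # Re-check the age at execution time so a stale CSV cannot force a recently rotated password
        $age = ((Get-Date) - [datetime]::FromFileTime($u.pwdLastSet)).Days
        if ($age -lt $MaxAgeDays) {
            Write-Verbose "$SamAccountName password is $age days old, within the $MaxAgeDays-day limit; skipping"; return
        }

        if ($PSCmdlet.ShouldProcess($SamAccountName, "Require password change at next logon (password is $age days old)")) {
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            [pscustomobject]@{ SamAccountName = $SamAccountName; PasswordAgeDays = $age; ChangeRequired = $true }
        }
    }
}

# 1) Rehearse: -WhatIf prints what would happen without touching any account
Import-Csv .\StaleUsers.csv | Select-Object -ExpandProperty SamAccountName |
    Set-StalePasswordChangeRequired -WhatIf

# 2) Apply, keeping a record of what was changed
Import-Csv .\StaleUsers.csv | Select-Object -ExpandProperty SamAccountName |
    Set-StalePasswordChangeRequired -Verbose |
    Export-Csv .\ForcedChanges.csv -NoTypeInformation
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm flow through to Set-ADUser as well, so the rehearsal run makes no directory writes at all.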

Stop worrying about outdated passwords! Force users to change passwords at the next login instantly with AdminDroid.

  • With AdminDroid Active Directory management actions, you can easily enforce a password change at the next login for single or bulk users in just a few clicks.
  • This boosts security and makes administration easier. It ensures users update their passwords on their next sign-in, based on reports like ‘Users with Old Passwords’ and ‘All Users.’
