How to Get the Expiration Date of All Users in Active Directory

Are your users facing sign-in failures with the error ‘This user account has expired’? This could be due to misconfigured account expiration settings or missed extensions. Without proper tracking, critical user accounts may expire unnoticed, potentially disrupting workflows. This guide shows you how to check the account expiration date of all Active Directory users to ensure smooth access management.

List AD Users with Their Expiry Dates Using PowerShell

Active Directory Permission Required:
  • Account Operators (least privilege)
  • Administrators (most privilege)
  • First, install the Active Directory module, then import it into PowerShell if you're running on a non-domain controller machine.
  • Run the following cmdlet to get the account expiration dates of all users in Active Directory.
     Get-ADUser -Filter * -Properties AccountExpirationDate | Select-Object SamAccountName, @{Name='AccountExpiration'; Expression={ if ($null -eq $_.AccountExpirationDate) { 'Never Expires' } else { $_.AccountExpirationDate } }}, ObjectClass, ObjectGUID, DistinguishedName | Format-Table
  • The above cmdlet lists the expiration status of every user, including those set to Never Expires. To display only Active Directory users with a defined account expiration date, run the following cmdlet.
     Get-ADUser -Filter * -Properties AccountExpirationDate | Where-Object { $null -ne $_.AccountExpirationDate } | Select-Object SamAccountName, AccountExpirationDate, ObjectClass, ObjectGUID, DistinguishedName | Format-Table -AutoSize
  • The cmdlet displays all users with account expiry along with details such as SAM account name, account expiration date, distinguished name, GUID, and more.
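The two cmdlets above give you the raw list; the report below, an added example that is not part of the original article, sorts every user into the buckets an admin actually reviews (already expired, expiring within a warning window, never expiring). It assumes the ActiveDirectory module is imported and that you have read access to user objects; the output path is a placeholder.

```powershell
# Added example (not from the original article): summarise AD account expiration
# into review buckets. Assumes the ActiveDirectory module and read access to users.
Import-Module ActiveDirectory

function Get-AccountExpiryReport {
    param(
        [int]$WarnDays = 30,            # how far ahead to flag accounts as "expiring soon"
        [string]$SearchBase = $null     # optional OU distinguished name to scope the query
    )
    $now = Get-Date
    $params = @{ Filter = '*'; Properties = @('AccountExpirationDate', 'Enabled') }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $exp = $_.AccountExpirationDate          # $null when the account never expires
        $status = if ($null -eq $exp)                        { 'Never' }
                  elseif ($exp -le $now)                     { 'Expired' }
                  elseif ($exp -le $now.AddDays($WarnDays))  { 'ExpiringSoon' }
                  else                                       { 'Future' }
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            Status            = $status
            AccountExpiration = $exp
            # negative for already-expired accounts (days since expiry)
            DaysRemaining     = if ($null -ne $exp) { [math]::Floor(($exp - $now).TotalDays) } else { $null }
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Review the actionable buckets first.
$report = Get-AccountExpiryReport -WarnDays 30
$report | Where-Object { $_.Status -in @('Expired', 'ExpiringSoon') } |
    Sort-Object AccountExpiration | Format-Table -AutoSize

# 'Never' on non-admin accounts deserves a second look (see the remediation note later on).
$report | Where-Object { $_.Status -eq 'Never' -and $_.Enabled } | Format-Table SamAccountName, DistinguishedName

# Keep an exportable copy for the review record (placeholder path).
$report | Export-Csv -Path '.\AccountExpiryReport.csv' -NoTypeInformation
```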

Check Account Expiry Date for Users in ADUC

Active Directory Permission Required:
  • Account Operators (least privilege)
  • Global Admin (most privilege)
  • Open Active Directory Users and Computers (ADUC) snap-in.
  • In the console tree, right-click Saved Queries and select New»Query.
  • Enter a suitable Name and Description for the query.
  • Set a Query Root to limit the search scope instead of searching the entire domain, and check the Include subcontainers box to search within its nested subcontainers as well.
  • Click Define Query and choose Custom Search from the Find drop-down.
  • Go to the Advanced tab and enter the following LDAP filter query.
    (&(objectCategory=person)(objectClass=user)(!(accountExpires=9223372036854775807))(!(accountExpires=0)))
  • Select Ok in both dialog boxes to save the query. Then, the new query will appear under Saved Queries.
  • Select it to view all users with account expiration in Active Directory along with their type, display name, last modified date, and description.
  • To check a specific user's expiration date, double-click the user, go to the Account tab, and check the Account expires section.
Note: Saved Queries in Active Directory let you quickly create and store custom searches within ADUC without setting up the search again each time.

Manage Active Directory User Expirations Effectively to Maintain Productivity!

AdminDroid’s Active Directory reporting tool delivers in-depth insights to check user account expirations, smoothly helping you track accounts nearing expiration, long expired, or due for extensions. With this enhanced visibility, you can ensure compliance, strengthen governance, and mitigate security risks effortlessly!

Automate Account Expiration Reminders for Seamless User Management

Send reminders about soon-to-expire user accounts to their managers and HR teams using AdminDroid's notifications, so they can decide whether to extend the expiration dates.

Receive Instant Alerts for Expired User Accounts with AdminDroid

Set up AdminDroid alerts for expired user accounts report to quickly identify and reactivate essential accounts while ensuring timely cleanup for seamless access in Active Directory.

Remediate User Accounts Mistakenly Set to Never Expire

Identify guest users, contractors, and vendors with never-expiring accounts due to misconfigurations and set appropriate expiration dates to enhance security in Active Directory.

Find Logon Failures Caused by Expired User Accounts to Prevent Access Disruptions

Audit failed logons due to expired accounts in Active Directory to investigate potential unauthorized access attempts and prevent unnecessary account lockouts.

View User Account Expiry Insights With an Exclusive Dashboard

Easily track user accounts set to expire in 7, 30, or 60 days, along with users configured with expiration dates, those that never expire, and more using AdminDroid’s comprehensive Active Directory user dashboard.

Track Changes in User Account Expiry Settings Using AdminDroid

Leverage AdminDroid's advanced filters in the updated users report to detect changes in account expiration, identify who made the modifications, and ensure expiration settings remain intact.

In essence, AdminDroid’s Active Directory management tool transforms complex user administration into a seamless experience! With an intuitive interface, AI-powered charts, and insightful dashboards, AdminDroid transforms raw data into a goldmine of actionable intelligence. It delivers powerful insights without breaking the bank!

Explore a full range of reporting options

Important Tips

Set admin and high-privilege accounts to Never Expire to prevent unexpected lockouts and ensure continuous access for critical operations.

Ensure the maximum password age is shorter than the account expiration period for AD users, to prevent prolonged password use and reduce brute-force risk.

Review and revoke any unnecessary permissions or group memberships associated with expired accounts to prevent unauthorized access if they are reactivated.

Common Errors and Resolution Steps

Below are possible errors and troubleshooting tips when checking and managing user account expiration in Active Directory.

Error: Get-ADUser : Cannot validate argument on parameter 'Filter'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

This error occurs when you don't provide the value for the mandatory -Filter parameter when using the Get-ADUser cmdlet in Active Directory PowerShell.

Fix: Provide a -Filter value of * to return all objects that match the given criteria while retrieving account expiration of users, as shown below.
Get-ADUser -Filter * -Properties AccountExpirationDate | Where-Object { $_.AccountExpirationDate -ne $null } | Select SAMAccountName, AccountExpirationDate, ObjectClass, ObjectGUID, DistinguishedName | Format-Table -AutoSize

Error: Set-ADAccountExpiration : Cannot bind parameter 'DateTime'. Cannot convert value "$.ExpirationDate" to type "System.DateTime". Error: "String was not recognized as a valid DateTime."

This error occurs when setting user account expiration for multiple users using a CSV file. It happens because PowerShell cannot convert the ExpirationDate value into a valid DateTime format due to incorrect CSV date formatting.

Fix: Ensure your CSV dates match PowerShell's expected format, such as MM/DD/YYYY or YYYY/MM/DD, to resolve the issue.

Error: Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).

This error occurs when you attempt to edit the accountExpires attribute directly in the Attribute Editor tab in ADUC. This is because certain attributes, such as accountExpires, lastLogon, pwdLastSet, and other protected system fields, cannot be modified directly in Attribute Editor.

Fix: As a workaround, you can set the account expiration through ADUC → Specific user’s Properties → Account → Account Expires section, or use the following PowerShell cmdlet.
Set-ADAccountExpiration -Identity <UserName> -DateTime "MM/DD/YYYY"

Error: Set-ADAccountExpiration : Cannot find an object with identity: 'X' under: 'DC=contoso,DC=com'.

This error occurs when running the Set-ADAccountExpiration cmdlet with an invalid Identity value.

Fix: Ensure the SAMAccountName is spelled correctly and confirm that the user exists in your environment. You can verify this using the following cmdlet.
Get-ADUser -Identity <UserName>

Frequently Asked Questions

Strengthen Access Control with User Account Expiration in Active Directory

1. Why is the expiration date used on a user account in Active Directory?

In Active Directory, setting an expiration date on a user account helps administrators control access to the organization's resources and enhance security. It ensures that accounts are automatically deactivated when they are no longer needed, reducing the risk of security vulnerabilities.

Key reasons for using account expiration date in Active Directory

Here are some reasons why admins should use account expiration in an Active Directory environment:

  • Manage temporary accounts in Active Directory: Organizations often onboard contractors, vendors, or temporary employees who require access for a limited period. Setting an Active Directory account expiration date ensures users are automatically deactivated after their contract or project ends. This potentially reduces the need for manual intervention.
  • Prevent risks from unused Active Directory accounts: Active but abandoned accounts pose a major security risk, as they can be exploited for gaining access to additional resources or performing unauthorized activities. Applying expiration dates ensures user accounts do not remain active indefinitely.
  • Automate and streamline AD user lifecycle management: Applying expiration dates helps IT teams manage user lifecycles efficiently by automatically deactivating accounts that are no longer required. Expired accounts can be reactivated with their original permissions intact if the user returns, thereby streamlining administration.

Real-world use cases of account expiration in Active Directory

  • Education sector: Universities set expiration dates for student accounts after graduation to prevent unauthorized access to institutional resources.
  • Healthcare & compliance-driven industries: Temporary medical staff or third-party consultants are given access for a set duration to comply with security policies.
  • Consulting & cybersecurity audits: Consulting firms hire external vendors for security assessments by providing temporary Active Directory accounts with expiration.
  • Project-based organizations: Companies working with freelancers and contractors apply expiration dates to automatically disable accounts after project completion.

2. How to set an account expiration date for a user in Active Directory?

Setting an expiration date ensures these accounts are automatically deactivated after their engagement ends, thereby reducing the risk of unauthorized access. Here's how you can configure or extend an expiration date in Active Directory.

Set user account expiration date in Active Directory using ADUC

  • Open the Active Directory Users and Computers console and navigate to the respective user account for which you want to set an expiration date.
  • In the Properties window, go to the Account tab.
  • Under the ‘Account expires’ section, select End of and specify the expiration date.
  • Click OK to save the changes.

Set user account expiration in Active Directory using PowerShell

You can use PowerShell to update the account expiration dates for multiple users at once. Here’s how to set an account expiration date in Active Directory with PowerShell.

  • Run the Set-ADAccountExpiration cmdlet as shown below to update an expiration date for a specific user. Before execution, replace <UserName> and <Date> with the appropriate values.
    Set-ADAccountExpiration -Identity <UserName> -DateTime "<Date>"
  • You can also set account expiration dates for multiple users using a CSV file. Replace <CSVFilePath> in the following cmdlet with the path to your CSV file to update expiration dates for all users listed in the file at once.
    Import-Csv -Path "<CSVFilePath>" | ForEach-Object { Set-ADAccountExpiration -Identity $_.UserName -DateTime $_.ExpirationDate }

    Note: Ensure your CSV file contains two columns namely UserName and ExpirationDate, as the cmdlet above is designed to use them.
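The one-liner above pipes the CSV straight into Set-ADAccountExpiration, so a single badly formatted date or misspelled user name stops the run with one of the errors listed in the troubleshooting section. The script below is an added example, not part of the original article: it uses the same UserName,ExpirationDate columns, parses each date strictly, resolves each account first, and dry-runs the change with -WhatIf. It assumes the ActiveDirectory module; the CSV path and accepted date formats are assumptions you can adjust.

```powershell
# Added example (not from the original article): bulk-set account expiration from a CSV with
# UserName,ExpirationDate columns, validating every row before touching AD.
# Assumes the ActiveDirectory module; the CSV path and accepted formats are placeholders.
Import-Module ActiveDirectory

$csvPath         = '.\account-expiry.csv'                          # placeholder path
$acceptedFormats = @('MM/dd/yyyy', 'yyyy/MM/dd', 'yyyy-MM-dd')     # date formats allowed in the CSV
$culture         = [System.Globalization.CultureInfo]::InvariantCulture

function ConvertTo-ExpiryDate {
    # Parse a CSV date string strictly; returns $null instead of letting
    # Set-ADAccountExpiration fail with "String was not recognized as a valid DateTime".
    param([string]$Text)
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParseExact($Text.Trim(), [string[]]$acceptedFormats, $culture,
        [System.Globalization.DateTimeStyles]::None, [ref]$parsed)
    if ($ok) { $parsed } else { $null }
}

$results = foreach ($row in Import-Csv -Path $csvPath) {
    $name = $row.UserName
    $date = ConvertTo-ExpiryDate $row.ExpirationDate
    if ($null -eq $date) {
        [pscustomobject]@{ UserName = $name; Result = "Skipped: unparseable date '$($row.ExpirationDate)'" }
        continue
    }
    if ($date -lt (Get-Date).Date) {
        # An expiry in the past would lock the account out immediately; flag it for a human.
        [pscustomobject]@{ UserName = $name; Result = 'Skipped: date is in the past' }
        continue
    }
    try {
        # Resolve the account first so a typo is reported per row instead of
        # aborting the run with "Cannot find an object with identity".
        $user = Get-ADUser -Identity $name -ErrorAction Stop
        # -WhatIf makes this a dry run; remove it once the output looks right.
        Set-ADAccountExpiration -Identity $user -DateTime $date -WhatIf
        [pscustomobject]@{ UserName = $name; Result = "Set to $($date.ToString('yyyy-MM-dd'))" }
    } catch {
        if ($_.CategoryInfo.Category -eq 'ObjectNotFound') {
            [pscustomobject]@{ UserName = $name; Result = 'Skipped: user not found' }
        } else {
            [pscustomobject]@{ UserName = $name; Result = "Failed: $($_.Exception.Message)" }
        }
    }
}
$results | Format-Table -AutoSize
```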

3. What happens when an account reaches its expiry date in Active Directory?

Once a user account expires in Active Directory, it becomes inaccessible. Here’s what happens after the expiration date passes:

  • Expired accounts are not deleted, but users can no longer sign in to Active Directory.
  • The user will no longer be able to log in to their account, access resources, or perform domain-related operations.
  • Admins can view, manage, and reactivate expired accounts in Active Directory by either extending the account expiry date or setting it to 'Never Expire'.
  • Group memberships and permissions remain intact, thereby preventing unintended loss of access if reactivated.

4. How to remove the expiration date for an Active Directory user?

A company hires full-time employees with user accounts that are initially set to expire due to a policy that requires periodic reviews. After a performance evaluation, an employee is converted from a contract role to a permanent position. To prevent access disruptions, the IT admin removes the account expiration date in Active Directory, ensuring uninterrupted access to files and company resources.

The following steps show how to remove the user account expiration in Active Directory:

Remove account expiration date in Active Directory using ADUC

  • Open the Active Directory Users and Computers console.
  • Navigate to the Users section and select the respective user account for which you want to remove the expiration date.
  • In the Properties window, go to the Account tab.
  • Under Account expires, select Never.
  • Click OK to save changes.

Clear account expiration using PowerShell

  • Run the following command to clear the user account expiration date in Active Directory. Be sure to replace <UserName> with the actual SAMAccountName or DistinguishedName.
    Clear-ADAccountExpiration -Identity <UserName>

    Note: You can also use PowerShell to bulk remove account expiration for users by importing a CSV file.
    Import-Csv -Path "<CSVFilePath>" | ForEach-Object {Clear-ADAccountExpiration -Identity $_.UserName}

5. What time does an Active Directory account expire?

If you’ve ever set an expiration date for an Active Directory account in ADUC, you might have noticed that you can select only a date, not an exact time. But when you check the expiration details using PowerShell, even the date values don’t match, to your surprise! 😲 So, which one is correct? And what’s actually happening behind the scenes? Let’s clear up the confusion!

How does account expiration work in Active Directory?

  • A common misconception is that an account expires at the start of the selected date—but that’s not how it works. In reality, the Account Expires field actually means "End of <Date>", meaning the account stays active for the entire selected day.
  • For example, an account set to expire on July 30 will remain active for the entire day and become inactive at 12:00 AM on July 31.

Actual behavior of the expiration date attribute in PowerShell and ADUC

  • The accountExpires attribute in PowerShell shows the expiration time as 12:00 AM on the next day, indicating that the account is no longer active from that time.
  • The Account Expires field in ADUC displays "End of <Expiration Date>", meaning the account remains usable for the full expiration day until 11:59:59 PM of the specified date.

Note: The above case applies when you set the expiration date alone (without the exact time) using ADUC or PowerShell. If the expiration is set with a specific time using PowerShell, that exact time is treated as the account's expiration time in Active Directory.
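The next-day-midnight convention is easiest to trust once you have seen the stored value itself. The helpers below are an added example, not part of the original article: one decodes the raw accountExpires attribute (the same 0 and 9223372036854775807 sentinels the LDAP filter earlier on excludes), the other computes the "End of <date>" value ADUC writes. They assume the ActiveDirectory module; 'contractor01' is a placeholder account name.

```powershell
# Added example (not from the original article): decode the raw accountExpires attribute and
# compute the "End of <date>" value ADUC stores. Assumes the ActiveDirectory module;
# 'contractor01' is a placeholder account name.
Import-Module ActiveDirectory

function ConvertFrom-AccountExpires {
    # accountExpires is a Windows FILETIME (100-ns ticks since 1601-01-01 UTC).
    # 0 and Int64.MaxValue (9223372036854775807) both mean "never expires";
    # FromFileTime would throw on the latter, hence the guard.
    param([Parameter(Mandatory)][long]$Raw)
    if ($Raw -eq 0 -or $Raw -eq [long]::MaxValue) { return 'Never Expires' }
    [datetime]::FromFileTime($Raw)       # local time, matching AccountExpirationDate
}

function Get-EndOfDayExpiration {
    # ADUC's "End of <date>" is stored as 12:00 AM on the following day (local time).
    param([Parameter(Mandatory)][datetime]$Date)
    $Date.Date.AddDays(1)
}

# Offline round trip with a constructed value: what ADUC writes for "End of July 30, 2025".
# Decoding it gives midnight at the start of July 31, i.e. the account is usable through July 30.
$raw = (Get-EndOfDayExpiration '2025-07-30').ToFileTime()
ConvertFrom-AccountExpires $raw

# The same live account seen two ways: raw attribute and friendly property.
$u = Get-ADUser -Identity 'contractor01' -Properties accountExpires, AccountExpirationDate
[pscustomobject]@{
    RawAttribute  = $u.accountExpires
    InactiveFrom  = ConvertFrom-AccountExpires $u.accountExpires
    FriendlyValue = $u.AccountExpirationDate
}

# A bare date string such as "07/30/2025" parses as 12:00 AM at the *start* of that day.
# Passing the next-day midnight explicitly removes any ambiguity about which day is the last one.
Set-ADAccountExpiration -Identity 'contractor01' -DateTime (Get-EndOfDayExpiration '2025-07-30') -WhatIf
```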

6. What is the difference between disabled and expired user accounts in Active Directory?

Ever wondered how "disabled" and "expired" accounts differ in Active Directory? At first glance, both actions prevent user access, deny authentication, and block resource usage. However, they serve different purposes based on how and when they are applied.

Disabled Account:

A disabled account is manually turned off and reactivated when the admin needs it. Admins often disable user accounts to prevent unauthorized access in cases of suspected compromise or when employees leave the organization. This ensures that the account is not misused and allows recovery if needed. Since disabled accounts can be re-enabled anytime, they provide flexibility while minimizing risks.

How to disable an AD Account?

  • Open Active Directory Users and Computers console.
  • Navigate to the Organizational Unit where the user account resides.
  • Double-click the user account and go to the Account tab.
  • Check "Account is disabled", then click OK to apply changes.

Expired User Account:

An expired account is automatically disabled once it reaches a predefined end date. This is ideal for temporary employees, contractors, or guest accounts with a fixed engagement period. Organizations use this to automate access control without requiring manual intervention. Once an account expires, it remains inactive unless an admin extends or re-enables it.

How to set account expiry date in Active Directory?

  • Open Active Directory Users and Computers, select the user account, and open Properties.
  • Under the Account tab, find "Account expires" and choose the expiration date. Then, click OK to save.

Disabled accounts need manual action to enable or disable them and are ideal for uncertain access needs. Expired accounts have a scheduled expiration that ensures access control without admin intervention. Choosing the right approach depends on your organization's access management strategy!
