
How to Get All Active Directory Users with Expired Passwords

Password expiration in Active Directory is a critical safeguard against credential misuse. However, when expired passwords go unnoticed, helpdesk tickets pile up, scripts fail unexpectedly, and essential workflows stall. To avoid such disruptions, it’s vital to identify users with expired passwords in advance. This guide shows you how to find all users with expired passwords in Active Directory, which helps you update passwords on time and prevent login failures.

Find All Password Expired Users in Active Directory Using PowerShell

Active Directory permission required:
  • Domain Users (least privilege)
  • Administrators (most privilege)
  • Active Directory Users and Computers (ADUC) and Active Directory Administrative Center (ADAC) do not provide a direct solution to view all users with expired passwords at once.
  • You need to check the 'msDS-UserPasswordExpiryTimeComputed' attribute and compare it with the current date.
  • To easily retrieve users with expired passwords in Active Directory domain, run the following PowerShell cmdlet.
$CurrentDate = Get-Date
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, "msDS-UserPasswordExpiryTimeComputed", PasswordLastSet |
Select-Object DisplayName, SamAccountName, PasswordLastSet, DistinguishedName, @{Name="PasswordExpirationDate"; Expression = {
    # 0 means "must change password at next logon"; [Int64]::MaxValue means "never expires"
    # and would make [datetime]::FromFileTime throw, so neither is converted to a date
    $t = $_."msDS-UserPasswordExpiryTimeComputed"
    if ($t -and $t -ne [Int64]::MaxValue) { [datetime]::FromFileTime($t) } else { $null } }} |
Where-Object { $_.PasswordExpirationDate -ne $null -and $_.PasswordExpirationDate -lt $CurrentDate } |
Format-Table -AutoSize
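The one-liner above is enough to list expired accounts, but a helpdesk usually wants the whole picture in one pass: who has already expired, who will expire within the next reminder window, who never expires, and who must change their password at next logon. The function below is an added example, not code from this article or from AdminDroid. It reads the same msDS-UserPasswordExpiryTimeComputed attribute used here and in the "find password expiration date" question further down, treats the attribute's two sentinel values (0 and [Int64]::MaxValue) as states rather than dates, and classifies every enabled user. The function name, the 14-day warning window and the CSV path are assumptions.

```powershell
# Added example, not code from the article or from AdminDroid.
# Requires the ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

function Get-ADPasswordExpiryReport {
    [CmdletBinding()]
    param (
        # Passwords expiring within this many days are reported as "ExpiringSoon" (assumed default)
        [int]$WarningDays = 14,
        # Restrict the search to one OU; defaults to the whole domain
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $now   = Get-Date
    $attr  = 'msDS-UserPasswordExpiryTimeComputed'
    # Value AD returns in the constructed attribute when the password never expires
    $never = [Int64]::MaxValue

    Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
               -Properties DisplayName, PasswordLastSet, PasswordNeverExpires, $attr |
    ForEach-Object {
        $raw = $_.$attr

        # Two values are not timestamps and must not be passed to FromFileTime:
        #   0 (or attribute not returned) -> pwdLastSet is 0: "must change password at next logon"
        #   Int64.MaxValue                -> never expires (flag set, or MaxPasswordAge of 0 in the policy)
        $expiry = $null
        if ($raw -and $raw -ne $never) { $expiry = [datetime]::FromFileTime($raw) }

        if ($_.PasswordNeverExpires -or $raw -eq $never) { $status = 'NeverExpires' }
        elseif (-not $raw)                                { $status = 'MustChangeAtNextLogon' }
        elseif ($expiry -lt $now)                         { $status = 'Expired' }
        elseif ($expiry -lt $now.AddDays($WarningDays))   { $status = 'ExpiringSoon' }
        else                                              { $status = 'Valid' }

        $days = $null
        if ($expiry) { $days = [math]::Floor(($expiry - $now).TotalDays) }   # negative when already expired

        [pscustomobject]@{
            SamAccountName         = $_.SamAccountName
            DisplayName            = $_.DisplayName
            PasswordLastSet        = $_.PasswordLastSet
            PasswordExpirationDate = $expiry
            DaysUntilExpiry        = $days
            Status                 = $status
            DistinguishedName      = $_.DistinguishedName
        }
    }
}

# Usage: show expired accounts on screen and hand the full report to the helpdesk as CSV
$report = Get-ADPasswordExpiryReport -WarningDays 14
$report | Where-Object Status -eq 'Expired' | Sort-Object PasswordExpirationDate | Format-Table -AutoSize
$report | Export-Csv -Path .\AD-PasswordExpiry.csv -NoTypeInformation
```

The Status column is what makes the report actionable: the Expired rows are the helpdesk queue, the ExpiringSoon rows are the reminder list for the notification step described later in this article, and the NeverExpires rows are the ones to review against the tip on privileged accounts. Because the classification is done before any conversion to a date, the function does not stop on a single account whose computed value is MaxValue.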

Simplify Active Directory User Password Expiry Management with AdminDroid

AdminDroid Active Directory reporting tool provides instant visibility into password expiration status across all user accounts. It delivers detailed reports about user passwords, like users' expired passwords, soon-to-expire passwords, never-expiring passwords, and more. This helps you proactively manage password lifecycles, reduce authentication failures, and maintain a secure Active Directory domain.

Track Users’ Last Password Change Date to Prevent Password Expiry

Monitor the last password change date in Active Directory to accurately predict upcoming expirations and improve password policy enforcement.

Find User Accounts Using Old Passwords to Mandate Credential Rotation

Enforce password expiration for all users with old passwords in Active Directory to ensure timely credential rotation and mitigate password guessing attacks.

Track Privileged Users with Password Never Expires to Reduce Threats

Detect privileged admin accounts with non-expiring passwords and remind them to update passwords regularly to safeguard against security threats.

Identify and Manage Users with Passwords that are Expiring Soon

Stay ahead of users with soon-to-expire passwords to schedule password updates in advance and avoid last-minute lockouts in your Active Directory domain.

Detect Every Change in Domain Password Policy to Prevent Security Gaps

Audit domain password policy changes in Active Directory to find unauthorized modifications to maximum password age in real time and prevent weak password adoption in the domain.

Detect and Act on Failed User Login Attempts Caused by Expired Password

Receive instant alerts for failed logins after password expiry to quickly identify users facing login issues due to expired passwords and resolve potential access problems.

In conclusion, AdminDroid’s Active Directory management tool streamlines the process of identifying user accounts with expired passwords through detailed reports and advanced features. It also empowers you to take immediate actions, such as resetting passwords, setting them to never expire, enforcing password changes at the next logon, and more. All of these actions can be performed from a single, unified platform to maintain a secure and well-organized Active Directory.


Important tips

Use fine-grained password policies for privileged users to enforce stronger password requirements and protect sensitive accounts.

Ensure the User cannot change password option remains unchecked for accounts with expiring passwords to allow users to update their credentials and prevent account lockouts.

Use managed service accounts instead of user accounts for automation scripts to reduce script failure caused by password expiration in the domain.

Common Errors and Resolution Steps

Below are some common errors and troubleshooting fixes that may occur while identifying password-expired users in Active Directory.

Error: This user account’s password has expired. The password must change in order to logon.

This error occurs in the Remote Desktop logon prompt when a user tries to sign in to Active Directory via RDP using an expired password.

Fix: If password change is allowed by entering your old password, sign in to your Active Directory account locally and update your password. If not, contact the helpdesk administrator to reset your password.

Error: Set-ADAccountPassword : A positional parameter cannot be found that accepts argument '<UserName>'

This error occurs in PowerShell when you attempt to reset a user’s password using an incorrect username or SAM account name.

Fix: To resolve this error, check the SAM account name of the user using the following cmdlet. Then, reset the user’s password using the correct SAM account name with the -Identity parameter.
#Replace <UserName> with the name of the user.
Get-ADUser -Filter {Name -eq "<UserName>"} | Select Name,SamAccountName,DistinguishedName

Error: New-TimeSpan : TimeSpan overflowed because the duration is too long

This error occurs in PowerShell when you try to set the maximum password age to a value higher than the supported limit.

Fix: The password expiry value can range from 1 to 999 days. Therefore, rerun the 'Set-ADDefaultDomainPasswordPolicy' cmdlet with the maximum password age within this range.
Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -MaxPasswordAge (New-TimeSpan -Days "<Days>")

Error: Access denied when logging into Windows due to expired password.

This error may occur when a user who cannot change their password attempts to log in after their password has expired.

Fix: To resolve this error, contact the domain administrator and request a password reset for the expired Active Directory account password.

1. How to set password expiration policy in Active Directory?

Passwords continue to be the most common authentication method for accessing Active Directory domains. However, users often reuse the same passwords for long periods out of convenience, which increases the risk of brute-force attacks.

To enhance account security, it’s important to enforce regular password rotation at defined intervals. Follow the steps below to configure a password expiration policy in Active Directory using Group Policy Objects (GPO).

  • Open Group Policy Management, expand your domain, right-click the Default Domain Policy, and select Edit.
  • Navigate to Computer Configuration » Policies » Windows Settings » Security Settings » Account Policies » Password Policy.
  • Right-click Maximum password age and select Properties.
  • Check Define this policy setting and set the number of days after which the password will expire.
  • Select Apply and then click OK to set password expiry date for all users across the domain.

Note: Alternatively, you can create a new Group Policy Object and link it to specific OUs based on your organization’s needs.

Configure password expiration policy in Active Directory using PowerShell

Rather than navigating through multiple GUI paths, you can use PowerShell to update the password expiration for all users with a single cmdlet.

Run the following cmdlet to set the maximum password age for all Active Directory users. Replace <DomainName> and <Days> with your domain name and the desired password expiration period, respectively.

Set-ADDefaultDomainPasswordPolicy -Identity "<DomainName>" -MaxPasswordAge (New-TimeSpan -Days "<Days>")

The 'New-TimeSpan' PowerShell expression can also be used to define the password expiration period in hours, minutes, or seconds instead of days, by using -Hours <Hours>, -Minutes <Minutes>, or -Seconds <Seconds>.
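Changing the default domain policy affects every user who is not covered by a fine-grained password policy, so it is worth checking the value before it is applied and keeping a record of what it was. The wrapper below is an added example, not code from this article or from AdminDroid: it validates the day count against the 1 to 999 range given in the troubleshooting section, supports -WhatIf for a dry run, and returns the policy before and after the change. The function name is an assumption.

```powershell
# Added example, not code from the article or from AdminDroid.
# Requires the ActiveDirectory module and rights to edit the Default Domain Policy.
Import-Module ActiveDirectory

function Set-DomainMaxPasswordAge {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Rejects values outside the 1-999 day range before New-TimeSpan or AD ever sees them
        [Parameter(Mandatory)]
        [ValidateRange(1, 999)]
        [int]$Days,

        # Domain to change; defaults to the domain of the current session
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    # Capture the current policy so the change can be recorded and reverted if needed
    $before = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    Write-Verbose ("{0}: MaxPasswordAge is currently {1} day(s)" -f $Domain, $before.MaxPasswordAge.Days)

    if ($PSCmdlet.ShouldProcess($Domain, "Set MaxPasswordAge to $Days day(s)")) {
        Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MaxPasswordAge (New-TimeSpan -Days $Days)
    }

    $after = Get-ADDefaultDomainPasswordPolicy -Identity $Domain

    # Return the surrounding settings too; a short max age only helps if length and complexity are enforced
    [pscustomobject]@{
        Domain            = $Domain
        OldMaxPasswordAge = $before.MaxPasswordAge
        NewMaxPasswordAge = $after.MaxPasswordAge
        MinPasswordLength = $after.MinPasswordLength
        ComplexityEnabled = $after.ComplexityEnabled
        MinPasswordAge    = $after.MinPasswordAge
    }
}

# Usage: dry run first, then apply with verbose output
Set-DomainMaxPasswordAge -Days 90 -WhatIf
Set-DomainMaxPasswordAge -Days 90 -Verbose
```

Fine-grained password policies (Get-ADFineGrainedPasswordPolicy) take precedence over the default domain policy for the users and groups they are applied to, so after changing the default, check whether privileged accounts are governed by a separate policy with its own maximum age.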

2. How to reset expired password in Active Directory?

When a password expires in Active Directory, the user can no longer sign in with the old credentials. To regain access, the expired password must be changed. The password can be changed by the user, or it can be reset by an administrator, depending on the account settings.

  • If the user is allowed to change the password, they can update it during their next logon attempt after the password has expired.
  • When they try to sign in with the old password, they will receive the message: Your password has expired and must be changed.
  • After selecting OK, the user will be prompted to enter the existing expired password, a new password, and a confirmation of the new password.
  • Once submitted successfully, the password will be updated and access will be restored.

For users who cannot change their password, access remains blocked until someone with the appropriate permissions resets it. Follow the steps below to quickly reset a user’s password in Active Directory.

Update expired user password in Active Directory in ADUC

  • In Server Manager, navigate to Tools » Active Directory Users and Computers.
  • Right-click the user whose password has expired and select Reset password.
  • Type the new password in the New Password field and confirm it in the Confirm Password field.
  • If the user’s account is locked, check the Unlock the user’s account option.
  • Click OK to reset the password and apply the changes.

Reset expired password for Active Directory user using PowerShell

Run the following cmdlet to change the password for the user whose password has expired.

Set-ADAccountPassword -Identity "<UserName>" -Reset -NewPassword (ConvertTo-SecureString "<Password>" -AsPlainText -Force)

Replace <UserName> with the SAM account name of the user whose password you want to change and <Password> with a new password that complies with the domain password policy.
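Passing the new password on the command line, as in the cmdlet above, leaves it in the PowerShell history and in any transcript. The helper below is an added example, not code from this article or from AdminDroid: it prompts for the temporary password as a SecureString, resolves the account by SAM account name (using a display name here is what produces the "positional parameter cannot be found" error from the troubleshooting section), unlocks the account if needed, and forces a change at next logon so the helpdesk-chosen password is used only once. The function name and the sample account 'jdoe' are assumptions.

```powershell
# Added example, not code from the article or from AdminDroid.
# Requires the ActiveDirectory module and "Reset password" rights on the target OU.
Import-Module ActiveDirectory

function Reset-ExpiredADPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # SAM account name, not display name; Get-ADUser -Identity also accepts a DN, GUID or SID
        [Parameter(Mandatory)]
        [string]$SamAccountName,

        # Temporary password; when omitted you are prompted and it never appears in plain text
        [securestring]$NewPassword = (Read-Host -AsSecureString -Prompt "Temporary password for $SamAccountName"),

        # Require the user to choose their own password at next logon
        [bool]$ChangeAtNextLogon = $true
    )

    $user = Get-ADUser -Identity $SamAccountName `
                -Properties PasswordExpired, LockedOut, PasswordNeverExpires, CannotChangePassword, PasswordLastSet

    if (-not $user.PasswordExpired) {
        Write-Warning ("{0}: password has not expired (last set {1})" -f $user.SamAccountName, $user.PasswordLastSet)
    }

    # A forced change is incompatible with these two settings and would either fail or lock the user out again
    if ($ChangeAtNextLogon -and $user.CannotChangePassword) {
        throw "$($user.SamAccountName) has 'User cannot change password' set; clear it or use -ChangeAtNextLogon `$false."
    }
    if ($ChangeAtNextLogon -and $user.PasswordNeverExpires) {
        throw "$($user.SamAccountName) has 'Password never expires' set; Set-ADUser refuses -ChangePasswordAtLogon for such accounts."
    }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $NewPassword
        if ($user.LockedOut)     { Unlock-ADAccount -Identity $user }
        if ($ChangeAtNextLogon)  { Set-ADUser -Identity $user -ChangePasswordAtLogon $true }
    }

    # Return the post-reset state so the ticket can be closed with evidence
    Get-ADUser -Identity $user -Properties PasswordLastSet, PasswordExpired, LockedOut |
        Select-Object SamAccountName, PasswordLastSet, PasswordExpired, LockedOut
}

# Usage (constructed account name): preview, then run for real
Reset-ExpiredADPassword -SamAccountName 'jdoe' -WhatIf
Reset-ExpiredADPassword -SamAccountName 'jdoe'
```

The two pre-checks mirror the tip earlier in this article about leaving "User cannot change password" unchecked: resetting such an account to a temporary password with a forced change would put the user straight back into the locked-out state the reset was meant to fix.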

Reset multiple expired passwords in bulk with AdminDroid!

  • The reset password management action lets you manage single or multiple expired passwords in Active Directory effortlessly in just a few clicks.
  • Simply select the users with expired passwords, click Reset Password at the footer, enter the new password or generate one automatically, and click Update to apply the change instantly.

3. How to find password expiration date of Active Directory users?

Let’s consider when a user’s password has expired and the option to change it is disabled. The user cannot log in and cannot notify the helpdesk or an admin, which may result in service disruption and workflow interruptions.

To prevent this, track the password expiration dates for users in Active Directory and reset passwords proactively. This approach ensures regular password rotation and allows users to maintain access without being locked out.

Get Active Directory users' password expiration date

  • Get all users in the Active Directory Users and Computers console using a saved query.
  • Right-click the user in the query results and select Properties.
  • Navigate to the Attribute Editor tab, click Filter, and select Constructed option under Show read-only attributes.
  • Scroll through the Attribute column and locate the msDS-UserPasswordExpiryTimeComputed attribute to see the password expiration of the account.

Note: If you don’t see the Attribute Editor tab, enable Advanced Features from the View menu in ADUC.

Identify password expiry date for users in Active Directory Using PowerShell

Run the following cmdlet to get the password expiration date of all users in the Active Directory domain.

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, "msDS-UserPasswordExpiryTimeComputed", PasswordLastSet |
Select-Object DisplayName, SamAccountName, PasswordLastSet, @{Name="PasswordExpirationDate"; Expression = {
    # Skip 0 (must change at next logon) and [Int64]::MaxValue (never expires), which FromFileTime cannot convert
    $t = $_."msDS-UserPasswordExpiryTimeComputed"
    if ($t -and $t -ne [Int64]::MaxValue) { [datetime]::FromFileTime($t) } else { $null } }} |
Where-Object { $_.PasswordExpirationDate -ne $null } |
Sort-Object PasswordExpirationDate

4. How to enable password expiry notification in Active Directory?

In large organizations, manually tracking users with soon-to-expire passwords and notifying them to reset is a tedious process. Imagine the time spent tracking password expirations, finding soon-to-expire accounts, and sending reminders individually.

As a workaround, Active Directory provides password expiry notifications. This alerts users about upcoming password expirations, allowing them to update their passwords on time.

Set password expiry reminder in Active Directory

  • Open Group Policy Management in Server Manager, right-click Default Domain Policy, and select Edit.
  • Double-click the Interactive logon: Prompt user to change password before expiration policy.
  • Select Define the policy setting check box and specify the number of days in advance the user will be notified of password expiration.
  • Click Apply and then click OK.

When users log in during the password expiration period, they will see a notification like the one below, warning that their password is about to expire. This alerts users to update it promptly or contact you before they are locked out.

Consider changing your password. Your password expires today. To change your password, press CTRL + ALT + DELETE and then click “Change a password.”

However, if a user does not log in during the specified password expiry alert period due to any reason, they will miss the notification and risk being locked out. This is where native alerts can fail.

Go beyond native Active Directory password expiry alerts with AdminDroid!

  • Use the pre-built password expiry reminder to email users and selected admins or helpdesk staff. This ensures that password expiry notifications are delivered even if someone misses the login alert.
  • You can also schedule daily follow-ups until the password is updated to ensure successful password reset.
