Passwords are an essential part of data privacy and security and this is why all organizations have a stringent policy for managing them.
A report by Yubico shows that 69% of respondents share passwords with colleagues to give them access and 51% of respondents reuse passwords across many accounts, thereby opening security loopholes.
Such risky behavior makes it necessary for organizations to enforce a password expiration policy that covers the minimum password length, the minimum and maximum password age, and password complexity.
This article will explain the password expiration date and how to manage the same for Active directory users.
What is Password Expiration Date?
Password expiration date is a policy through which an organization requires its employees to change their password(s) after a certain number of days.
The domain password policy will have a Minimum and Maximum age for every password and you can tweak it to meet your organization’s needs.
There are many reasons for having a set number of days for a password.
First off, all passwords are stored in encrypted form, so it takes attackers a certain amount of time to crack them.
Depending on the strength of the encryption, the organization can choose the maximum age for a password.
Also, this policy will serve as a reminder to users to protect their password and avoid sharing it with others.
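Because the minimum length, minimum and maximum age, and complexity settings mentioned above all live in the domain password policy, a quick way to check whether that policy matches your standard is to read it back with the ActiveDirectory module and compare it against a baseline. The script below is an added example and not part of the original article; the baseline values in $Baseline are assumptions you should replace with your own organization's standard, and Test-PasswordPolicy is a helper name chosen here.

```powershell
Import-Module ActiveDirectory

# Assumed baseline; adjust to your own standard. Not the article's values.
$Baseline = @{
    MinPasswordLength  = 14
    MaxPasswordAgeDays = 90
    MinPasswordAgeDays = 1
    HistoryCount       = 24
    ComplexityEnabled  = $true
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,           # output of Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [Parameter(Mandatory)] [hashtable] $Baseline,
        [string] $Name = 'Default Domain Policy'
    )

    $findings = @()

    if ($Policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
        $findings += "minimum length $($Policy.MinPasswordLength) is below $($Baseline.MinPasswordLength)"
    }

    # A MaxPasswordAge of 0 means passwords never expire, so treat it as a finding too.
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    if ($maxDays -le 0 -or $maxDays -gt $Baseline.MaxPasswordAgeDays) {
        $findings += "maximum age $maxDays days is outside the allowed $($Baseline.MaxPasswordAgeDays) days"
    }

    # A minimum age of 0 lets users cycle through the history in one sitting to reuse an old password.
    if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
        $findings += "minimum age $($Policy.MinPasswordAge.TotalDays) days is below $($Baseline.MinPasswordAgeDays)"
    }

    if ($Policy.PasswordHistoryCount -lt $Baseline.HistoryCount) {
        $findings += "history count $($Policy.PasswordHistoryCount) is below $($Baseline.HistoryCount)"
    }

    if ($Baseline.ComplexityEnabled -and -not $Policy.ComplexityEnabled) {
        $findings += 'complexity requirement is disabled'
    }

    # Reversible encryption stores passwords recoverably; it should never be on.
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'reversible encryption is enabled'
    }

    [pscustomobject]@{
        Policy    = $Name
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Check the default domain policy and every fine-grained policy (PSO) in the domain.
$results = @()
$results += Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Baseline $Baseline
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Policy $pso -Baseline $Baseline -Name "PSO: $($pso.Name)"
}
$results | Format-Table -AutoSize
```

Fine-grained password policies are included because a PSO with a higher precedence silently overrides the default domain policy for the groups it applies to, so auditing only Get-ADDefaultDomainPasswordPolicy can miss a weaker policy that actually governs privileged accounts. Changes to the default policy can then be made with Set-ADDefaultDomainPasswordPolicy (for example with -MaxPasswordAge and -MinPasswordLength) once the findings are reviewed.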
Now that you know why password expiration is necessary, let’s see how you can view it for a single user as well as for all users in your AD.
Displaying the Password Expiration Date for a Single User
The easiest way to view the password expiration date for a single user is through a built-in Windows command called Net User.
This command is used to add, remove, or modify user accounts, and it is typically run from the command prompt.
So, open your command prompt and type the following command to see the details for a single user (the /domain switch queries the domain controller rather than the local machine):
net user username /domain
This command displays the relevant details of the account, such as the date the password was last set, the date the password expires, the logon hours allowed, group memberships, and more.
If you find this cumbersome, you can always look at free tools like SolarWinds Admin Bundle for AD that will give you all this information through an intuitive GUI.
Next, we’ll see how you can get this information for all AD users.
Displaying the Password Expiration Date for all AD Users
The easiest way to get this information is through PowerShell, but you should have the AD module installed.
Another option is to use RSAT tools.
The command you should use to get this information is available in the Microsoft blog and it is shown here for your reference.
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
The output lists each user’s display name alongside the computed expiry date.
You can export this information to a .CSV file by simply appending the Export-Csv cmdlet at the end of the pipeline, after Select-Object, like this (replace FILEPATH with the path of the file to write):
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Export-Csv -Path FILEPATH -NoTypeInformation
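The one-liner above breaks on a detail the Microsoft command does not handle: msDS-UserPasswordExpiryTimeComputed is not always a convertible timestamp. For an account whose effective policy (default or fine-grained) has no maximum age, the attribute holds the Int64 maximum value, and [datetime]::FromFileTime throws on it; for an account flagged “must change password at next logon” it holds 0. The script below is an added example, not code from the article or from Microsoft, that handles both cases, adds a days-remaining column so expiring accounts can be spotted, and covers both the single-user case from the previous section (via -Identity) and the all-users case. Get-PasswordExpiryReport is a helper name chosen here, and the output path is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [string] $Identity       = $null,   # one sAMAccountName; omit to report on all enabled users
        [int]    $WarnWithinDays = 14,      # flag accounts expiring within this many days
        [string] $SearchBase     = $null    # optional OU distinguished name to limit the query
    )

    $props = 'DisplayName', 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'

    if ($Identity) {
        $users = Get-ADUser -Identity $Identity -Properties $props
    } else {
        $query = @{
            Filter     = { Enabled -eq $true -and PasswordNeverExpires -eq $false }
            Properties = $props
        }
        if ($SearchBase) { $query.SearchBase = $SearchBase }
        $users = Get-ADUser @query
    }

    # Largest file time that [datetime]::FromFileTime can convert; anything at or above it
    # (AD uses [long]::MaxValue for "no expiry") would throw.
    $maxConvertible = [datetime]::MaxValue.ToFileTime()
    $now = Get-Date

    foreach ($u in $users) {
        $raw      = $u.'msDS-UserPasswordExpiryTimeComputed'
        $expiry   = $null
        $daysLeft = $null

        if ($u.PasswordNeverExpires -or $null -eq $raw -or $raw -ge $maxConvertible) {
            $status = 'NoExpiry'                  # flag or policy with no maximum age
        } elseif ($raw -eq 0) {
            $status = 'MustChangeAtNextLogon'     # pwdLastSet is 0
        } else {
            $expiry   = [datetime]::FromFileTime($raw)
            $daysLeft = [math]::Floor(($expiry - $now).TotalDays)
            if     ($daysLeft -lt 0)               { $status = 'Expired' }
            elseif ($daysLeft -le $WarnWithinDays) { $status = 'ExpiringSoon' }
            else                                   { $status = 'OK' }
        }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            DisplayName     = $u.DisplayName
            PasswordLastSet = $u.PasswordLastSet
            ExpiryDate      = $expiry
            DaysLeft        = $daysLeft
            Status          = $status
        }
    }
}

# Single user, equivalent to "net user username /domain" but as an object:
Get-PasswordExpiryReport -Identity 'jdoe'

# All enabled users, sorted so the soonest expiries and already-expired accounts come first,
# then exported to a CSV (placeholder path):
$report = Get-PasswordExpiryReport -WarnWithinDays 14
$report | Sort-Object ExpiryDate | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Reports\PasswordExpiry.csv' -NoTypeInformation -Encoding UTF8
```

The Status column is the useful part for a review: a NoExpiry row for an account the filter did not exclude means a fine-grained policy with no maximum age applies to it, which is worth checking against the policy audit, and Expired rows on still-enabled accounts are candidates for follow-up since those credentials may no longer be in use by their owner.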
And that’s it! You’re good to analyze these password expiration dates or update the policy to meet your organization’s security requirements.
ManageEngine ADSelfService Plus – FREE TRIAL
You can save time on password policy creation and user credential management by installing an automated tool. An example of such a system is ManageEngine ADSelfService Plus. This system provides a password manager that interfaces with all of your AD domain controllers, including those that operate for cloud services such as Microsoft 365 and Google Workspace.
This tool supports your creation of a secure password policy and then enforces it. You can also impose a multi-factor authentication requirement through this system. The software package includes a single sign-on portal for users that includes a password reset request service. The resets are managed automatically by ADSelfService Plus without the need for technician intervention.
The best way to understand systems that specialize in password management is to access the ADSelfService Plus 30-day free trial.