Active Directory is one of the most popular ways to handle user-related activities within an organization, including adding new employees, authentication, streamlining access to apps, deletion of past employee records, modifying access, and more.
While handling these varied aspects of user management, network administrators may also run into issues or inconveniences. Though these features are part of the tool to add a security layer or streamline authentication, they can still demand extra effort from administrators.
One such issue is password expiration.
What is Password Expiration?
Users are prompted to change their passwords periodically, at an interval set by the organization’s security policy. For example, some organizations may require users to change their passwords every 14 days, while others allow a longer period, say 90 days.
This password change is essential from a security standpoint to prevent hackers from gaining access to the corporate network through a compromised password.
How is Password Expiration Handled in Active Directory?
In Active Directory, the account will not be locked if a user’s password expires. Instead, the user will be prompted to change the password, and the new one must follow the password rules established by the organization based on its security policies.
Without changing the password, users will not be given access to the resources within the organization, thereby forcing them to effect the change.
The domain password policy of an organization has two settings, Minimum password age and Maximum password age. As you may have guessed, these represent the minimum and the maximum number of days, respectively, that a password can be used. Often the minimum is one day, while the maximum can be any number of days, depending on the organization’s security policy and encryption methods.
From a user’s standpoint, this can cause inconvenience. Imagine when a user is in a hurry and wants to access a vital resource; the last thing they would like is a password change!
To avoid such scenarios, some companies proactively have an automated setup that informs users a day or week (depending on the configuration) before the password expires, so the same can be changed at one’s convenience.
Identifying the Password Expiration Date for a Single User
The first step to informing users is to know the password expiration date, and this can be found easily using the built-in Windows command net user. This command also comes in handy to add, remove, or modify user accounts and their access and privileges.
The command is:
net user username /domain
It also provides additional details such as when the password was last set, when it expires and can next be changed, the status of the account, group membership, and other pertinent information about a user in a specific domain.
You can use the following parameters or switches to get the required information.
- username: the user account to display, add, delete, or modify
- password: assigns a password to the user account
- /domain: performs the action on the domain controller of the current domain rather than on the local computer
- /add: adds a user account
- /delete: removes a user account
- /active:{yes | no}: activates or deactivates a user account
- /comment:"text": adds a description to the user account
- /countrycode:nnn: sets the country code for the user account
- /expires:{date | never}: sets when the account expires; a date must be in mm/dd/yy or mm/dd/yyyy format
- /fullname:"name": sets the user’s full name; enclose the full name in quotes
- /homedir:pathname: sets the user’s home directory path
- /passwordchg:{yes | no}: specifies whether the user can change their password
- /passwordreq:{yes | no}: specifies whether the account requires a password
The image below gives a glimpse of how these options can be used.
Identifying the Password Expiration Date for all AD Users
In the real world, you are more likely to need the password expiration date for all AD users, or rather to write a script that gets this information and sends reminder emails to users accordingly.
There are many ways to get this information. For example, you can use built-in RSAT tools or the PowerShell command for the same.
If you decide to use PowerShell, this command can get you the password expiration date for all AD users.
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
This command displays the password expiration date for every enabled user whose password is set to expire, and you can feed the output to a script for further processing. Alternatively, you can export these details to a CSV file with this snippet (replace FILEPATH with the output path):
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "DisplayName",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Export-Csv -Path FILEPATH -NoTypeInformation
Thus, this is how you manually find the password expiration dates for one or all users in your AD domain and process it the way you want.
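The reminder script alluded to above, written here as an added example rather than code from the original article. It assumes the RSAT ActiveDirectory module is installed and uses placeholder values for the SMTP relay, sender address and warning window; it also handles the two special values of msDS-UserPasswordExpiryTimeComputed (0 for "must change at next logon" and Int64.MaxValue for "never expires") that would otherwise make FromFileTime throw.

```powershell
# Added example: e-mail AD users whose password expires within the next N days.
# Placeholders to adjust: $SmtpServer, $From, $DaysAhead. Set $WhatIf to $false to send.
Import-Module ActiveDirectory

$DaysAhead  = 7                               # warn when expiry is within this many days
$SmtpServer = 'smtp.example.internal'         # placeholder internal relay
$From       = 'it-helpdesk@example.internal'  # placeholder sender address
$WhatIf     = $true                           # $true = report only, $false = send mail

$now   = Get-Date
$never = [Int64]::MaxValue   # value AD returns when the password never expires

$users = Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
    -Properties 'DisplayName', 'EmailAddress', 'msDS-UserPasswordExpiryTimeComputed'

$expiring = @(foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change password at next logon; MaxValue = never expires.
    # [datetime]::FromFileTime throws on MaxValue, so skip both before converting.
    if ($null -eq $raw -or $raw -eq 0 -or $raw -eq $never) { continue }
    $expiry   = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Ceiling(($expiry - $now).TotalDays)
    # Already-expired accounts are handled by the logon prompt; only warn ahead of time.
    if ($daysLeft -lt 0 -or $daysLeft -gt $DaysAhead) { continue }
    [pscustomobject]@{
        Name     = $u.DisplayName
        Sam      = $u.SamAccountName
        Email    = $u.EmailAddress
        Expiry   = $expiry
        DaysLeft = $daysLeft
    }
})

if ($expiring.Count -eq 0) {
    Write-Host "No passwords expire within $DaysAhead days."
    return
}

# Keep a CSV record of who was warned, for the helpdesk and for audit.
$expiring | Export-Csv -Path "$env:TEMP\password-expiry-$($now.ToString('yyyyMMdd')).csv" -NoTypeInformation

foreach ($e in $expiring) {
    if (-not $e.Email) { Write-Warning "$($e.Sam) has no mail attribute; skipping"; continue }
    $body = @"
Hello $($e.Name),

Your Active Directory password expires on $($e.Expiry.ToString('yyyy-MM-dd HH:mm')), in $($e.DaysLeft) day(s).
Please change it before then by pressing Ctrl+Alt+Del and choosing "Change a password".
"@
    if ($WhatIf) {
        Write-Host "Would notify $($e.Email): password expires in $($e.DaysLeft) day(s)"
    } else {
        Send-MailMessage -SmtpServer $SmtpServer -From $From -To $e.Email `
            -Subject "Your password expires in $($e.DaysLeft) day(s)" -Body $body
    }
}
```

Run it from a scheduled task on a management host with an account that can read user attributes; the CSV in $env:TEMP doubles as a dry-run report while $WhatIf is left at $true.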
Tools and Utilities
Though PowerShell commands are commonly used, they are not the most intuitive way to get the information you need. In addition, they are even more challenging for people who are not tech-savvy and are not used to command prompts.
The good news is there are alternatives in the form of third-party tools, so we’ll talk about some of the more popular ones to give you an idea of what they can do for you.
Here is our list of the best methods to find password expiration for Active Directory users:
- SolarWinds Admin Bundle for Active Directory – FREE TOOL This suite of tools is designed to help manage your Active Directory and its users through a well-designed user interface.
- ManageEngine ADSelfService Plus – FREE TRIAL A portal that allows users to manage their own passwords and removes the need for technician intervention. Runs on Windows Server.
- Lepide Data Security Platform This tool has password management capabilities to send automated expiration reminders to users.
- ManageEngine’s Password Expiration Notifier Tool Helps you notify an unlimited number of users about password change and account status.
Here’s a deep dive into these tools.
1. SolarWinds Admin Bundle for Active Directory – FREE TOOL
SolarWinds Admin Bundle for Active Directory is a suite of tools that help manage your Active Directory, including adding, modifying, and deleting users through a simple user interface.
It consists of three tools: Inactive User Account Removal Tool, Inactive Computer Removal Tool, and the User Import Tool.
Key Features
The features of SolarWinds Admin Bundle for Active Directory are:
- Supports monitoring across multiple vendors
- Allows you to customize your AD’s topology to meet business changes
- Helps to automate and plan your capacity and the required resources
- Generates dynamic network maps
- Captures packets for further analysis
- Makes it easy to remove inactive users and computers
- Enables you to import users from other systems or directories into AD
Let’s now briefly talk about using each of the three tools.
Using the Inactive User Account Removal Tool
Here’s how you can use this tool to deactivate user accounts.
- Open the tool, and on the dashboard (the default tab), you’ll find the Domain Controller, Username, and Password details.
- Click the “Test Connection” button, and it will tell you if the details you entered passed the credentials test. If yes, click the “Next” button at the right-hand bottom.
- The next page will display all the inactive accounts in your system for a specific period. You can set this date, or you can even search for detailed user accounts.
- You can select the accounts you want to remove and click the “Remove” button at the bottom of the page.
- If you want to export these details for reference, select the accounts and click the “Export” button at the bottom. In the pop-up, choose the fields you want to export and the file’s name and path. If the file you mentioned doesn’t exist, a new file is automatically created.
Using the Inactive Computer Account Removal Tool
The interface and details are exactly the same as in the user account removal tool, except that the list of values you see will be computer accounts rather than user accounts. Follow the same procedure to remove or export computer accounts.
Import Users and Enter Credential Information
As the name suggests, this tool allows you to import users.
- On the default tab of the tool, you’ll see your credentials. Above it, you’ll see an option to import users from a CSV file that contains a user’s information such as username, email address, designation, phone number, or just about any other field you want to populate on your AD.
- You can choose to create only an AD account or an AD account and an Exchange mailbox. Click the “Next” button at the right-hand bottom
- On the next page, map the custom fields from your CSV file to the fields in your AD. You also can add custom fields to your AD to match the details you have on the file.
- Click “Next,” and you’ll see a display of all the user accounts that you’re importing. You can make changes or even deselect the values. Once you’re happy with what you see, click the “Create” button at the right-hand bottom, and new users are added to your AD.
Thus, these are the three tools that come as a part of the SolarWinds Admin Bundle for AD. As you can see, it is much easier and quicker to use this tool than to create custom scripts or navigate your way through a bunch of commands on the command prompt or PowerShell console.
Why do we recommend it?
The SolarWinds Admin Bundle for Active Directory gives you three useful utilities for free. The software package runs on Windows Server, which is where you have your Active Directory implementation hosted. You can use the tool to identify inactive computers and remove them from AD, remove inactive users, and import user accounts.
Who is it recommended for?
Any business that uses Active Directory for access rights management will need this free bundle. The tool doesn’t provide any automation for account management but it lets you scan through accounts quickly and remove dead entities. So, this is an assistant to manager-driven system clean-ups.
Pros:
- A small suite of tools that add additional features to the default access control in AD
- Helps speed up routine access management tasks when on/offboarding users
- Is completely free – great for smaller environments
Cons:
- Larger networks may require more features
This tool is 100% FREE. Click here to download and start using this tool.
2. ManageEngine ADSelfService Plus – FREE TRIAL
ManageEngine ADSelfService Plus lets users change passwords and so reduces instances of account lockout due to password entry mistakes. It cuts down the amount of work that systems technicians need to do in order to support users.
Key Features
The features of ManageEngine ADSelfService Plus include:
- A web-based portal for user access that contains a directory of permitted apps and resources
- Serves user password reset requests
- A mobile app that provides the same function as the Web version
- A single sign-on environment with the user logging into the portal and getting credentials passed to apps automatically
- 2FA that allows a locked out user to prove identity and get the automated system to unlock the account
- An automated interface to Active Directory that does not require technician intervention
- Alerts for repeated failed login attempts that could indicate hacker activity
- Logging for all system access attempts
- Provides a channel to notify all users of password rotation requirements in the event of a system-wide data leak
- Creates a communication channel from technicians to individual users
- Automatically explains lockout reasons to a user
- Runs on Windows Server, AWS, or Azure
- Free version available to manage up to 50 user accounts
Why do we recommend it?
ManageEngine ADSelfService Plus is built around a user portal that lets users reset their own passwords. That feature will relieve your support team of a lot of help calls. However, that isn’t the only utility in this package. It also includes assistants for technicians to manage user accounts.
Who is it recommended for?
This is a useful package for any business that uses Active Directory for its access rights manager. Small businesses with only 50 entities in their AD domain can use the tool for free. So, this is a great service with very wide appeal. The tool is a software package for Windows Server and it can also implement SSO and multi-factor authentication.
Pros:
- Empowers users to change their own passwords – eliminating extra tickets
- Offers a variety of password policy enforcement options
- Supports multi-factor authentication
- Syncs passwords in real-time across the cloud and on-premises AD
Cons:
- Best suited for small to medium-sized helpdesk teams
Pricing ranges from Free at $0, to Standard at $595, and Professional at $1,195. Access a 30-day free trial.
3. Lepide Data Security Platform
Lepide Data Security Platform is a comprehensive tool for streamlining access and managing passwords. It also provides comprehensive organization-wide insights and helps to stay on top of security vulnerabilities.
Key Features
The features of Lepide Data Security Platform are:
- Allows you to have users with passwords that never expire. Also, it generates reports of such users to reduce the possibility of an insider or outsider attack
- Automates the process of sending password reminders, so your IT team can focus on other areas of work
- Sends follow-up notifications if users fail to change their password
- Works well on cloud, on-prem, and hybrid environments
- Generates comprehensive reports about any aspect of user management and passwords within seconds. The pre-defined templates of this tool quicken this process as well
- These reports can be emailed to the concerned people or can be exported to a variety of formats
- Audits changes and reports anomalies
- Tracks the changes made to critical assets
- Comes with hundreds of threat models designed to mimic a wide range of real-time threats, so the same can be mitigated at the earliest
- Spots excessive permissions to user accounts
- Governs data access, including who has access to sensitive and classified data
- Removes false positives with its proximity scanning technology
Why do we recommend it?
Lepide Data Security Platform is a service that documents systems for compliance and better system management. Part of that platform’s services include Active Directory management tools. This package can help you track and clean up your cloud-based AD instances as well as your on-premises system.
Who is it recommended for?
Lepide’s tools are particularly appealing for companies that need to provide compliance reporting for data security standards. Automated scanning for Active Directory will identify account permission changes and reverse them. So, this is a very important security tool as well as an admin assistant.
Pros:
- A simple way to see the last login, name, and CN path of multiple accounts at once
- Can quickly create CSVs or HTML format reports
- Supports bulk AD objects changes
- Lightweight – doesn’t require a lot of resources
- Completely free
Cons:
- Fairly limited; similar tools allow for more functionality, such as bulk password changes and unlocks
Click here to request a quote. Click here for a 15-day free trial.
4. ManageEngine’s Password Expiration Notifier Tool
The Password Expiration Notifier Tool from ManageEngine is a part of the ADSelfService Plus suite, and it sends automated notifications to users about password expiration and account status changes.
Key Features
The features of ManageEngine’s Password Expiration Notifier Tool are:
- Sends notifications via email and SMS
- Notifies users based on OUs and groups
- Generates customizable email templates with attachment options
- Admins can determine when notifications must be sent
- Allows you to create a separate password policy for certain employees, especially those in the higher ranks
- Notifies not just employees but also their managers for extra accountability
- Generates reports related to password changes and account statuses
Why do we recommend it?
ManageEngine’s Password Expiration Notifier Tool is included with the ADSelfService Plus package but if you don’t want all of that bundle, you can get just this tool by itself for free. This handy tool enforces password rotation policies and notifies each user when their passwords need to be changed. You can also get the tool to notify technicians.
Who is it recommended for?
Any business that uses Active Directory could use this free tool. Companies that buy ADSelfService Plus won’t need to download this tool but for companies that don’t feel they need all of the features of that larger package, this option will be appealing.
Pros:
- Detailed reporting, can generate compliance reports for all major standards (PCI, HIPAA, etc)
- Supports multiple domains
- Supports delegation for NOC or helpdesk teams
- Allows you to visually view share permissions and the details of security groups
Cons:
- Is a comprehensive platform that takes time to fully explore
Pricing is 100% FREE. Click here to download the tool.
Conclusion
To conclude, changing passwords is considered a good security practice as it reduces the chances of a hacker entering a network through a compromised password. However, from an implementation standpoint, it can get arduous and cumbersome for network administrators.
While PowerShell commands help identify the password expiration for a single user or all users in AD, they require technical expertise, besides a reasonable amount of time and effort.
An easier option is to use third-party tools like SolarWinds Admin Bundle for Active Directory, as you can manage user accounts, set up automated password reminders, and more through its intuitive user interface.
Find Password Expiration for AD User FAQs
How can password expiration be configured for Active Directory users?
Password expiration can be configured using Group Policy settings in Active Directory. This allows administrators to set the minimum password age, maximum password age, and other password-related policies for all users in the domain.
What is the default password expiration policy in Active Directory?
The default password expiration policy in Active Directory is set to 42 days. However, this can be changed by administrators to suit their security requirements.
What happens when a user's password expires?
When a user's password expires, they will be prompted to create a new password the next time they log in. This is intended to ensure that the user's account remains secure.
How can users be notified when their password is about to expire?
Users can be notified when their password is about to expire using Group Policy settings in Active Directory. This can be configured to send email notifications or display warning messages on the user's computer.
Can password expiration be disabled in Active Directory?
Yes, password expiration can be disabled in Active Directory. However, this is generally not recommended as it can compromise the security of the network.
What are some best practices for password expiration in Active Directory?
Best practices for password expiration in Active Directory include setting a reasonable maximum password age, requiring complex passwords, and using two-factor authentication to further enhance security.
How can administrators enforce password expiration policies for remote users?
Administrators can enforce password expiration policies for remote users by configuring VPN and Remote Access policies to require users to change their passwords regularly.
What are some common problems associated with password expiration policies?
Common problems associated with password expiration policies include user frustration with having to change their password frequently, and users forgetting their passwords due to having to remember multiple passwords for different applications.
How can password expiration policies be managed for a large number of users?
Password expiration policies can be managed for a large number of users using Group Policy settings, scripts, and other automation tools.
What is the role of password expiration in compliance regulations such as HIPAA and PCI DSS?
Password expiration is often a requirement of compliance regulations such as HIPAA and PCI DSS, as it is considered a best practice for securing sensitive information and preventing unauthorized access.
Can third-party tools be used to manage password expiration policies in Active Directory?
Yes, there are many third-party tools available that can be used to manage password expiration policies in Active Directory. These tools provide additional features and functionality beyond what is available in the built-in Group Policy settings.