One-Liner: Get a List of AD Users Password Expiry Dates

All good things come to an end.

Rivers run their course, curtains fall and… passwords expire. We have epilogues, codas and an Active Directory constructed attribute named msDS-UserPasswordExpiryTimeComputed.

How can we use that attribute to get a list of enabled Active Directory accounts and their password expiry times?


# Enabled accounts whose password can expire; the computed expiry is a FILETIME value, converted here to a DateTime
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object -Property "Displayname",@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}




Here’s some sample output:


The end.
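
The one-liner hands the raw attribute straight to FromFileTime, which is where the 1601 dates reported in the comments come from. As an added example (not the author's code), here is a pipeline function that checks the attribute's sentinel values before converting; the function name, status labels and the -WarnDays parameter are assumptions for illustration, and the sample records are constructed.

```powershell
# Added example, not from the original post.
# Function name, status labels and -WarnDays are illustrative assumptions.
function ConvertTo-PasswordExpiry {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 7,
        [datetime] $Now = (Get-Date)
    )
    process {
        $raw    = $User.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        if ($null -eq $raw) {
            # Attribute not requested with -Properties, or not returned to this caller
            $status = 'NotReturned'
        } elseif ([int64]$raw -eq 0) {
            # pwdLastSet is 0: password never set, or must change at next logon.
            # FromFileTime(0) is what renders as 1/1/1601.
            $status = 'MustChangeAtNextLogon'
        } elseif ([int64]$raw -eq [int64]::MaxValue) {
            # 0x7FFFFFFFFFFFFFFF: no expiry applies; FromFileTime() would throw
            $status = 'NeverExpires'
        } else {
            $expiry = [datetime]::FromFileTime([int64]$raw)
            if     ($expiry -le $Now)                    { $status = 'Expired' }
            elseif ($expiry -le $Now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
            else                                         { $status = 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            ExpiryDate     = $expiry
            Status         = $status
        }
    }
}

# Constructed records standing in for Get-ADUser output, so this runs offline
$now  = Get-Date
$attr = 'msDS-UserPasswordExpiryTimeComputed'
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; $attr = $now.AddDays(3).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'bob';   $attr = $now.AddDays(-2).ToFileTime() }
    [pscustomobject]@{ SamAccountName = 'carol'; $attr = [int64]0 }
    [pscustomobject]@{ SamAccountName = 'svc01'; $attr = [int64]::MaxValue }
    [pscustomobject]@{ SamAccountName = 'dave';  $attr = $null }
)
$sample | ConvertTo-PasswordExpiry -Now $now | Format-Table -AutoSize

# Live domain (needs the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties $attr | ConvertTo-PasswordExpiry
```

Dropping the PasswordNeverExpires clause from the filter, as in the commented live query, lets the NeverExpires rows surface accounts that are exempt from expiry, which is usually the list an auditor wants first.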

Comments (48)
  1. Alice.walker says:

    Thanks for creating the PowerShell script, but I tried this Lepide User Password Expiration Reminder Tool ( ) that provides a way of making the account adhere without causing the account to expire immediately and automate password management without help desk calls and get the complete status reports in HTML, PDF and in CSV files format on users whose Active Directory password is soon to expire.

  2. Anonymous says:

    Nice one…Thanks for Sharing…IMHO This should be a default in the UI

  3. Add "-Server YOURDOMAINNAME" as an additional parameter of the Get-ADUser cmdlet.

    The end?

  4. Great stuff says:


  5. Tony G says:

    This returns a date/time with a year of 1600. Why not just detect the max password age and add it to PasswordLastSet? Like so:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", `

  6. Bryan says:

    Tony, your syntax doesn’t work. Should be:

    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties * |
    Select-Object -Property "Displayname", @{n="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}}

    After running that, the ones that showed a year of 1600 will now just not show any date. I think what you’re picking up there are shared mailboxes and/or replicated contacts.

  7. mike says:

    but how can i use this in magento

  8. Martin says:


  9. Dan_IT says:

    Bryan, with your alterations, the script works great! How might I be able to alter the script to only display accounts whose passwords will expire within 7 days?

  10. Jessica3 says:

    Here’s a script for only selecting accounts that will expire in 7 days (should be a quick edit to get within 7 days instead):

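    #get max password age policy
    $maxPasswordAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.Days

    #expiring in 7 days
    $7days = (Get-Date).AddDays(7 - $maxPasswordAge).ToShortDateString()

    Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False -and PasswordLastSet -gt 0} -Properties * | where {($_.PasswordLastSet).ToShortDateString() -eq $7days} | select *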

  11. Alessandro says:

    Users with Expiring date set to 1600 are those disabled

  12. Dr.Jones says:

    You could also make it the way I’ve done. I added it to my powershell profile, using function get-passexpiry ($user). This way you only need to ask it for one particular user’s password expiry information. a-la

    function get-passexpiry ($user)
    {
        <#
        .SYNOPSIS
        Use to get information about a target user.
        .DESCRIPTION
        Lists the users user ID to check you have the right user. Also lists whether the password is expired right now (Boolean value), when the password was last set, and if the password is set to never expire (Boolean Value). Password expiry date is not a retrievable value from Active Directory. Requires the NAME of the user, in speech marks.
        .EXAMPLE
        get-passexpiry "ann onymous"
        #>
        try {
            write-host "Connecting to Active Directory."
            $maxPasswordAge = (get-addefaultdomainpasswordpolicy).MaxPasswordAge.Days
            $usercheck = get-aduser -filter 'name -eq $user'
            if ($usercheck -eq $null) {
                write-warning -message "Specified user does not exist."
            } else {
                get-aduser -filter 'name -eq $user' -properties Passwordexpired,passwordlastset,passwordneverexpires | select samaccountname,Passwordexpired,passwordlastset,passwordneverexpires,@{l="ExpiryDate";e={$_.PasswordLastSet.AddDays($maxPasswordAge)}} | format-list
            }
        } catch {
            $errormessage = $_.exception.message
            if ($errormessage -like '*is not defined*') {write-warning "D'oh. You forgot to specify a user."}
        }
    }

    This function shows you a true/false reading of if their password has expired, and whether their password is set to never expire. It also shows the date/time they last changed their password, and confirms the UPN of the user, to make sure you’re looking at the right user (in the case of similar names). It also warns if you’ve left the name field blank, or if that particular name doesn’t exist in the system. Thanks to you guys for showing me how to find the password expiry date! A very useful addition to my script.

  13. iliyas ali says:

    Karnga bada

  14. Martin Horwood says:

    Great script, added the searchbase filters and exported to HTML for OU specific reports

  15. Debabrata says:

    I want to run the PasswordExpiryTimeComputed on a particular domain.

  16. Bgone says:

    I want to run the PasswordExpiryTimeComputed on a particular domain. Could anyone help with a full script?

  17. Minister says:

    @Bgone That’s a matter of context. You need to run the script on the domain you want the information from.

  18. adam says:

    This is great, thanks!!!

  19. cari says:

    And where do I use this script? In the AD module for Windows PowerShell? Sorry, not knowledgeable.

  20. daro says:

    I’ve written an article on this that does not require use of powershell. Take a look at:

  21. Ekramy Elnaggar says:

    the users with password expiration date like “1/1/1601 1:00:00 AM”, such users are the users that never set their passwords, you can check this from the attribute "pwdLastSet", also you will find that the "user must change password at next logon" checkbox is checked.

  22. ayaaz says:

    Could you please advise what n= and e= in your script represent and explain what they are e.g. variables. Tried figuring it out and looking it up but I’m having no luck.

  23. Kermit T. Frog says:

    I consider myself an advanced Excel user, but for some strange reason, I cannot get the data_time stuff to be anything but text in Excel. Anyone that can help me get past this mental block gets a lollipop.

  24. Baggio says:

    Could someone help me with the following. I need a Powershell script that sets: Password must change @ next logon if the password expires in 1 day. Thanks in advance!

  25. Mark says:

    Great work, where did you find "msDS-UserPasswordExpiryTimeComputed"?

  26. @Mark – it’s a constructed attribute:

    Get-ADObject -SearchBase "CN=Schema,CN=Configuration,dc=fabrikam,dc=COM" -ldapfilter '(systemFlags:1.2.840.113556.1.4.803:=4)' -Properties systemFlags

  27. Rune3 says:

    Great post Ian!

    Came across this as I was looking for a more verbose way to alert the users with expiring passwords (the Win7+ popup on the taskbar can easily be overlooked).
    I prefer your "msDS-UserPasswordExpiryTimeComputed" over the other scripted suggestions in here. Why? It’s the only way to tell the real expiry time when you have Fine Grained password policies in place.
    Thanks for sharing!

  28. Mohammd asif nagori says:

    Mohammd asif nagori

  29. Chris says:

    hi i was wondering if anyone knew a command that i could look for accounts with passwords 91 days old and disable them.

    thank you very much 🙂

  30. Jason P says:

    Nominating this for ‘Longest ‘One-Liner’ Award’.
    Very nice. Thank you!

  31. New User says:

    Can someone please supply the script to find and delete all users whose account has been expired for 30 days. Thanks

  32. Frank says:

    In the AD you have "Saved queries", here you can make a query 90 days not signed in, this list you can select to "disable"

  33. charles says:

    You can also use it to send notifications to users before their passwords expire via email/SMS, which is super useful as users are aware that they need to change password:

  34. Vlad says:

    Thank you Ian.

  35. David - Royal IT says:

    Perfect blog – short, sharp and humorous – well done.

  36. Dzung Dze says:

    one of the BEST one-liner I have ever stumbled upon. Excellent work and thank you !!!

  37. W says:

    Thanks! It worked great.

  38. Stojko says:

    If you need this info for only one user, isn’t it easier with net user

  39. Chad says:

    So what if you only wanted people whose account is going to expire in X days?

  40. lethargos says:

    On my Windows Server 2012 it doesn’t work. For most users it shows 1/1/1601 (there’s only one user whose real expiration date is displayed, don’t know why that is).

  41. lethargos says:

    Sorry, I got a little bit ahead of myself. It does work after running powershell with admin rights 🙂
    Not a bad script. Thank you.

  42. charles says:

    Is the result of the script you wrote and “net user account | findstr expire” match the result of this command?

  43. Thanks Ian! Your one liner was useful for me today 🙂

  44. Frank R says:

    Add this pipe to export to .csv
    | Export-CSV c:\Tech\AD.csv

    Also, you can change the False to True to show accounts set to not expire.

    Thanks Ian!!!

  45. Ray McGinnes says:

    how can a password I have been using become out of date?

  46. Kuntal Ghosh says:

    Awesome.. It works

  47. MrWizard77 says:

    I am trying to run something similar against an AD group. This is the script I am using. The users are displayed but not the ExpiryDate. Any help would be greatly appreciated.

    $group1 = Get-ADGroupMember “Service_Accounts_180_day”
    foreach ($user in $group1) {Get-ADUser -Filter {Name -eq $} -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed | Select Name,@{Name=”ExpiryDate”;Expression={[dateime]::FromFileTime(“$_.msDS-UserPasswordExpiryTimeComputed”)}}}

Comments are closed.
