16

Is there a way from either the computer management console or the command line to determine when a user's password will expire?

Note: I'm asking this question for a server that is not part of a domain.

Aheho

2 Answers

22

This can be achieved by the DOS/Batch command

net user username

If you were on a domain you would need to add the switch /Domain. In your case, just insert the username.

This will list the most important details of that account, including the expiry date of the user password.

LumenAlbum
  • Just as additional information: You can also set the expiry date via this command, should you need to do that. See "net user /help" for all info – LumenAlbum Aug 28 '12 at 14:59
  • And a quick and dirty hack for cut and pasting, just use: net user %username% – Codek Mar 26 '15 at 09:01
  • I did net user /domain and it said "The username could not be found." Is this because of some domain security restriction or policy? – atom88 Jan 06 '17 at 21:38
7

If you're chasing the same problem I had in the past, users want better warning of when their password is going to expire, especially when they're away from a typical PC. The following is the script I run every 72 hours (3 days) to e-mail warnings.

# © 2011 Chris Stone, Beerware Licensed
# Derived from http://www.jbmurphy.com/2011/09/22/powershell © 2011 Jeffrey B. Murphy

import-module ActiveDirectory

$warningPeriod = 9
$emailAdmin = "admin@example.com"
$emailFrom = "PasswordBot." + $env:COMPUTERNAME + "@example.com"
$smtp = new-object Net.Mail.SmtpClient("mail.example.com")

$maxdays=(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge.TotalDays
$summarybody="Name `t ExpireDate `t DaysToExpire `n"

(Get-ADUser -filter {(Enabled -eq "True") -and (PasswordNeverExpires -eq "False")} -properties *) | Sort-Object pwdLastSet | foreach-object {

    $lastset=Get-Date([System.DateTime]::FromFileTimeUtc($_.pwdLastSet))
    $expires=$lastset.AddDays($maxdays).ToShortDateString()
    $daystoexpire=[math]::round((New-TimeSpan -Start $(Get-Date) -End $expires).TotalDays)
    $samname=$_.samaccountname
    $firstname=$_.GivenName

    if (($daystoexpire -le $warningPeriod) -and ($daystoexpire -gt 0)) {
        $ThereAreExpiring=$true

        $subject = "$firstname, your password expires in $daystoexpire day(s)"
        $body = "$firstname,`n`nYour password expires in $daystoexpire day(s).`nPlease press Ctrl + Alt + Del -> Change password`n`nSincerely,`n`nPassword Robot"

        $smtp.Send($emailFrom, $_.EmailAddress, $subject, $body)

        $summarybody += "$samname `t $expires `t $daystoexpire `n"
    }
}

if ($ThereAreExpiring) {
    $subject = "Expiring passwords"

    $smtp.Send($emailFrom, $emailAdmin, $subject, $summarybody)
}

Set those four configuration lines appropriately for your environment. Modify other parts as necessary.

PS may complain if the script isn't signed. I signed mine using (I have a code signing certificate):

Set-AuthenticodeSignature PasswordBot.ps1 @(Get-ChildItem cert:\CurrentUser\My -codesigning)[0]

Then I created a simple Scheduled Task, triggers every 72 hours, action is to run C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe with argument C:\Path\To\PasswordBot.ps1.

Note: The computer this script is run on must be a member of the domain, and must have the "Active Directory module for Windows PowerShell" installed. You can run start /wait ocsetup ActiveDirectory-PowerShell on any server to install it, or find it in the Features list in Windows 7 (RSAT might be required, I can't remember now).

Chris S
  • This seems to be an awesome script but as you point out it needs to be run on a member of the domain. However, his premise is that the server is not part of a domain. Still great script – LumenAlbum Aug 28 '12 at 15:06
  • Could this script be altered to work on a server that is not part of a domain? – Aheho Jan 21 '16 at 15:32
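
The following is an added example, not part of the original thread or any poster's code: an expiry report for local accounts on a server that is not joined to a domain, which is the case the question and the last comment ask about. It assumes Windows PowerShell 5.1 or later, where Get-LocalUser returns a PasswordExpires property; the function name Get-PasswordExpiryStatus, its parameters and the sample accounts are constructed for illustration.

```powershell
# Added example (not from the thread): password-expiry report for LOCAL accounts.
# Assumption: Windows PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts
# module, whose Get-LocalUser objects carry Name, Enabled and PasswordExpires.
# Get-PasswordExpiryStatus and its parameters are hypothetical names.
function Get-PasswordExpiryStatus {
    param(
        [Parameter(Mandatory)] [object[]] $User,   # objects shaped like Get-LocalUser output
        [int] $WarningDays = 9,                    # same warning window as the AD script
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in $User) {
        if (-not $u.Enabled) { continue }          # disabled accounts are not reported
        if ($null -eq $u.PasswordExpires) {
            # No expiry date is reported for this account
            $days = $null
            $status = 'NoExpiry'
        } else {
            $days = [math]::Floor(($u.PasswordExpires - $Now).TotalDays)
            if ($days -lt 0) { $status = 'Expired' }
            elseif ($days -le $WarningDays) { $status = 'ExpiringSoon' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{
            Name            = $u.Name
            PasswordExpires = $u.PasswordExpires
            DaysToExpire    = $days
            Status          = $status
        }
    }
}

# Constructed sample accounts, so the logic can be checked without touching a real SAM database.
$now = [datetime]'2024-01-10'
$sample = @(
    [pscustomobject]@{ Name = 'alice';   Enabled = $true;  PasswordExpires = [datetime]'2024-01-15' }
    [pscustomobject]@{ Name = 'bob';     Enabled = $true;  PasswordExpires = [datetime]'2024-01-02' }
    [pscustomobject]@{ Name = 'svc_app'; Enabled = $true;  PasswordExpires = $null }
    [pscustomobject]@{ Name = 'old';     Enabled = $false; PasswordExpires = [datetime]'2023-06-01' }
)
Get-PasswordExpiryStatus -User $sample -Now $now | Format-Table -AutoSize

# On a standalone server, report every enabled local account that needs attention.
if (Get-Command Get-LocalUser -ErrorAction SilentlyContinue) {
    Get-PasswordExpiryStatus -User (Get-LocalUser) |
        Where-Object { $_.Status -ne 'OK' } | Format-Table -AutoSize
}
```

Accounts reported as NoExpiry are worth reviewing separately, since a local account with no expiry date falls outside the reminder window altogether.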