How to Get Notified of an Expired Password in Active Directory with PowerShell

This article will go over how to write a script that reads each user's last password change date, works out when that password will expire, and then sends the user an email.

Passwords aren’t the most secure way to protect information these days but still are used nearly everywhere you look. IT professionals in the enterprise sector may potentially manage tens or hundreds of thousands of these passwords for their users. It’s important to ensure each employee knows their password and can successfully sign in to do their work, otherwise the work stops.

There are a couple of reasons why an employee might not be able to sign in due to password problems. The first and probably most common reason is the case of password amnesia. They just forget their password in which case a simple password reset is all it takes to get them back up and going again. Another common reason is an expired password. You can’t be prepared for the former, but it’s easy to be prepared for the latter.

Most organizations have a password policy that limits the amount of time a password can be used. This is a great security practice, but as the saying goes, “Security is the enemy of usability,” and it sometimes doesn’t bode well for the user’s productivity. Employees are busy people, and changing a password is one of the lowest priorities on their To-Do list. However, it’s a critical task that must be done to ensure a secure Active Directory environment. How do you get users to change their passwords before their work is interrupted by an expired password? Send them an email.

In Active Directory, if a password policy is set to expire passwords on a specific interval, then each user account will have an attribute called pwdLastSet. This attribute specifies the date and time the user’s password was last changed. In order to send a user an email when their password is about to expire, we must do some math. Don’t worry, it’s not calculus. The pwdLastSet attribute is nice, but it doesn’t tell us when the password will actually expire. For that, we also need to know how the password policy is configured.

Let’s use PowerShell to find all of the user accounts that have a password that is about to expire and then email them. To start, we’ll need to have the Remote Server Administration Tools (RSAT) package installed. This includes Microsoft’s Active Directory PowerShell module, which contains all of the cmdlets needed to query Active Directory. Once that is installed, all of the Active Directory cmdlets will be available to you in your PowerShell console.

The first task is finding the pwdLastSet attribute on the user accounts. When using the Active Directory module, this attribute has a friendly name called PasswordLastSet.

[Screenshot 1]

You can see I only have a few user accounts and the time each password was last set. Now that I have that attribute, I need to figure out how the password policy is configured, specifically how much time may pass before Active Directory expires the password. To do this, I’ll use the Get-AdDefaultDomainPasswordPolicy cmdlet.

[Screenshot 2]

You can see from the example above that the maximum time a password can be used is 42 days. We now have the last time each user’s password was changed and the amount of time that must pass after those dates for the passwords to expire. The remaining step is to find out how many more days must pass until each of these passwords expires. You can see in the screenshot that three of these user accounts’ passwords will expire in 41 days.

[Screenshot 3]

Now that you have this information, your script can email these users letting them know that their passwords will expire in X days, amongst other things.
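The steps above, put together as an added example (this is not the article's prebuilt script). It assumes the RSAT ActiveDirectory module is loaded and an SMTP relay is reachable; the `$SmtpServer` and `$From` values are placeholders. Rather than adding MaxPasswordAge to PasswordLastSet by hand, it reads the constructed attribute `msDS-UserPasswordExpiryTimeComputed`, which the domain controller calculates for you and which also honours fine-grained password policies that override the default domain policy.

```powershell
# Added example, not the article's own script. Placeholders must be changed.
Import-Module ActiveDirectory

$SmtpServer = 'smtp.example.internal'      # placeholder
$From       = 'helpdesk@example.internal'  # placeholder
$WarnDays   = 7                            # notify when this many days or fewer remain

# Skip disabled accounts and accounts flagged "password never expires" up front.
$users = Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $false' `
    -Properties PasswordLastSet, EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'

foreach ($u in $users) {
    # A null PasswordLastSet (pwdLastSet = 0) means "must change at next logon";
    # there is no expiry date to warn about, so skip it.
    if (-not $u.PasswordLastSet) { continue }

    # The DC computes this attribute from PasswordLastSet and the effective
    # policy (default domain policy or the user's resultant PSO).
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0 or Int64.MaxValue means the password does not expire under the effective policy.
    if (-not $raw -or $raw -eq [Int64]::MaxValue) { continue }

    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [int][Math]::Ceiling(($expires - (Get-Date)).TotalDays)

    # Only warn inside the window; already-expired accounts get no mail here.
    if ($daysLeft -lt 0 -or $daysLeft -gt $WarnDays) { continue }

    if (-not $u.EmailAddress) {
        Write-Warning "$($u.SamAccountName) expires in $daysLeft day(s) but has no mail address"
        continue
    }

    $body = "Your domain password expires on $($expires.ToString('f')), " +
            "which is $daysLeft day(s) from now. Please change it before then."
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $u.EmailAddress `
        -Subject "Your password expires in $daysLeft day(s)" -Body $body

    Write-Verbose "Notified $($u.SamAccountName): $daysLeft day(s) left" -Verbose
}
```

Run it first with `Send-MailMessage` commented out to check the list of accounts it would contact, and schedule it once a day so users are reminded throughout the warning window.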

The method to bring all this functionality together is more complicated than what a simple article can produce. I’ve created a prebuilt script that will suffice for your users to get notified of Active Directory password expirations.

If you’d rather not mess with the code to make all this happen in PowerShell, Netwrix Auditor has a feature called Password Expiration Alerting, which provides very similar functionality but with an easy-to-navigate GUI and many more options. I highly recommend checking that tool out if you need something more robust.