Find Expired User Passwords on Server 2003 R2 Domain


I am in need of help finding user accounts whose password is or will be expiring. Many of my users are remote (mobile devices) and do not log into a workstation on the domain and do not get an indication their password will be expiring. My domain controller is a Windows Server 2003 R2 SP2 install. I have experience with Group Policy, but little with PowerShell and scripts.

Thank you for your time in advance.

This link shows a VBScript that will do more than what you're looking for, so you'll want to trim it back.

Basically, the script (as it is in that example) will find users within a 14 day expiration period and generate an email to them.  You may not need to notify them via email, so that part is up to you.  The 14 day trigger point will be your notification that an account is within that 14 day period (that is configurable).

Let us know if you need help adjusting any of the code!
Prashant Girennavar Commented:
Check this link

For 2003/2008 use Quest PowerShell AD modules from

Check this as well. Download the tool & run the query.

FindExpAcc.exe -pwd >c:\pwd.csv


hmedme Author Commented:
Thanks for all the responses.  I will get back to this thread with results ASAP.

Thanks again.
hmedme Author Commented:
Ok, I decided on giving Quest ActiveRoles Management Shell a shot, as it has other commands I can use. I tried running the following but it returns no results.

Get-QADUser -AccountExpiresBefore "December 31, 2013"
Get-QADUser -AccountExpiresBefore "September 14, 2014"

The following command does return results:

Get-QADUser -CreatedAfter "January 1, 2009"

hmedme Author Commented:
I think this nailed it:

Get-QADUser -Name * | select givenName,sn,name,PasswordExpires

Thank you all for your help.  Excellent range of answers and angles.
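
An added example (not from any poster in this thread): a filter over the PasswordExpires property shown by the last command above, keeping only accounts whose password has already expired or expires within a warning window (14 days here, the figure mentioned earlier in the thread). Select-ExpiringPassword and the sample users are hypothetical and constructed; the filter works on password expiry, which is a separate attribute from the account expiration date that -AccountExpiresBefore filters on.

```powershell
# Added example, not code from the thread. Written to run on PowerShell 2.0.
# Select-ExpiringPassword is a hypothetical helper name.
function Select-ExpiringPassword {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [int] $WarnDays = 14,            # warning window in days
        [datetime] $Now = (Get-Date)     # injectable so the sample run is repeatable
    )
    process {
        # Skip objects with no PasswordExpires value (assumption: empty when the
        # password is not subject to expiry).
        if ($null -eq $User.PasswordExpires) { return }

        $expires  = [datetime]$User.PasswordExpires
        $daysLeft = [math]::Floor(($expires - $Now).TotalDays)

        # Outside the warning window: nothing to report.
        if ($daysLeft -gt $WarnDays) { return }

        $status = if ($daysLeft -lt 0) { 'Expired' } else { 'Expiring' }

        $User | Select-Object Name, PasswordExpires,
            @{ Name = 'DaysLeft'; Expression = { $daysLeft } },
            @{ Name = 'Status';   Expression = { $status } }
    }
}

# Constructed sample objects standing in for Get-QADUser output.
$now = Get-Date '2013-12-01'
$sample = @(
    New-Object PSObject -Property @{ Name = 'alice'; PasswordExpires = (Get-Date '2013-11-20') }
    New-Object PSObject -Property @{ Name = 'bob';   PasswordExpires = (Get-Date '2013-12-10') }
    New-Object PSObject -Property @{ Name = 'carol'; PasswordExpires = (Get-Date '2014-03-01') }
    New-Object PSObject -Property @{ Name = 'svc01'; PasswordExpires = $null }
)

# alice is reported as Expired, bob as Expiring; carol and svc01 are filtered out.
$sample |
    Select-ExpiringPassword -WarnDays 14 -Now $now |
    Sort-Object PasswordExpires |
    Format-Table -AutoSize

# Against the directory, with the Quest snap-in loaded (output path is a placeholder):
# Get-QADUser -Name * -SizeLimit 0 |
#     Select-ExpiringPassword -WarnDays 14 |
#     Export-Csv C:\path\to\report.csv -NoTypeInformation
```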