Avatar of hmedme
hmedme asked on

Find Expired User Passwords on Server 2003 R2 Domain


I am in need of help finding users accounts who's password is or will be expiring.  Many of my users are remote (mobile devices) and do not log into a workstation on the domain and do not get a indication their password will be expiring.  My domain controller is a Windows Server 2003 R2 SP2 install.  I have experience with Group Policy, but little with Power Shell and scripts.

Thank you for your time in advance.
Windows Server 2003Active Directory

Avatar of undefined
Last Comment

8/22/2022 - Mon

This link shows a vbscript that will do more than what you're looking for, so you'll want to trim it back.

Basically, the script (as it is in that example) will find users within a 14 day expiration period and generate an email to them.  You may not need to notify them via email, so that part is up to you.  The 14 day trigger point will be your notification that an account is within that 14 day period (that is configurable).

Let us know if you need help adjusting any of the code!
Prashant Girennavar


Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question

This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.

Thanks for all the responses.  I will get back to this thread with results ASAP.

Thanks again.

Ok, I decided on giving Quest ActiveRoles Management Shell as shot as has other commands I can use.  I tried running the following but it returns no results.

Get-QADUser -AccountExpiresBefore "December 31, 2013"
Get-QADUser -AccountExpiresBefore "September 14, 2014"

The following command does return results:

Get-QADUser -CreatedAfter "January 1, 2009"


I think this nailed it:

Get-QADUser -Name * | select givenName,sn,name,PasswordExpires

Thank you all for your help.  Excellent range of answers and angles.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.