How to Find Active Directory Accounts with Expiring Passwords

Every organization has one or more user accounts, whether used for services, applications, development, kiosks, or even standard employees, whose passwords must be changed on schedule or the account will lock. For these user accounts (which might not be used by a human), if the password is not changed by the time the password expiration hits, the account will fail to log on, and whatever relies on that account will stop working.

The property that controls the password expiration is part of the user account object. However, that value is not displayed anywhere in the Active Directory Users and Computers (ADUC) GUI. It is also not a default search option if you try to use the Saved Queries option in ADUC. You could write a script, use PowerShell, or run an LDAP query to find these objects. Or you could just use a tool that has a pre-built query and report around it!

ManageEngine’s ADManager Plus is built for just these types of requests. Figure 1 shows you what the pre-built query looks like and what options you have in narrowing down your search.

Figure 1. Searching for user accounts that have soon-to-expire passwords.

First, you can see that you can narrow down your search by selecting just the OU or OUs where you want to search for users. Next, you can change the range of days for which the password will expire.

Finally, once you get a listing of user accounts that have soon-to-expire passwords, you can change the passwords for them directly in the report.

Sure, creating a script that can find the users is a pretty easy task. However, working with the users after you get the list back from the script is not so easy. ADManager is simple, easy, and efficient for tasks like these.
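The script route mentioned above, as an added example (not from the original article or from ADManager Plus): it reads the computed `msDS-UserPasswordExpiryTimeComputed` attribute through the ActiveDirectory PowerShell module, scoped by OU and day range like the report options described earlier. The function name and the OU in the sample call are assumptions.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper name; lists enabled users whose password expires within -DaysAhead days.
function Get-ExpiringPasswordUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$SearchBase,    # one or more OU distinguished names
        [ValidateRange(1, 365)][int]$DaysAhead = 14
    )

    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)

    $results = foreach ($ou in $SearchBase) {
        $query = @{
            SearchBase  = $ou
            SearchScope = 'Subtree'
            # Skip disabled accounts and accounts flagged "password never expires".
            Filter      = 'Enabled -eq $true -and PasswordNeverExpires -eq $false'
            Properties  = 'msDS-UserPasswordExpiryTimeComputed', 'PasswordLastSet', 'ServicePrincipalName'
        }
        Get-ADUser @query | ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # 0 means "must change at next logon"; Int64.MaxValue means "never expires".
            # FromFileTime throws on MaxValue, so both are filtered out before converting.
            if (-not $raw -or $raw -eq [Int64]::MaxValue) { return }

            $expires = [datetime]::FromFileTime($raw)
            if ($expires -gt $now -and $expires -le $cutoff) {
                [pscustomobject]@{
                    SamAccountName  = $_.SamAccountName
                    Expires         = $expires
                    DaysLeft        = [int][math]::Floor(($expires - $now).TotalDays)
                    PasswordLastSet = $_.PasswordLastSet
                    # An SPN suggests a service account, where expiry breaks an application.
                    HasSpn          = $_.ServicePrincipalName.Count -gt 0
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }
    }
    $results | Sort-Object Expires
}

# Sample call; the OU below is a placeholder, not a value from the article.
# Get-ExpiringPasswordUser -SearchBase 'OU=Service Accounts,DC=example,DC=com' -DaysAhead 14
```

The computed attribute already accounts for fine-grained password policies, so the expiry date does not have to be derived from the domain's maximum password age.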



About the Author: Shannon Lewis
