Windows OS Hub

October 11, 2024

Configuring Password Expiration Notifications for AD Users

Although Microsoft has removed the requirement to periodically change user passwords from its security baselines, most on-premises Active Directory domains have a policy that specifies the maximum age of a user’s password. Users often forget to change their expired passwords in time, resulting in unnecessary calls to IT support.

In this article, we’ll look at how to find out when a user account password on a domain will expire, and how to remind the user in advance that they need to change their password.

Contents:
  • How to Get the User Password Expiration Date in Active Directory
  • Enable Active Directory Password Expiration Notification Policy
  • Show a Password Expiration Pop-up Notification with PowerShell
  • Send Account Expiration Email Notifications with PowerShell

How to Get the User Password Expiration Date in Active Directory

The AD domain password policy settings determine the expiration date of a user’s password in a domain. To find the current settings of a domain’s password expiration policy, run the PowerShell command:

Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge

In this example, the maximum age of user passwords in the domain is 60 days.

powershell: Get-ADDefaultDomainPasswordPolicy|select MaxPasswordAge

In addition, a Fine-Grained Password Policy (FGPP) can optionally be used to apply custom password expiration settings to specific AD users and groups. In that case the effective maximum password age for a user may differ from the default domain policy.

The user object in Active Directory only stores the pwdLastSet attribute, which contains the date of the last password change (it can be viewed in the ADUC console (dsa.msc) -> Attribute Editor tab).

pwdlastset value in user properties ADUC

You can find out the expiration date of a user’s password in a domain using PowerShell (the Active Directory module for PowerShell is required), which can read the value of the msDS-UserPasswordExpiryTimeComputed attribute. msDS-UserPasswordExpiryTimeComputed is a constructed attribute whose value is calculated on the fly by the domain controller from the date of the last password change and the password policy that applies to the user (the default domain policy or an FGPP).

Get-ADUser -Identity jsmith -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet, PasswordNeverExpires, PasswordExpired |
    Select-Object -Property Name, PasswordLastSet, PasswordNeverExpires, PasswordExpired,
        @{Name = "ExpiryDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}

msDS-UserPasswordExpiryTimeComputed shows when ad user password will expire

The cmdlet returns the values of the following attributes:

  • PasswordLastSet – time of the last password change;
  • PasswordNeverExpires – returns True if the user’s password is set to never expire. This is one of the bit flags of the UserAccountControl attribute;
  • PasswordExpired – returns True if the user’s password has expired;
  • ExpiryDate – the password expiration date (calculated from msDS-UserPasswordExpiryTimeComputed).

List all enabled users from a specific AD container (Organizational Unit) whose passwords have expired (accounts with the "password never expires" flag are excluded):

$Users = Get-ADUser -SearchBase 'OU=Users,OU=NewYork,DC=woshub,DC=com' -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } -Properties msDS-UserPasswordExpiryTimeComputed, PasswordLastSet
$Users | Select-Object Name, @{Name = "ExpirationDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}, PasswordLastSet |
    Where-Object ExpirationDate -lt (Get-Date)

PowerShell: list AD users with expired passwords

If the value of msDS-UserPasswordExpiryTimeComputed is 0, it means that pwdLastSet is empty (null) or equal to 0 (the password has never been set, or the user must change it at next logon). Note that [datetime]::FromFileTime(0) returns 01.01.1601, so such accounts appear to have a password that expired centuries ago; a value equal to the maximum Int64 means that the effective policy has no maximum password age, and FromFileTime throws an error for it. Scripts that calculate the number of days left should check for both values.
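The following function is an added example (it is not code from the article) that builds the expiry report described above while handling the two special values of msDS-UserPasswordExpiryTimeComputed explicitly: 0 (password must be changed, no date to compute) and the maximum Int64 (no maximum age under the effective policy). It assumes the Active Directory module for PowerShell and a domain connection; the OU path and the WarnDays value are placeholders.

```powershell
# Added example, not part of the original article.
# Returns one object per user with the password state and the days left until expiry.
function Get-PasswordExpiryInfo {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # placeholder OU path is passed by the caller
        [int] $WarnDays = 7                            # assumption: warn within the last 7 days
    )
    $now = Get-Date
    $users = Get-ADUser -SearchBase $SearchBase `
        -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
        -Properties 'msDS-UserPasswordExpiryTimeComputed', PasswordLastSet, EmailAddress

    foreach ($u in $users) {
        $raw    = $u.'msDS-UserPasswordExpiryTimeComputed'
        $state  = 'Expiring'
        $expiry = $null
        if ($null -eq $raw -or $raw -eq 0) {
            # pwdLastSet is 0/null: the password has never been set or must be changed at next logon.
            # FromFileTime(0) would return 01.01.1601, so do not convert it.
            $state = 'MustChangeAtNextLogon'
        } elseif ($raw -eq [long]::MaxValue) {
            # Effective policy (e.g. a fine-grained policy) has no maximum age; FromFileTime would throw.
            $state = 'NoMaximumAge'
        } else {
            $expiry = [datetime]::FromFileTime($raw)
            if ($expiry -lt $now) { $state = 'Expired' }
        }
        $daysLeft = if ($expiry) { [math]::Floor(($expiry - $now).TotalDays) } else { $null }

        [pscustomobject]@{
            Name            = $u.Name
            SamAccountName  = $u.SamAccountName
            EmailAddress    = $u.EmailAddress
            PasswordLastSet = $u.PasswordLastSet
            ExpiryDate      = $expiry
            DaysLeft        = $daysLeft
            State           = $state
            NeedsWarning    = ($state -eq 'Expiring' -and $daysLeft -le $WarnDays)
        }
    }
}

# Usage (the OU path is a placeholder): list users who should be warned now
Get-PasswordExpiryInfo -SearchBase 'OU=Users,OU=NewYork,DC=woshub,DC=com' -WarnDays 7 |
    Where-Object NeedsWarning |
    Format-Table Name, ExpiryDate, DaysLeft, State
```

Because the State column separates users who must change their password at next logon from users whose policy has no maximum age, the report does not show the misleading "expired in 1601" rows that a plain FromFileTime conversion produces.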

Enable Active Directory Password Expiration Notification Policy

If you want to notify Active Directory users when they need to change their password, you can enable a separate Group Policy option in Windows.

The Interactive logon: Prompt user to change password before expiration policy is located in the GPO section: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options.

Group Policy parameter: Interactive logon: Prompt user to change password before expiration

This policy is enabled by default in the local Group Policy settings (gpedit.msc), and notifications start to appear 5 days before the password expires.

Once this policy is enabled, a notification to change the password appears in the system tray every time the user logs on to Windows while the password is about to expire. You can change the number of days before expiration at which users start seeing the notification.

Consider changing your password
Your password will expire in xx days.

consider changing password expiration popup notification on windows

However, this message appears for a few seconds and is often ignored by users. Therefore, you can configure an additional pop-up notification for users when they need to change their password.

Show a Password Expiration Pop-up Notification with PowerShell

The following PowerShell script displays a pop-up message that prompts the user to change their password if it expires in less than 5 days (accounts whose password never expires, has never been set, or has no maximum age under the effective policy are skipped):

$DaysLeft = 5
try {
    Add-Type -AssemblyName PresentationCore, PresentationFramework, WindowsBase, System.Windows.Forms
} catch {
    Throw "Failed to load Windows Presentation Framework assemblies."
}
$curruser  = Get-ADUser -Identity $env:USERNAME -Properties 'msDS-UserPasswordExpiryTimeComputed', 'PasswordNeverExpires'
$expiryRaw = $curruser.'msDS-UserPasswordExpiryTimeComputed'
# Skip the account if the password never expires, has never been set (value 0)
# or has no maximum age ([long]::MaxValue): FromFileTime would return 01.01.1601 or throw,
# and the message would report a huge negative number of days
if (-not $curruser.PasswordNeverExpires -and $expiryRaw -gt 0 -and $expiryRaw -ne [long]::MaxValue) {
    $timediff = (New-TimeSpan -Start (Get-Date) -End ([datetime]::FromFileTime($expiryRaw))).Days
    if ($timediff -lt $DaysLeft) {
        $msgBoxInput = [System.Windows.MessageBox]::Show("Your password will expire in " + $timediff + " days!`nDo you want to change it now?", "Important!", "YesNo", "Warning")
        switch ($msgBoxInput) {
            'Yes' {
                # The line for the current session in quser output starts with ">"; check if it is a console session
                $Console = quser | Select-String -Pattern ">" | Select-String -Pattern "console" -Quiet
                if ($Console) {
                    # Local (console) logon: prompt for a new password with Set-ADAccountPassword
                    Start-Process -FilePath powershell -ArgumentList "-command Set-ADAccountPassword -Identity $env:USERNAME ; pause"
                }
                else {
                    # RDP session: open the Windows Security change password screen
                    cmd /c "C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"
                }
            }
            'No' { }
        }
    }
}

The script requires the Active Directory module for PowerShell to be installed on users’ computers. The module can be used even if RSAT is not installed. See: Using the AD module without installing RSAT.

password expiration reminder using PowerShell

If there are less than 5 days left before the password expires, the script prompts the user to change the password. If the user clicks Yes, the script checks whether the user is logged on at the computer console or remotely:

  • If an RDP session is detected, the user sees the Windows Security change password screen (the one normally opened by pressing Ctrl+Alt+Del, or Ctrl+Alt+End in an RDP session).
  • If the user is logged on locally (console session), the Set-ADAccountPassword cmdlet prompts the user for the current and new password.

Schedule this PowerShell script to run via the Task Scheduler, or run it as a GPO logon script.

This only works on computers that are joined to an Active Directory domain. If a user connects to the domain via VPN or uses a web client only (such as OWA), they will not see a notification that their password is about to expire. In this case, you can email users before their password expires.

Send Account Expiration Email Notifications with PowerShell

If you want to notify users by sending them an e-mail when their password is about to expire, you can use this PowerShell script:

$Sender     = "[email protected]"
$Subject    = 'Important! Your password is about to expire!'
$BodyTxt1   = 'Your password for'
$BodyTxt2   = 'expires in'
$BodyTxt3   = 'days. Remember to change your password in advance. Contact the HelpDesk if you have any questions'
$smtpserver = "smtp.woshub.com"
$warnDays   = (Get-Date).AddDays(7)   # notify users whose password expires within 7 days
$2Day       = Get-Date
# Enabled users without the "password never expires" flag, with the computed expiry date
$Users = Get-ADUser -SearchBase 'OU=Users,OU=NewYork,DC=woshub,DC=com' -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } -Properties msDS-UserPasswordExpiryTimeComputed, EmailAddress, Name |
    Select-Object Name, @{Name = "ExpirationDate"; Expression = { [datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed") }}, EmailAddress
foreach ($user in $Users) {
    # Skip users who have no e-mail address in AD (Send-MailMessage would fail on an empty -To)
    if ([string]::IsNullOrWhiteSpace($user.EmailAddress)) { continue }
    # Only passwords that expire within the warning window and have not expired yet
    if (($user.ExpirationDate -lt $warnDays) -and ($2Day -lt $user.ExpirationDate)) {
        $lastdays  = ($user.ExpirationDate - $2Day).Days
        $EmailBody = $BodyTxt1, $user.Name, $BodyTxt2, $lastdays, $BodyTxt3 -join ' '
        Send-MailMessage -To $user.EmailAddress -From $Sender -SmtpServer $smtpserver -Subject $Subject -Body $EmailBody
    }
}

The Send-MailMessage cmdlet has an -Attachments parameter. It allows you to attach a file to the email, for example instructions on how a user can change their password in your corporate environment.

The script finds all enabled domain users whose passwords are about to expire. During the 7 days before the password expires, the user receives an email at the address specified in AD each time the script runs. Emails continue to be sent until the password is changed or expires.

Run this PowerShell script regularly on any computer or server in your domain (the easiest way is a scheduled task). In this example, the script does not use SMTP authentication, so you should add the IP address of this host to the list of allowed senders (relay list) on your SMTP server so that it can send email without authentication.
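The version below is an added example (not the article’s script) of the same notification job hardened for a scheduled task: it sends one mail per user on a fixed set of days before expiry instead of every run, skips users without an address, authenticates to the SMTP relay over TLS instead of relying on an unauthenticated relay, handles the special values of msDS-UserPasswordExpiryTimeComputed, and writes a log line for every decision. The OU path, SMTP host and port, sender address, credential file and log path are placeholders; the credential is assumed to have been exported with Export-Clixml by the account that runs the task.

```powershell
# Added example, not part of the original article. All values below are placeholders.
$SmtpServer = 'smtp.woshub.com'                              # placeholder SMTP relay
$SmtpPort   = 587
$Sender     = 'helpdesk@example.com'                         # placeholder sender address
$SearchBase = 'OU=Users,OU=NewYork,DC=woshub,DC=com'        # placeholder OU
$NotifyDays = @(14, 7, 3, 1)                                 # send one mail on each of these days before expiry
$LogPath    = 'C:\Logs\PasswordExpiryMail.log'               # placeholder log file
# Credential for the SMTP relay, exported earlier with Export-Clixml under the task's account (placeholder path)
$SmtpCred   = Import-Clixml -Path 'C:\Secure\smtp-cred.xml'

$now   = Get-Date
$users = Get-ADUser -SearchBase $SearchBase `
    -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
    -Properties 'msDS-UserPasswordExpiryTimeComputed', EmailAddress

foreach ($u in $users) {
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    # 0/null: password must be changed at next logon; MaxValue: no maximum age. No date to warn about.
    if (-not $raw -or $raw -eq [long]::MaxValue) { continue }

    $expiry   = [datetime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expiry - $now).TotalDays)
    # Already expired, or not one of the notification days: nothing to send today
    if ($daysLeft -lt 0 -or $NotifyDays -notcontains $daysLeft) { continue }

    if ([string]::IsNullOrWhiteSpace($u.EmailAddress)) {
        Add-Content -Path $LogPath -Value "$now`tSKIP`t$($u.SamAccountName)`tno mail address in AD"
        continue
    }

    $body = @"
Your password for $($u.Name) expires on $($expiry.ToString('yyyy-MM-dd')) ($daysLeft day(s) left).
Please change it in advance. Contact the HelpDesk if you have any questions.
"@
    try {
        Send-MailMessage -To $u.EmailAddress -From $Sender -Subject 'Important! Your password is about to expire' `
            -Body $body -SmtpServer $SmtpServer -Port $SmtpPort -UseSsl -Credential $SmtpCred -ErrorAction Stop
        Add-Content -Path $LogPath -Value "$now`tSENT`t$($u.SamAccountName)`t$daysLeft days left"
    } catch {
        Add-Content -Path $LogPath -Value "$now`tERROR`t$($u.SamAccountName)`t$($_.Exception.Message)"
    }
}
```

Run it once a day from the Task Scheduler: because the days-left value is floored, each user matches a given entry of $NotifyDays on exactly one daily run, so the 7-day window produces four reminders rather than seven. The log file is also the place to look when a user reports never having received a reminder (typically a missing EmailAddress attribute or an SMTP error).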

By slightly modifying the script, you can send the password expiration notification directly to the user’s messenger.

  • Send Telegram Messages from PowerShell
  • Sending a Message to Teams Chats with PowerShell


Wayne March 10, 2021 - 4:43 pm

Hi, I tried your PowerShell script that automatically shows a dialog window with the prompt to change a password if it expires in less than 5 days: I changed it from 5 days to 10 days and it notifies that the user’s password will expire in 153470 days?

Can you help me with this? We struggle with VPN users changing their passwords.

Erik March 25, 2021 - 1:09 pm

Same problem as Wayne

Sumaya Khan October 26, 2021 - 11:16 am

These password reset notification alerts stay for 5 seconds only. How can we make this notification stay longer? How do we enable it on the server end to let this notification stay longer?

admin October 26, 2021 - 11:25 am

Are you talking about the “Interactive Logon: Prompt user to change password before expiration” policy?
I do not think that’s possible. You can use email notifications instead.

Sean March 8, 2022 - 5:54 pm

Should cmd /c “explorer shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}” work on Windows 10?
I don’t see the Ctrl+Alt+Del screen.

