How to check the password expiration date?

One of the most frequent and urgent calls to the help desk is the locked account. An account lockout can occur for different reasons. I demonstrate one such situation in this post, where the user changed the password in the system and did not update it on his own mobile phone.

The second most common reason for account lockout is password expiration. In properly administered systems, every user's password must expire after X amount of time. The best security practice is to change the password at regular intervals of 30 days. If this is too short for you, you can change your password at intervals of 45 to 60 days.

I will show you a very simple command-line trick that shows when your password will expire. I have used this command on different Windows versions, from Windows XP and Server 2003 up to Windows 10 and Server 2012 R2.

The NET command

Windows has a lot of command-line tools, and NET is one of the very old command-line interfaces. The NET command has a lot of subcommands, and it is very powerful when we want to obtain network-related information.

The NET USER context lets us manage user accounts either on the local machine or in the domain. We can even use this command from a batch file to work with multiple accounts in one pass.

Using it with the local accounts

Open the command prompt (Start > Run > cmd.exe) and type:

net user some_username

Replace some_username with either your username or the username of any other user whose account needs to be checked. In our example, that will be the local account Administrator.

We will type:

C:\>net user administrator

We will get a response similar to this one:

User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/dom
ain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            28.12.10 13:51
Password expires             Never
Password changeable          12.01.11 13:51
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   23.07.15 09:11

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.


C:\>

We can see a lot of information about the account, such as the full name, a comment, the group membership, the account status, the expiration date, and so on.

The most interesting part for us is the line beginning with Password expires. There we can see the date and time when the password will expire. An expired password will prevent any further login to the system with this account.

However, if you're not interested in reading a short book on the screen, you can use a neat trick. We can use output redirection (the pipe) and the find command. We will type this command:

C:\>net user administrator | find "Password expires"
Password expires             Never

C:\>

The find command takes the output of the net user command and filters it, showing us just this one interesting row. Of course, you can replace the words between the quotation marks to extract any other information you need.

At the domain level

We can use the same command for domain users as well. We just need to add one parameter after it: /Domain.

Now our command for a user named User01 will be:

C:\>net user user01 /domain
The request will be processed at a domain controller for domain company.com.

User name                    user01
Full Name                    Test User #1
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            27.04.16. 16:05:08
Password expires             26.07.16. 16:05:08
Password changeable          12.05.16. 16:05:08
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   08.06.16. 12:43:21

Logon hours allowed          All

Local Group Memberships
Global Group memberships     *Domain Users         *Finance
The command completed successfully.


C:\>

As you can see, we get the same output. This time the data is pulled from the domain controller of the domain to which the workstation belongs.

We can also apply the same filter with the find command to extract just the password expiration date.

C:\>net user user01 /domain | find "Password expires"
Password expires             26.07.16. 16:05:09

C:\>

All these commands can be executed without administrator privileges. That means every user can check his own account status.

You can also use this command as part of a batch file. Then you will have a simple yet powerful administration tool, as you can find the status of all your users at a glance.
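
A batch file of the kind described above, as an added example that is not part of the original post. It assumes a hypothetical file users.txt with one username per line and an English-language Windows, because find is case-sensitive and matches the label text exactly.

```batch
@echo off
rem Added example (not from the original post).
rem Prints the "Password expires" value for every domain account in users.txt.
rem Assumptions: users.txt is a hypothetical list, one username per line;
rem the label text matches an English-language Windows installation.
setlocal

set "USERLIST=users.txt"
if not exist "%USERLIST%" (
    echo Cannot find %USERLIST%
    exit /b 1
)

rem Call a subroutine per user so no delayed expansion is needed.
for /f "usebackq delims=" %%U in ("%USERLIST%") do call :check "%%U"
exit /b 0

:check
set "EXPIRES="
rem tokens=2,* drops the words "Password expires" and keeps the rest in %%B.
for /f "tokens=2,*" %%A in ('net user %1 /domain 2^>nul ^| find "Password expires"') do set "EXPIRES=%%B"
if not defined EXPIRES (
    echo %~1: account not found or query failed
    exit /b 0
)
rem Flag accounts whose password never expires so they stand out in the list.
if /i "%EXPIRES%"=="Never" (
    echo %~1: Never [password does not expire]
) else (
    echo %~1: %EXPIRES%
)
exit /b 0
```

To check local accounts instead, remove /domain from the net user line.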
