One of the most frequent and urgent calls to the help desk is about a locked account. An account lockout can occur for different reasons. I demonstrate one such situation in this post, where the user changed the password in the system but did not update it on his own mobile phone.
The second most common reason for an account lockout is password expiration. In properly administered systems, every user’s password must expire after X amount of time. The best security practice is to change the password at regular intervals of 30 days. If this is too short for you, you can change your password at intervals of 45 to 60 days.
I will show you a very simple command-line trick that shows when your password will expire. I have used this command on different Windows versions, from Windows XP and Server 2003 up to Windows 10 and Server 2012 R2.
The NET command
Windows has a lot of command-line tools, and the NET command is one of the very old command-line interfaces. Actually, the NET command has a lot of subcommands, and it’s very powerful when we want to obtain network-related information.
There is the NET USER context, where we can manipulate user accounts either on the local machine or in the domain. We can even use this command from a batch file to work with multiple accounts in one pass.
Using it with the local accounts
Open the command prompt (Start > Run > cmd.exe) and type:
net user some_username
The some_username should be replaced with either your username or the username of any other user who needs to check his or her account. In our example, that will be the local account Administrator.
We will type:
C:\>net user administrator
We will get a response similar to this one:
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never
Password last set            28.12.10 13:51
Password expires             Never
Password changeable          12.01.11 13:51
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   23.07.15 09:11
Logon hours allowed          All
Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.
C:\>
We can see a lot of information about the account, such as the full name, a comment, the group membership, the account status, the expiration date, and so on.
The most interesting part for us is the line beginning with Password expires. There we can see the date and the time when the password will expire. An expired password will prevent any further login to the system with this account.
However, if you’re not interested in reading a short book on the screen, you can utilize some magic and mighty tricks. We can pipe the output into the find command. We will type this command:
C:\>net user administrator | find "Password expires"
Password expires             Never
C:\>
The find command takes the output of net user and filters it, showing us just this one interesting row. Of course, you can replace the words between the quotation marks and extract any other information you need. Keep in mind that find is case-sensitive unless you add the /I switch.
At the domain level
We can use the same command for domain users as well. We just need to add one parameter after it: /Domain.
Now our command for some user named User01 will be:
C:\>net user user01 /domain
The request will be processed at a domain controller for domain company.com.
User name                    user01
Full Name                    Test User #1
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            27.04.16. 16:05:08
Password expires             26.07.16. 16:05:08
Password changeable          12.05.16. 16:05:08
Password required            Yes
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   08.06.16. 12:43:21
Logon hours allowed          All
Local Group Memberships
Global Group memberships     *Domain Users         *Finance
The command completed successfully.
C:\>
As you can see, we have the same output. This time the data is pulled from the domain controller of the domain to which the workstation belongs.
We can also apply the same filter with the find command to extract just the password expiration date.
C:\>net user user01 /domain | find "Password expires"
Password expires             26.07.16. 16:05:09
C:\>
All these commands can be executed without administrator privileges. That means that every user can check his own account status.
You can also use this command as part of a batch file. Then you will have a simple yet powerful tool for administration, as you can see the status of all your users at a glance.
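A batch file along the lines described above, as an added example that is not part of the original post: it reads account names from a list file and prints the Password expires line for each one, marking accounts whose password never expires. The script name, the default list file users.txt and the variable names are assumptions, and the filter only works on an English-language Windows because it matches the English text.

```batch
@echo off
rem pwd-expiry.cmd (hypothetical name): added example, not from the original post.
rem Usage: pwd-expiry.cmd [userlist]
rem The list file holds one account name per line (default: users.txt, an assumed name).
rem Assumes English-language Windows and account names without the ! character.
setlocal EnableDelayedExpansion

set "LIST=%~1"
if not defined LIST set "LIST=users.txt"
if not exist "%LIST%" (
    echo User list "%LIST%" not found.
    exit /b 1
)

rem The inner FOR /F runs the same net user / find pipeline shown in the post.
rem The pipe and the redirection are escaped with a caret because they sit inside FOR /F.
rem stderr is discarded so that a failed lookup simply leaves LINE empty.
for /f "usebackq tokens=* delims=" %%U in ("%LIST%") do (
    set "LINE="
    for /f "tokens=* delims=" %%L in ('net user "%%U" /domain 2^>nul ^| find "Password expires"') do set "LINE=%%L"
    if not defined LINE (
        echo %%U: no answer, unknown account or domain controller unreachable
    ) else if not "!LINE:Never=!"=="!LINE!" (
        echo %%U: !LINE! [never expires]
    ) else (
        echo %%U: !LINE!
    )
)
endlocal
```

For local accounts, remove the /domain switch from the net user call inside the loop.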