
PowerShell Script to Get Expired Passwords Easily

Use the PowerShell cmdlet Search-ADAccount with the -PasswordExpired switch to list accounts whose passwords have expired, for example: Search-ADAccount -PasswordExpired | Select-Object Name, PasswordExpired.

Examples

Three runs of the same command against directories in different states:

Input:
Search-ADAccount -PasswordExpired | Select-Object Name, PasswordExpired

Output:
Name      PasswordExpired
----      ---------------
JohnDoe   True
JaneSmith True

Input:
Search-ADAccount -PasswordExpired | Select-Object Name, PasswordExpired

Output:
Name      PasswordExpired
----      ---------------
(No output if no passwords are expired)

Input:
Search-ADAccount -PasswordExpired | Select-Object Name, PasswordExpired

Output:
Name        PasswordExpired
----        ---------------
AdminUser   True
GuestUser   True
ServiceAcct True

How to Think About It

To find expired passwords, you ask Active Directory for the user accounts whose password is flagged as expired. PowerShell's ActiveDirectory module has a built-in cmdlet that filters accounts by password-expiration status, so you only need to run it and display the relevant properties.

Algorithm

1. Connect to Active Directory.
2. Search for user accounts with expired passwords using a filter.
3. Select and display the account names and their password-expiration status.

Code

```powershell
Import-Module ActiveDirectory
$expiredUsers = Search-ADAccount -PasswordExpired | Select-Object Name, PasswordExpired
$expiredUsers | ForEach-Object { Write-Output "$($_.Name) - Password Expired: $($_.PasswordExpired)" }
```

Output:
JohnDoe - Password Expired: True
JaneSmith - Password Expired: True

Dry Run

Let's trace the script finding expired passwords for two users.

1. Import the Active Directory module: loads the cmdlets used to interact with AD.
2. Search for expired passwords: finds users JohnDoe and JaneSmith, whose passwords have expired.
3. Output the results: prints 'JohnDoe - Password Expired: True' and 'JaneSmith - Password Expired: True'.

Name      PasswordExpired
----      ---------------
JohnDoe   True
JaneSmith True

Why This Works

Step 1: Import Active Directory Module

The Import-Module ActiveDirectory command loads the tools needed to query Active Directory.

Step 2: Search for Expired Passwords

The Search-ADAccount -PasswordExpired command finds all user accounts with expired passwords.

Step 3: Display Results

Selecting only Name and PasswordExpired keeps the output focused, and writing each account on its own line makes the list easy to read.

Alternative Approaches

Using Get-ADUser with a filter on PasswordLastSet

```powershell
Import-Module ActiveDirectory
# Use the default domain policy's maximum password age as the cut-off.
$maxPwdAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
$timeLimit = (Get-Date).AddDays(-$maxPwdAge.TotalDays)
# Accounts flagged PasswordNeverExpires cannot expire, so exclude them from the comparison.
$expiredUsers = Get-ADUser -Filter { PasswordLastSet -lt $timeLimit -and PasswordNeverExpires -eq $false } -Properties PasswordLastSet, PasswordNeverExpires
$expiredUsers | ForEach-Object { Write-Output "$($_.Name) - Password Last Set: $($_.PasswordLastSet)" }
```

This method calculates expiration by comparing the last-set date with the default domain policy's maximum password age, but it is more complex and less direct than Search-ADAccount, and it does not account for fine-grained password policies.

Using Quest AD cmdlets (legacy)

```powershell
Get-QADUser -PasswordExpired | Select-Object Name, PasswordExpired
```

Requires the Quest AD cmdlets to be installed; a less common and older approach.
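The two approaches above can be combined into a report that tells an administrator not just who is expired but for how long and whether the account is still in use. This is an added example, not code from the original page; it assumes the ActiveDirectory module on a domain-joined session, the function name and the CSV path are placeholders, and it reads the directory's own computed expiry attribute so that fine-grained password policies are honoured.

```powershell
# Added example (not from the original page). Assumes the ActiveDirectory
# module and a domain-joined session; function name and CSV path are placeholders.
Import-Module ActiveDirectory

function Get-ExpiredPasswordReport {
    param(
        [string]$SearchBase,        # optional OU distinguished name to scope the query
        [switch]$IncludeDisabled    # disabled accounts are skipped unless requested
    )
    $searchParams = @{ PasswordExpired = $true; UsersOnly = $true }
    if ($SearchBase) { $searchParams.SearchBase = $SearchBase }

    $props = 'PasswordLastSet', 'PasswordNeverExpires', 'Enabled', 'LastLogonDate',
             'msDS-UserPasswordExpiryTimeComputed'

    foreach ($acct in Search-ADAccount @searchParams) {
        # Search-ADAccount returns a slim object; fetch the attributes we need.
        $u = Get-ADUser -Identity $acct.DistinguishedName -Properties $props
        if (-not $IncludeDisabled -and -not $u.Enabled) { continue }
        if ($u.PasswordNeverExpires) { continue }   # cannot genuinely be expired

        # The computed attribute honours fine-grained password policies, unlike a
        # hand-rolled MaxPasswordAge calculation. 0 means "must change at next logon",
        # and 0x7FFFFFFFFFFFFFFF means the password never expires.
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        $expiresOn = if ($raw -and $raw -ne 0x7FFFFFFFFFFFFFFF) { [datetime]::FromFileTime($raw) } else { $null }
        $daysExpired = if ($expiresOn) { [int]((Get-Date) - $expiresOn).TotalDays } else { $null }

        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
            ExpiredOn       = $expiresOn
            DaysExpired     = $daysExpired
            LastLogonDate   = $u.LastLogonDate
        }
    }
}

# Long-expired but still-enabled accounts are the ones to review first.
Get-ExpiredPasswordReport |
    Sort-Object DaysExpired -Descending |
    Tee-Object -Variable report |
    Format-Table -AutoSize
$report | Export-Csv -Path 'C:\Reports\expired-passwords.csv' -NoTypeInformation   # placeholder path
```

Accounts whose password must be changed at next logon appear with an empty ExpiredOn column, so they are not silently dropped from the report.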

Complexity: O(n) time, O(n) space

Time Complexity

The script queries every user account to check its password status, so running time grows linearly with the number of users.

Space Complexity

The results for every expired account are kept in memory, so space grows with the number of expired accounts.

Which Approach is Fastest?

Search-ADAccount is the fastest and simplest option; filtering by PasswordLastSet requires extra calculation on the client and is slower.

| Approach                              | Time | Space | Best For                                            |
|---------------------------------------|------|-------|-----------------------------------------------------|
| Search-ADAccount -PasswordExpired     | O(n) | O(n)  | Quick, direct expired-password check                |
| Get-ADUser with PasswordLastSet filter | O(n) | O(n)  | Custom expiration logic or unsupported environments |
| Quest AD cmdlets                      | O(n) | O(n)  | Legacy systems with Quest tools                     |

Tip: Run PowerShell as administrator and ensure the Active Directory module (RSAT) is installed before running the script.

Pitfall: Forgetting to import the Active Directory module, or running the script on a machine that is not joined to the domain.