Password expiration PowerShell script to notify Active Directory domain users

Many organizations enforce password expiration policies to reduce the risk of compromised credentials and unauthorized access. When users fail to change their passwords before expiration, they are locked out of their accounts.

To avoid account lockouts and help desk escalations, administrators often use an Active Directory (AD) password expiration notification PowerShell script to notify users before their passwords expire. A widely used script such as password-expiration-notifications.ps1 calls the Get-ADUser cmdlet to retrieve password expiration details from AD and uses SMTP to automatically email users reminders before the expiration deadline.

This guide explains how to:

  • Check AD password expiration dates using PowerShell.
  • Send password expiry notification emails.
  • Automate notification scripts using Task Scheduler.
  • Compare PowerShell-based notifications with ADSelfService Plus.

ManageEngine ADSelfService Plus also provides a built-in alternative for password expiration notifications through email, SMS, and push notifications without requiring manual scripting or script maintenance.

Step 1. Checking when AD passwords expire using PowerShell

Before sending password expiry notifications, administrators must first retrieve password expiration information from AD.

To retrieve the AD user account property most often associated with password expiration, use this PowerShell command:

Get-ADUser -Filter * -Properties PasswordLastSet
  • Get-ADUser: Retrieves one or more AD user objects based on a specified filter or identity.
  • -Filter *: Required parameter that defines the search scope; the wildcard * returns all user accounts in the directory.
  • -Properties PasswordLastSet: Specifies additional attributes to retrieve beyond the default set; PasswordLastSet returns the date and time the user's password was last changed.

To scope the query to a specific OU, you can use the SearchBase parameter:

Get-ADUser -Filter * `
    -SearchBase "OU=Sales,DC=company,DC=com" `
    -Properties PasswordLastSet
  • Get-ADUser: Retrieves one or more AD user objects based on a specified filter or identity.
  • -Filter *: Required parameter that defines the search scope; the wildcard * returns all user accounts within the search base.
  • -SearchBase: Limits the search to a specific organizational unit (OU) or container in the directory tree.
  • -Properties PasswordLastSet: Specifies additional attributes to retrieve beyond the default set; PasswordLastSet returns the date and time the user's password was last changed.

To retrieve the domain-wide maximum password age, use the following PowerShell command:

(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge
  • Get-ADDefaultDomainPasswordPolicy: Retrieves the default password policy for the AD domain.
  • .MaxPasswordAge: Returns the maximum password age as a TimeSpan (for example, 42.00:00:00 for 42 days); a value of 00:00:00 means passwords never expire under the default domain policy.

To find the password expiration details of enabled AD users whose passwords are set to expire, use the following PowerShell command:

Get-ADUser -Filter { Enabled -eq $True -and PasswordNeverExpires -eq $False } `
    -Properties EmailAddress,msDS-UserPasswordExpiryTimeComputed
  • Get-ADUser: Retrieves AD user objects based on a specified filter.
  • -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False}: Returns only active users whose passwords are set to expire.
  • -Properties EmailAddress,msDS-UserPasswordExpiryTimeComputed: Retrieves additional attributes beyond the default set.
    • EmailAddress: The user's email address.
    • msDS-UserPasswordExpiryTimeComputed: The exact date and time the user's password will expire.

Handling fine-grained password policies in your script

Many organizations use fine-grained password policies (FGPPs) to apply different password expiration settings to specific users or groups.

Unlike the default domain password policy, FGPPs allow administrators to configure:

  • Different password expiration periods for specific users or global security groups
  • Password complexity requirements
  • Password history requirements

For example:

  • IT admins may have shorter password expiration periods.
  • Service accounts may use different policies.
  • Executives may have stricter complexity rules.

FGPP overrides the domain-level MaxPasswordAge setting. Because of this, manually calculating password expiration dates using PasswordLastSet and MaxPasswordAge may produce inaccurate results.

The msDS-UserPasswordExpiryTimeComputed attribute is calculated by the domain controller and already factors in any FGPP that applies to the user, so it is the preferred source for password expiration dates.

Automate password expiry calculation

Instead of manually calculating password expiration dates, use the following PowerShell script to retrieve all AD users and calculate password expiry:

Get-ADUser -Filter * `
    -Properties DisplayName,EmailAddress,msDS-UserPasswordExpiryTimeComputed |
    Select-Object DisplayName,
        @{
            Name       = "PasswordExpiryDate"
            Expression = {
                $raw = $_."msDS-UserPasswordExpiryTimeComputed"
                # 0 = user must change the password at next logon; Int64.MaxValue = password never expires.
                # FromFileTime throws on the second value, so both are reported as an empty date instead.
                if ($raw -and $raw -ne [Int64]::MaxValue) {
                    [datetime]::FromFileTime($raw)
                }
            }
        }
  • Get-ADUser: Retrieves AD user accounts.
  • -Filter *: Retrieves all users from AD.
  • -Properties: Retrieves additional AD attributes not returned by default.
  • DisplayName: Retrieves the user's display name.
  • EmailAddress: Retrieves the user's email address.
  • msDS-UserPasswordExpiryTimeComputed: Retrieves the computed password expiration timestamp.
  • Select-Object: Selects specific output properties to display.
  • Name="PasswordExpiryDate": Creates a custom column named PasswordExpiryDate.
  • Expression: Defines the calculation used for the custom column.
  • FromFileTime(): Converts the Windows FileTime value (100-nanosecond intervals since 1 January 1601) stored in the attribute into a readable date.

This script automatically accounts for:

  • Domain password policies
  • FGPPs
  • User-specific expiration settings
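The following is an added example (it is not part of the original article) that puts the two points above together: it reads msDS-UserPasswordExpiryTimeComputed so FGPPs are already honoured, maps the attribute's two sentinel values instead of letting FromFileTime throw on them, and calls Get-ADUserResultantPasswordPolicy to show which policy produced each date. The function names, the optional OU and the 14-day window are assumptions.

```powershell
# Added example, not the article's code: dry-run password expiry report with policy attribution.
# Requires the ActiveDirectory module (RSAT) and read access to the user attributes.
Import-Module ActiveDirectory

function ConvertFrom-ExpiryFileTime {
    # msDS-UserPasswordExpiryTimeComputed carries two sentinel values:
    #   0                  -> user must change the password at next logon
    #   [Int64]::MaxValue  -> password never expires ([datetime]::FromFileTime throws on this)
    param([Int64]$FileTime)
    if ($FileTime -eq 0)                 { return 'MustChangeAtNextLogon' }
    if ($FileTime -eq [Int64]::MaxValue) { return 'NeverExpires' }
    return [datetime]::FromFileTime($FileTime)
}

function Get-PasswordExpiryReport {
    param(
        [string]$SearchBase   # optional OU, e.g. "OU=Sales,DC=company,DC=com" (assumed value)
    )
    $params = @{
        Filter     = { Enabled -eq $true }
        Properties = 'DisplayName', 'EmailAddress', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($u in Get-ADUser @params) {
        $expiry = ConvertFrom-ExpiryFileTime ([Int64]$u.'msDS-UserPasswordExpiryTimeComputed')
        # Returns $null when no FGPP applies and the default domain policy is in effect
        $fgpp = Get-ADUserResultantPasswordPolicy -Identity $u
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            DisplayName    = $u.DisplayName
            EmailAddress   = $u.EmailAddress
            Policy         = if ($fgpp) { $fgpp.Name } else { 'Default Domain Policy' }
            ExpiryDate     = $expiry
            DaysRemaining  = if ($expiry -is [datetime]) { [int][math]::Floor(($expiry - (Get-Date)).TotalDays) } else { $null }
        }
    }
}

# Usage: everyone whose password expires within the next 14 days, soonest first
Get-PasswordExpiryReport |
    Where-Object { $null -ne $_.DaysRemaining -and $_.DaysRemaining -le 14 } |
    Sort-Object DaysRemaining |
    Format-Table -AutoSize
```

Running this report before wiring up email is a cheap way to confirm that the dates match what users see at logon and that accounts covered by an FGPP are attributed to the right policy. Get-ADUserResultantPasswordPolicy costs one extra query per user, so in a large domain filter to the users inside the warning window before calling it.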

Step 2. Sending password expiration email notifications in PowerShell using authenticated SMTP

Once password expiration dates are identified, administrators can configure PowerShell to send automated email reminders.

Basic SMTP script example

$smtpServer = "smtp.company.com"
$smtpPort = 587

$username = "admin@company.com"
$password = ConvertTo-SecureString "YourPassword" -AsPlainText -Force

$credential = New-Object System.Management.Automation.PSCredential($username, $password)

$mailMessage = New-Object System.Net.Mail.MailMessage
$mailMessage.From = "admin@company.com"
$mailMessage.To.Add("user@company.com")
$mailMessage.Subject = "Password Expiration Notice"
$mailMessage.Body = "Your password will expire soon."

$smtpClient = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort)
$smtpClient.EnableSsl = $true
$smtpClient.Credentials = $credential

$smtpClient.Send($mailMessage)
  • $smtpServer: Specifies the SMTP server used to send the email notification.
  • $smtpPort: Defines the SMTP communication port, typically 587 for STARTTLS-secured email submission.
  • $username: Specifies the SMTP account username used for authentication.
  • $password: Stores the SMTP account password as a secure string.
  • ConvertTo-SecureString: Converts a plaintext password into a SecureString, which is protected in memory while the script runs; it does not protect a password literal that is stored in the script file itself.
  • -AsPlainText: Indicates that the supplied password is in plain text format.
  • -Force: Forces PowerShell to accept the plaintext password conversion.
  • $credential: Stores the authenticated SMTP credential object.
  • PSCredential: Creates a credential object containing the username and secure password.
  • $mailMessage: Creates the email message object.
  • MailMessage: Defines the email message structure used for sending mail.
  • .From: Specifies the sender email address.
  • .To.Add(): Adds the recipient email address.
  • .Subject: Defines the subject line of the email.
  • .Body: Defines the content of the email message.
  • $smtpClient: Creates the SMTP client connection used to send email.
  • SmtpClient: Establishes the SMTP connection to the mail server.
  • EnableSsl: Enables TLS/SSL encryption for secure email transmission.
  • Credentials: Assigns the SMTP authentication credentials to the SMTP client.
  • Send(): Sends the email message through the SMTP server.

Step 3. Automate the password expiration notification script using Windows Task Scheduler

After creating the PowerShell SMTP notification script, administrators can automate it with Task Scheduler by following these steps:

  1. Save the PowerShell script to a local directory, for example: C:\Scripts\PasswordExpiryNotification.ps1
  2. Open Task Scheduler on the Windows Server.
  3. Click Create Task.
  4. In the General tab:
    • Enter a task name.
    • Select Run whether user is logged on or not.
    • Enable Run with highest privileges.
  5. In the Triggers tab:
    • Click New.
    • Configure the notification schedule (daily, weekly, etc.).
    • Choose the preferred execution time.
  6. In the Actions tab:
    • Click New.
    • Set Action to Start a program.
    • In the Program/script field, enter powershell.exe.
  7. In the Add arguments field, enter:
    -ExecutionPolicy Bypass -File "C:\Scripts\PasswordExpiryNotification.ps1"
  8. Configure any required conditions or settings based on organizational requirements.
  9. Click OK and provide administrative credentials if prompted.

The script will now run automatically based on the configured schedule and send password expiration notifications to users.
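As an added example (not from the original article), the same task can be registered from PowerShell with the ScheduledTasks module, which keeps the configuration reviewable and repeatable. The task name, the 07:00 daily schedule and the dedicated account name are assumptions. The example runs at the Limited run level because reading AD attributes and submitting mail require no elevation, and it prompts for the account password instead of embedding it in the file.

```powershell
# Added example, not the article's code: register the notification task without the GUI.
$scriptPath = 'C:\Scripts\PasswordExpiryNotification.ps1'
$taskName   = 'AD Password Expiry Notification'     # assumed name
# Dedicated account that runs the task (assumed name). It only needs read access to the
# AD user attributes and permission to submit mail through the SMTP relay.
$runAs      = "$env:USERDOMAIN\svc_pwdnotify"

# Same action as the GUI steps: powershell.exe with the script as argument
$action   = New-ScheduledTaskAction -Execute 'powershell.exe' `
              -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger  = New-ScheduledTaskTrigger -Daily -At '07:00'
$settings = New-ScheduledTaskSettingsSet -StartWhenAvailable `
              -ExecutionTimeLimit (New-TimeSpan -Hours 1) -MultipleInstances IgnoreNew

# The password is requested interactively so it never lives in this file.
# Supplying -User/-Password registers the task to "run whether user is logged on or not".
$cred = Get-Credential -UserName $runAs -Message 'Password for the task account'
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Settings $settings `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password -RunLevel Limited `
    -Description 'Emails AD users whose passwords are about to expire'

# Verify the registration, run it once by hand and read back the result code (0 = success)
Get-ScheduledTask -TaskName $taskName | Select-Object TaskName, State
Start-ScheduledTask -TaskName $taskName
Get-ScheduledTaskInfo -TaskName $taskName | Select-Object LastRunTime, LastTaskResult
```

Checking LastTaskResult after the manual run catches the two common failures early: a script path the task account cannot read, and a task account that is not allowed to log on as a batch job on that server.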

Sample Active Directory password expiration notification PowerShell script

This PowerShell script fetches users with expiring passwords, automatically calculates their expiration date, and sends them email notifications:

$smtpServer = "smtp.company.com"
$smtpPort = 587

$from = "admin@company.com"
$username = "admin@company.com"
$password = "<YourPassword>"

$securePassword = ConvertTo-SecureString $password -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential ($username, $securePassword)

# Only enabled users whose passwords actually expire
$users = Get-ADUser -Filter {
    Enabled -eq $True -and
    PasswordNeverExpires -eq $False
} `
-Properties DisplayName,EmailAddress,msDS-UserPasswordExpiryTimeComputed

# One authenticated SMTP session is enough for the whole run
$smtpClient = New-Object System.Net.Mail.SmtpClient($smtpServer, $smtpPort)
$smtpClient.EnableSsl = $true
$smtpClient.Credentials = $credential

foreach ($user in $users) {

    $expiryDate = [datetime]::FromFileTime(
        $user."msDS-UserPasswordExpiryTimeComputed"
    )

    $daysRemaining = ($expiryDate - (Get-Date)).Days

    # Users with no EmailAddress are skipped; To.Add($null) would otherwise throw and abort the loop
    if ($daysRemaining -le 7 -and $daysRemaining -ge 0 -and $user.EmailAddress) {

        $subject = "Password Expiration Notice"

        $body = @"
Hello $($user.DisplayName),

Your Active Directory password will expire in $daysRemaining day(s).

Please change your password before it expires.

Regards,
IT Administration
"@

        $mailMessage = New-Object System.Net.Mail.MailMessage
        $mailMessage.From = $from
        $mailMessage.To.Add($user.EmailAddress)
        $mailMessage.Subject = $subject
        $mailMessage.Body = $body

        $smtpClient.Send($mailMessage)
    }
}
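The script below is an added, hardened variant (not the article's own code) of the sample above; it also covers the SMTP credential handling from Step 2. It keeps the same query and message but loads the SMTP credential from a DPAPI-protected file created with Export-Clixml instead of a plaintext literal, skips the two sentinel values of msDS-UserPasswordExpiryTimeComputed, sends only on configured days so nobody is mailed every morning for two weeks, skips users with no mail address, survives an SMTP failure for one recipient, and logs every outcome so a run can be audited afterwards. The server, file paths, thresholds and the -DryRun switch are assumptions.

```powershell
# Added example, not the article's code: hardened AD password expiry notification script.
#Requires -Modules ActiveDirectory
param(
    [string]$SmtpServer = 'smtp.company.com',
    [int]   $SmtpPort   = 587,
    [string]$From       = 'admin@company.com',
    # Created once, while logged on as the task account on this server:
    #   Get-Credential | Export-Clixml C:\Scripts\smtp-cred.xml
    # Export-Clixml protects the password with DPAPI, so only that account on this machine can read it back.
    [string]$CredPath   = 'C:\Scripts\smtp-cred.xml',
    [int[]] $NotifyDays = @(14, 7, 3, 1),   # days-before-expiry on which a reminder is sent
    [string]$LogPath    = 'C:\Scripts\PasswordExpiryNotification.log',
    [switch]$DryRun                          # evaluate and log, but send nothing
)

function Write-Log([string]$Message) {
    $line = "$(Get-Date -Format s) $Message"
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# Restrict the SMTP session to TLS 1.2 (SmtpClient honours ServicePointManager on Windows PowerShell)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$credential = Import-Clixml -Path $CredPath
$smtp = New-Object System.Net.Mail.SmtpClient($SmtpServer, $SmtpPort)
$smtp.EnableSsl   = $true
$smtp.Credentials = $credential.GetNetworkCredential()

$users = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $false } `
           -Properties DisplayName, EmailAddress, 'msDS-UserPasswordExpiryTimeComputed'

$sent = 0; $skipped = 0
foreach ($user in $users) {
    $raw = [Int64]$user.'msDS-UserPasswordExpiryTimeComputed'
    # 0 = must change at next logon; Int64.MaxValue = never expires. Neither gets a reminder.
    if ($raw -eq 0 -or $raw -eq [Int64]::MaxValue) { $skipped++; continue }

    $expiry        = [datetime]::FromFileTime($raw)
    $daysRemaining = [int][math]::Floor(($expiry - (Get-Date)).TotalDays)
    if ($daysRemaining -notin $NotifyDays) { continue }

    if ([string]::IsNullOrWhiteSpace($user.EmailAddress)) {
        Write-Log "SKIP $($user.SamAccountName): expires in $daysRemaining day(s) but no EmailAddress is set"
        $skipped++; continue
    }

    $body = @"
Hello $($user.DisplayName),

Your Active Directory password will expire on $($expiry.ToString('dddd, d MMMM yyyy')) ($daysRemaining day(s) from now).

Please change your password before it expires.

Regards,
IT Administration
"@
    if ($DryRun) { Write-Log "DRYRUN $($user.SamAccountName) -> $($user.EmailAddress): $daysRemaining day(s)"; continue }

    $msg = New-Object System.Net.Mail.MailMessage($From, $user.EmailAddress, 'Password Expiration Notice', $body)
    try {
        $smtp.Send($msg)
        Write-Log "SENT $($user.SamAccountName) -> $($user.EmailAddress): $daysRemaining day(s)"
        $sent++
    }
    catch {
        # One rejected mailbox or a transient SMTP error must not abort the run for everyone else
        Write-Log "ERROR $($user.SamAccountName) -> $($user.EmailAddress): $($_.Exception.Message)"
    }
    finally { $msg.Dispose() }
}
Write-Log "Done: $sent sent, $skipped skipped, $(@($users).Count) users evaluated"
```

Run it first with -DryRun from the task account to confirm the credential file loads and the right users are selected; the log then gives the per-recipient record that a bare script lacks. Because the credential file is bound to the account and machine that created it, a copy taken elsewhere is useless, and the file itself should be readable only by that account.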

The limitations of PowerShell-based password expiry notifications

Many admins rely on PowerShell scripts to automate password expiry notifications. While effective, these scripts often require ongoing maintenance and troubleshooting. They may stop working after PowerShell updates, SMTP configuration changes, or security policy modifications.

PowerShell-based notifications also offer limited visibility into whether emails were successfully delivered or acted upon. Missed password expiry notifications can lead to:

  • User lockouts
  • Increased help desk tickets
  • Remote access disruptions
  • Productivity loss
  • Compliance gaps

In larger environments, managing notification schedules, SMTP authentication, and exception handling across multiple scripts can become time-consuming and difficult to scale.

A smarter alternative: ADSelfService Plus

Instead of maintaining custom PowerShell scripts, organizations can use ADSelfService Plus to configure password expiration notifications through a centralized interface. To enable password expiry notifications using ADSelfService Plus:

  • Open the ADSelfService Plus admin portal.
  • Go to Configuration > Password Expiration Notification. In the Password/Account Expiration Notification section that opens, click Add New Notification.
  • Use the Select Domain option to specify the domain whose users should receive the notifications. Provide a Scheduler Name.
  • Set the Notification Type to Password Expiration Notification. Use the Notify via option to specify the notification medium (mail, SMS, or push notification).
  • Select Notification Frequency (Daily, Weekly, or On Specific Days) and use the Schedule Time option to specify the date and time of the notification delivery. For example, if you want to notify users seven days before the password expiration, select the On Specific Days option, click Schedule Time, and specify 7 in the field provided.
  • Edit the Subject and the Message of the notification, if required.
  • Click Advanced. In the pop-up window that opens, you can exclude disabled users or smart card users from the notifications and send notification delivery status messages to users' managers or to an admin account, if required.
  • Click Save.
    Figure 1. Configuring password expiration email notifications in ManageEngine ADSelfService Plus.

Why choose ADSelfService Plus for password expiry notifications?

  • Quick configuration: Configure password expiry notifications in just a few clicks without creating or maintaining scripts.
  • Multi-channel notifications: Send password expiration alerts through:
    • Email
    • SMS
    • Push notifications
  • Centralized management: Manage notification schedules, delivery settings, and exclusions from a single interface.
  • Notify managers and admins: Automatically send notification delivery status updates to managers or administrators when required.
  • Customizable notifications: Create HTML-based notifications with customized messaging and branding.
  • Reduced administrative overhead: Eliminate script troubleshooting, scheduling complexity, and manual maintenance.

Highlights of ADSelfService Plus

Skip the PowerShell scripts. Deliver streamlined, automated password expiration notifications with ADSelfService Plus.
