The question "How can I find out the date and time a user's Active Directory (AD) domain password expires?" isn't a simple one to answer. You must first determine

  • Whether the user's password expires. If it doesn't expire, you don't need to calculate an expiration date.
  • How long the password can be used before it expires. If the domain doesn't specify a maximum password age, you don't need to calculate an expiration date.
  • The date and time the user's password was last set. If the password hasn't been set, you can't calculate an expiration date.

Bill Stewart explains how to write code that makes these determinations in the Rem article "Determining the Expiration of AD Domain Passwords". He incorporates this code into VBScript and JScript scripts that you can use to calculate and display a user's password expiration date.

I've opened up this article for public viewing so that you can read it and download its code. I also opened up the article "Using a Logon to Determine a Distinguished Name" that Bill references.

"Determining the Expiration of AD Domain Passwords" and "Using a Logon to Determine a Distinguished Name" will only be open for public viewing through June 16, so don't delay checking out these articles. If you enjoy reading them, you can get more of this type of content by subscribing to Scripting Pro VIP.