This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 99%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Hi Guys
How do I check if the local user has "password expires" true or false?
Thank you very much in advance
$userName = "your_username"
$user = Get-LocalUser -Name $userName
if ($user.PasswordNeverExpires) {
Write-Host "$userName has 'Password never expires' set to true."
} else {
Write-Host "$userName has 'Password never expires' set to false."
}
Replace "your_username" with the actual username you want to check. The PasswordNeverExpires property of the Get-LocalUser cmdlet will be True if the password never expires, and False otherwise.
@Sergio Siqueira
Did not work. Returns false even if password never expires is true
Looks like you have to use WMI.
Get-CimInstance -ClassName Win32_UserAccount | Format-Table -Property Name, PasswordExpires
@MotoX80 This command brings me the password expire, but it gives me another problem, because I need my script to bring me other information that this command does not bring
See my script
Get-LocalUser | Select @{Name='LOGIN';Expression = {$_.name}},@{Name='LABEL';Expression = {$_.description}}, @{Name='Password Never Expired';Expression = {if (($_.PasswordExpires -eq $false)) {'-1'} Else {'2'}}},@{Name='LAST LOGON';Expression = {if(($_.LastLogon -eq $NULL)) {'Never logged in'} Else {($_.LastLogon).ToString("yyyyMMdd")}}},@{Name='PRIVILEGES';expression={[string]::join(",",((Get-LocalGroup | Where-Object { $user.SID -in ($_ | Get-LocalGroupMember | Select-Object -ExpandProperty "SID") } | Select-Object -ExpandProperty "Name")))}},@{Name="ACCOUNT STATUS";Expression = {if (($_.Enabled -eq 'True') ) {'1'} Else {'2'}}},@{Name='Password Last Set';Expression = {if(($_.PasswordLastSet -eq $NULL)) {'Never Changed'} Else {($_.PasswordLastSet).ToString("yyyyMMdd")}}}
If you are looking for true/false, that's what the WMI call returns. As Rich pointed out, Get-LocalUser returns a date. If it's not set, it returns $null,
Get-CimInstance -ClassName Win32_UserAccount | Format-Table -Property Name, PasswordExpires
get-localuser | Format-Table Name, PasswordExpires
get-localuser | foreach {
if ($_.passwordexpires -ne $null) {
[pscustomobject] @{
Name = $_.name
Expires = $_.passwordexpires
}
} else {
[pscustomobject] @{
Name = $_.name
Expires = "Does not expire."
}
}
}
The problem is that if "User must change password at nest logon" is marked, it will also return without a date, that is, it would be a "false positive", would not be able to trust this result for "password expires" =(
I can't change how Windows works.
Use the WMI call instead of Get-LocalUser.
Get-CimInstance -ClassName Win32_UserAccount -Filter 'Name like "Test%"' | Format-Table -Property Name, PasswordExpires, PasswordRequired, PasswordChangeable, Description
get-localuser test* | Format-Table Name, PasswordExpires, PasswordRequired, UserMayChangePassword, Description
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
@Shashank Kumar Srivastava -- you almost had it right. There's no "PasswordNeveExpires" property -- what you meant (I think) was "PasswordExpires" (which may contain the expiration date). If there's no expiration date then there's no expiration of the password.
$userName = "your_username"
$user = Get-LocalUser -Name $userName
if ($user.PasswordExpires) {
Write-Host "$userName has 'Password never expires' set to true."
} else {
Write-Host "$userName has 'Password never expires' set to false."
}
@Rick Erickson I had already tried with "PasswordExpires", and it didn't work either =(
If you're looking for a specific user property that identifies when a LOCAL account must change its password at the next login, you won't find one (https://learn.microsoft.com/en-us/windows/win32/api/iads/ne-iads-ads_user_flag_enum). WMI doesn't have one, either. Even if you use ADSI (e.g. $user = [ADSI]"WinNT://$computer/$localusername,user") and convert the value of that users' UserFlags property to a bit string and compare it to the enum in the 1st link ([convert]::ToString($user.UserFlags.Value,2)) you won't find such a thing (feel free to use $user | gm * -f to investigate). However, I think this will get you what you want:
$userName = "XXXX"
$user = Get-LocalUser -Name $userName
if ($user.PasswordExpires -AND $user.PasswordLastSet) {
Write-Host "$userName has 'Password expires' set to true, and 'user must change p/w at next logon.' set"
}
elseif ($user.PasswordExpires) {
Write=Host "$userName has 'Password expires' set to true"
}
else {
Write-Host "$userName has 'Password never expires' set to false."
}
Get-LocalComputer, CIM, and WMI don't seem to expose the necessary properties. Using ADSI does.
I've use the Computer Management snap-in to toggle the "User must change password . . ." and the change is seen by the code. It's also possible to change the property in the code (and commit the change) and setting the value to 1 selects the checkbox in the GUI. Setting it to 0 unchecks the box in the GUI.
$LocalComputer = "computername"
$user = "XXXX"
$user = [ADSI]"WinNT://$LocalComputer/$user,user"
if ($user.PasswordExpired -eq 1){
write-host "$user must change password at next logon"
}
$user.passwordexpired = 1 # checks the box in the GUI
$user.commitchanges()
$user.passwordexpired = 0 # unchecks the box in the GUI
PS C:\Projects\Exercism> $user.commitchanges()
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(201.6, 86%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
This only displays if the password is actually expired it does NOT display if the password can expire which is what that checkbox indicates. Get-CIMInstance filtering by local (if you don't do this it will attempt to pull all domain users...), so basically what @MotoX80 suggested but with a local account filter.
Get-CimInstance -ClassName Win32_UserAccount -Filter "Localaccount = '$true'" | Format-Table -Property Name, PasswordExpires
That's a fair criticism.
Using ADSI, you can do it this way:
$LocalComputer = "computername"
$r = {
User = ""
PasswordCanExpire = ""
}
Get-LocalUser |
ForEach-Object{
$r.User = $_.Name
$r.PasswordCanExpire = $False
$u = [ADSI]"WinNT://LocalComputer/$($_.Name),user"
if (-NOT ($u.Userflags[0] -xor 0x10000) ){ # DONT_EXPIRE_PASSWORD, 65536
$r.PasswordCanExpire = $True
}
[PSCustomObject]$r
}