Share via

Script to check password expiring in next 7 Days

Seema Kanwal Gurmani 341 Reputation points
2026-01-13T04:43:35.09+00:00

Dear Community,

I want to send an email notification to my AD users 7 days before their Active Directory password expires. Our AD accounts are synced with Azure AD in the Microsoft 365 portal. All users have a 30-day password expiry policy.

When a domain password expires after 30 days, the email, OneDrive, and Microsoft Teams passwords are updated automatically through the AD Sync service.

Kindly let me know if there is any script that can identify users whose passwords are expiring in the next 7 days and send them email notifications & I want to CC IT staff in those emails.

The script will be scheduled to run daily.

Microsoft Security | Active Directory Federation Services
0 comments

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  2. Engindzhan Halmi (BG) 155 Reputation points
    2026-01-13T12:17:41+00:00

    Hello @Seema Kanwal Gurmani

    I hope you are doing well. The script bellow is generated with detailed instructions via OpenAI's GPT 5.1

    Initially, it downloads the required module, which uses command to check all users in Active Directory (AD) whether their password expires in the next 7 days. Display name and expiry date are outputted and the same users pushed for password change upon next Windows Sign-in.

    I suggest prior to running in production to experiment with example users, or test environment.

    Import-Module ActiveDirectory
# Define time window
$today     = Get-Date
$threshold = $today.AddDays(7)
# Get users with computed password expiry
$users = Get-ADUser -Filter * -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed
foreach ($user in $users) {
    $expiryFileTime = $user.'msDS-UserPasswordExpiryTimeComputed'
    # Skip accounts with "password never expires" (expiry = 0 or null)
    if (-not $expiryFileTime -or $expiryFileTime -eq 0) {
        continue
    }
    $expiry = [datetime]::FromFileTime($expiryFileTime)
    # Only users whose password expires within the next 7 days and not already expired
    if ($expiry -ge $today -and $expiry -le $threshold) {
        # Output info
        [PSCustomObject]@{
            DisplayName    = $user.DisplayName
            PasswordExpiry = $expiry
        }
        # Require password change at next logon
        Set-ADUser -Identity $user.DistinguishedName -ChangePasswordAtLogon $true
    }
}
# Define time window
$today     = Get-Date
$threshold = $today.AddDays(7)
# Get users with computed password expiry
$users = Get-ADUser -Filter * -Properties DisplayName, msDS-UserPasswordExpiryTimeComputed
foreach ($user in $users) {
    $expiryFileTime = $user.'msDS-UserPasswordExpiryTimeComputed'
    # Skip accounts with "password never expires" (expiry = 0 or null)
    if (-not $expiryFileTime -or $expiryFileTime -eq 0) {
        continue
    }
    $expiry = [datetime]::FromFileTime($expiryFileTime)
    # Only users whose password expires within the next 7 days and not already expired
    if ($expiry -ge $today -and $expiry -le $threshold) {
        # Output info
        [PSCustomObject]@{
            DisplayName    = $user.DisplayName
            PasswordExpiry = $expiry
        }
        # Require password change at next logon
        Set-ADUser -Identity $user.DistinguishedName -ChangePasswordAtLogon $true
    }
}

    Do let me know whether this answer is sufficient to the question, or if it needs any changes.

    Best Regards,

    Engin

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.