How to Get the Password Expiration Date for a User in Batch Script

Tracking when a user's password is set to expire is one of the most proactive tasks an IT administrator can perform. By identifying users whose passwords will expire within the next 7 days, you can send automated reminders, preventing "Password Lockout" tickets and maintaining high productivity across your organization. While this date is stored in the domain database, you can extract it in seconds using a Batch script.

This guide explains how to use the net user command to pull the password expiration timestamp.

Why Audit Password Expiration?

Proactive Support: Identifying users who are about to be locked out so you can warn them to change their credentials before their next login attempt.
Help Desk Diagnosis: Explaining to a user why they can no longer log in by showing them that their password expired precisely at "Midnight on Tuesday."
Policy Verification: Ensuring that your organization's 90-day (or 180-day) rotation policy is actually being applied correctly to both local and domain accounts.

Local vs. Domain

The net user command targets the Local computer by default. In a professional network environment, you must add the /domain flag to query the centralized Domain Controllers for the network-wide expiration date.

Method 1: Using Net User (Quick Lookup)

The basic net user command returns a table where you can filter for the password-related fields.

@echo off
setlocal

set /p "USN=Enter Username to check: "

if "%USN%"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

echo [PROCESS] Retrieving password lifecycle data for "%USN%"...
echo.

net user "%USN%" 2>nul | findstr /i /c:"Password expires" /c:"Password last set"

if %errorlevel% neq 0 (
    echo [ERROR] User "%USN%" was not found in the local database.
    echo [TIP] For domain accounts, use: net user "%USN%" /domain
)
pause

Method 2: Extracting the Expiration Date into a Variable

To use this date in an automated email or a larger "Security Dashboard" script, you must use a FOR loop to isolate the timestamp string.

@echo off
setlocal

set /p "TARGET=Enter username: "

if "%TARGET%"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

:: Verify user exists
net user "%TARGET%" >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] User "%TARGET%" not found.
    pause
    exit /b 1
)

echo [PROCESS] Auditing password expiration for: %TARGET%

:: The "Password expires" line format is:
::   Password expires             1/15/2025 3:42:10 PM
:: Capture the value after the field label
set "P_EXP="
for /f "tokens=1,* delims=s" %%a in ('net user "%TARGET%" 2^>nul ^| findstr /c:"Password expires"') do (
    for /f "tokens=*" %%t in ("%%b") do set "P_EXP=%%t"
)

if defined P_EXP (
    echo.
    echo [RESULT] Password expires: %P_EXP%
) else (
    echo [ERROR] Could not parse the expiration date.
)

echo.
pause

Creating a Password Expiration Warning System

This professional script checks a specific user and provides comprehensive password lifecycle information with alerts.

@echo off
setlocal EnableDelayedExpansion

echo ============================================================
echo   User Password Lifecycle Diagnostic
echo ============================================================

set /p "USN=Username to check: "

if "!USN!"=="" (
    echo [ERROR] No username entered.
    pause
    exit /b 1
)

:: 1. Verify user exists
net user "!USN!" >nul 2>&1
if !errorlevel! neq 0 (
    echo [ERROR] User "!USN!" not found on this machine.
    echo [TIP] For domain accounts, use: net user "!USN!" /domain
    pause
    exit /b 1
)

:: 2. Display key password lifecycle fields
echo.
echo [INFO] Password lifecycle for "!USN!":
echo   -----------------------------------------
net user "!USN!" 2>nul | findstr /i /c:"Password last set" /c:"Password expires" /c:"Password changeable" /c:"Account active"
echo   -----------------------------------------

:: 3. Check for 'Never' expiration
net user "!USN!" 2>nul | findstr /i /c:"Password expires" | findstr /i /c:"Never" >nul
if !errorlevel! equ 0 (
    echo.
    echo [ALERT] Password is set to NEVER expire!
    echo [NOTE] This is acceptable for service accounts but is a
    echo        security risk for human user accounts.
    echo [ACTION] To set expiration policy, check:
    echo         net accounts (for local policy^)
    echo         Group Policy (for domain policy^)
)

:: 4. Check for 'Never' in password last set (never been changed)
net user "!USN!" 2>nul | findstr /i /c:"Password last set" | findstr /i /c:"Never" >nul
if !errorlevel! equ 0 (
    echo.
    echo [ALERT] Password has NEVER been changed!
    echo [ACTION] Force a change: net user "!USN!" /logonpasswordchg:yes
)

echo ============================================================
pause

Common Pitfalls and How to Avoid Them

Administrative Rights

While standard users can often see their own password expiration date, you must run your Batch script (and CMD) as an Administrator to query the metadata of other users or to pull reliable data from the domain.

Regional Date Formats

The format of the date (e.g., MM/DD/YYYY vs DD/MM/YYYY) depends entirely on your system's "Regional Settings."

SEO and UX Tip

Advise your users that if they are looking for "Days Remaining," Batch cannot natively subtract dates. It is highly recommended to use the PowerShell bridge for arithmetic: powershell -NoProfile -Command "(Get-ADUser USERNAME -Properties 'msDS-UserPasswordExpiryTimeComputed' | Select-Object @{N='DaysLeft';E={[math]::Round(([datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed') - (Get-Date)).TotalDays)}}).DaysLeft".

Best Practices for Password Management

Check for "Never": Periodically audit your directory. Human users should almost never have "Password Never Expires" set, while service accounts almost always should.
Combine with 'Password Last Set': By looking at when the password was created (Password last set) and when it expires, you can verify if your "90-day policy" is actually calculated correctly.
Export for Reminders: Use your script to create a text file of every user expiring in the next week and hand it to your help desk team for proactive outreach.

Domain Controllers

Note that password expiration is calculated by the Domain Controller based on the Default Domain Policy. If you change the policy today, the "Password expires" date for your users will update the next time they authenticate.

Conclusion

Getting the password expiration date via Batch script is a critical skill for any security-conscious IT professional maintaining a professional Windows network. By programmatically extracting these timestamps using the net user command, you can move from reactive troubleshooting to proactive user support, ensuring that your organization's authentication cycle remains healthy and secure. This professional approach to system identification reduces support tickets, simplifies compliance monitoring, and provides a clear, automated mechanism for managing the most common security hurdle in the modern digital workspace.

Why Audit Password Expiration?​

Method 1: Using Net User (Quick Lookup)​

Method 2: Extracting the Expiration Date into a Variable​

Creating a Password Expiration Warning System​

Common Pitfalls and How to Avoid Them​

Administrative Rights​

Regional Date Formats​

Best Practices for Password Management​

Conclusion​

Table of Contents