When managing a Windows server that isn't part of a domain, checking password expiration requires different approaches than domain-joined systems. Local account policies still apply, but you'll need to use native Windows tools to retrieve this information.
The simplest way to check password expiration is through the command prompt:
net user username | find "Password expires"
Example output:
Password expires Never
This shows whether the password is set to expire and when. "Never" indicates no expiration policy is set.
For more detailed information, PowerShell provides better options:
$user = Get-LocalUser -Name "username"
$user | Select-Object Name,PasswordLastSet,PasswordExpires
This returns structured data including:
- PasswordLastSet: DateTime of last password change
- PasswordExpires: DateTime of expiration (or null if never)
To understand when passwords might expire, check the local security policy:
secedit /export /areas SECURITYPOLICY /cfg temp.inf
find "MaximumPasswordAge" temp.inf
del temp.inf
A value of 0 means passwords never expire. Otherwise, it's the maximum age in days.
Here's a PowerShell script to check all local users' password status:
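Get-LocalUser | ForEach-Object {
    # PasswordExpires is null when the password never expires
    $expiryDate = if ($_.PasswordExpires) {
        $_.PasswordExpires.ToString("yyyy-MM-dd")
    } else {
        "Never"
    }
    # PasswordLastSet is null for accounts whose password was never set
    $lastSet = if ($_.PasswordLastSet) {
        $_.PasswordLastSet.ToString("yyyy-MM-dd")
    } else {
        "Never"
    }
    [PSCustomObject]@{
        Username = $_.Name
        LastSet  = $lastSet
        Expires  = $expiryDate
        Enabled  = $_.Enabled
    }
} | Format-Table -AutoSize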
Remember these key points when working with local accounts:
- By default, local user passwords don't expire unless configured
- The "Administrator" account often has different policies
- Changes to password policy only affect new passwords
- Results may vary between Windows Server versions
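As an added example (not part of the original article), the listing script can be turned into an audit report that classifies each local account and counts the days remaining, so that enabled accounts with non-expiring, expired, or soon-to-expire passwords can be filtered out. The function name, its parameters, the status labels, and the 14-day default are hypothetical choices for this sketch.

```powershell
# Added example: classify local accounts by password-expiration state.
# Get-LocalPasswordExpiryReport, -WarnDays and -Now are hypothetical names.
function Get-LocalPasswordExpiryReport {
    [CmdletBinding()]
    param(
        [int]$WarnDays = 14,          # flag passwords expiring within this many days
        [datetime]$Now = (Get-Date)   # reference time, overridable for testing
    )

    Get-LocalUser | ForEach-Object {
        $expires  = $_.PasswordExpires   # null when the password never expires
        $daysLeft = if ($expires) {
            [math]::Floor(($expires - $Now).TotalDays)
        } else {
            $null
        }

        # Order matters: a missing password or missing expiry is decided first
        $status = if (-not $_.PasswordLastSet) { 'NoPasswordSet' }
            elseif (-not $expires)             { 'NeverExpires' }
            elseif ($daysLeft -lt 0)           { 'Expired' }
            elseif ($daysLeft -le $WarnDays)   { 'ExpiringSoon' }
            else                               { 'OK' }

        [PSCustomObject]@{
            Username = $_.Name
            Enabled  = $_.Enabled
            LastSet  = $_.PasswordLastSet
            Expires  = $expires
            DaysLeft = $daysLeft
            Status   = $status
        }
    }
}

# Enabled accounts that need attention: accounts without an expiry date
# sort first (DaysLeft is null), then the soonest expiry.
Get-LocalPasswordExpiryReport |
    Where-Object { $_.Enabled -and $_.Status -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table -AutoSize
```

Because the function returns objects rather than formatted text, the same report can be piped to Export-Csv or filtered further instead of Format-Table.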
When working with standalone Windows servers or workstations not joined to a domain, checking password expiration requires different approaches than domain-joined systems. Local Security Policy controls these settings, but accessing the information programmatically can be challenging.
The simplest way to check password expiration for a local account is using the net user command:
net user username | find "Password expires"
Example output:
Password expires Never
For accounts with expiration policies set:
Password expires 03/15/2024 12:00:00 AM
For more programmatic access, PowerShell provides better options:
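$user = Get-LocalUser -Name "username"
$cfg = Join-Path $env:TEMP "secpol.inf"
secedit /export /areas SECURITYPOLICY /cfg $cfg | Out-Null   # Get-LocalSecurityPolicy is not a built-in cmdlet, so read the exported policy
$line = Get-Content $cfg | Where-Object { $_ -match '^MaximumPasswordAge\s*=' }
Remove-Item $cfg
$maxPwdAge = [int](($line -split '=')[1].Trim())   # maximum age in days
$pwdLastSet = $user.PasswordLastSet
if ($maxPwdAge -le 0) {
    "Password never expires"   # 0 or a negative value: no maximum age
} else {
    $expiryDate = $pwdLastSet.AddDays($maxPwdAge)
    "Password expires on: $expiryDate"
}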
To programmatically check the current password policy settings:
secedit /export /cfg temp.ini /areas SECURITYPOLICY
rem secedit writes the export as Unicode, so pipe it through type for findstr
type temp.ini | findstr /i "MaximumPasswordAge"
del temp.ini
This will return values like:
MaximumPasswordAge = 90
For developers needing to integrate this into applications:
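using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public class LocalPasswordChecker {
    private const int DontExpirePassword = 0x10000; // ADS_UF_DONT_EXPIRE_PASSWD

    // Returns the expiration time, or null if the password never expires or the lookup fails
    public static DateTime? GetPasswordExpiration(string username) {
        try {
            using (DirectoryEntry user = new DirectoryEntry($"WinNT://./{username},user")) {
                var flags = (int)user.Properties["UserFlags"].Value;
                if ((flags & DontExpirePassword) != 0) return null; // Account flag: never expires
                var maxPwdAge = (int)user.Properties["MaxPasswordAge"].Value; // seconds
                if (maxPwdAge <= 0) return null; // Never expires
                var pwdAge = (int)user.Properties["PasswordAge"].Value; // seconds since last change
                return DateTime.Now.AddSeconds(maxPwdAge - pwdAge);
            }
        }
        catch (COMException) {
            return null; // Lookup failed, e.g. the account does not exist
        }
    }
}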
1. Administrator privileges are typically required to query this information
2. Results may vary between Windows versions
3. For systems with "Password never expires" set, the date won't be available
4. The maximum password age is defined in seconds in the security policy