Review Password Expiration Information for an Active Directory User Using PowerShell for Okta Password Troubleshooting
Overview

Okta retrieves password expiration data only when Just-In-Time (JIT) Provisioning is enabled. It reads the msDS-UserPasswordExpiryTimeComputed attribute from the Domain Controller that handled the JIT event; that Domain Controller is recorded in the AD Agent logs.


Administrators can use PowerShell to retrieve this attribute and convert it into a readable format to troubleshoot password policy behavior, unexpected password change prompts, or Password Expiration Email Automation.

Applies To
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Active Directory (AD)
  • AD-Sourced Users
  • Delegated Authentication
  • Just-In-Time (JIT)
Solution


How to verify the password expiration date using PowerShell?

To retrieve a user's password expiration date using PowerShell, run the command below:

Get-ADUser -Server <DC name> -Credential '<oktaservice>' -Identity <samaccountname> `
    -Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
    Select-Object SamAccountName, DisplayName,
        @{Name="PasswordExpirationDate"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

  • Replace <samaccountname> with the user identifier.
  • Replace <DC name> with the name of the domain controller that processed the JIT authentication.
  • Replace <oktaservice> with the samaccountname of the AD Agent service account.
  • Enter the password of this service account when prompted.

Running the query as the Okta AD Agent service account retrieves the user data and, at the same time, confirms that the account has the permissions needed to read the attribute. If the command returns no value for the attribute, the password never expires.
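The following function is an added example, not part of the Okta article: it wraps the same Get-ADUser query in a reusable function and converts msDS-UserPasswordExpiryTimeComputed without throwing on the sentinel values the raw attribute can carry. It assumes the ActiveDirectory (RSAT) module is installed, that the DC name is taken from the AD Agent log entry for the JIT event, and that the credential is the AD Agent service account; the function name, parameter names and sample values are placeholders chosen for this example.

```powershell
# Added example (not Okta's code). Assumes the ActiveDirectory module is available.
function Get-OktaAdPasswordExpiry {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,      # user to inspect
        [Parameter(Mandatory)] [string] $DcName,              # DC that handled the JIT event (from AD Agent logs)
        [Parameter(Mandatory)] [pscredential] $AgentCredential # Okta AD Agent service account
    )

    # Query the same DC Okta used, as the agent account, so permission problems surface here too.
    $user = Get-ADUser -Server $DcName -Credential $AgentCredential -Identity $SamAccountName `
        -Properties DisplayName, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'

    $raw = $user.'msDS-UserPasswordExpiryTimeComputed'

    # The attribute is a FILETIME stored as Int64. Two values are sentinels, not dates:
    #   0               -> user must change the password at next logon
    #   [long]::MaxValue -> password never expires (DONT_EXPIRE_PASSWD or a 0-day max age)
    # [datetime]::FromFileTime throws on the MaxValue sentinel, so classify before converting.
    if ($null -eq $raw)                { $status = 'AttributeNotReturned' }  # check agent account read rights
    elseif ($raw -eq 0)                { $status = 'MustChangeAtNextLogon' }
    elseif ($raw -eq [long]::MaxValue) { $status = 'NeverExpires' }
    else                               { $status = 'Expires' }

    $expires = if ($status -eq 'Expires') { [datetime]::FromFileTime($raw) } else { $null }

    [pscustomobject]@{
        SamAccountName         = $user.SamAccountName
        DisplayName            = $user.DisplayName
        PasswordLastSet        = $user.PasswordLastSet
        PasswordExpirationDate = $expires
        DaysUntilExpiry        = if ($expires) { [math]::Round(($expires - (Get-Date)).TotalDays, 1) } else { $null }
        Status                 = $status
        QueriedDc              = $DcName
    }
}

# Usage with placeholder values; the DC name comes from the AD Agent log line for the JIT event.
$cred = Get-Credential -Message 'Okta AD Agent service account' -UserName 'CONTOSO\oktaservice'
Get-OktaAdPasswordExpiry -SamAccountName 'jdoe' -DcName 'DC01.contoso.com' -AgentCredential $cred | Format-List
```

Comparing the Status field with what the user sees in Okta (unexpected change prompts, expiration emails) tells you whether the value Okta read at JIT time matches what the DC holds now.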


How to verify the password expiration date using Command Prompt?

The net user <samaccountname> /domain command reads only the Default Domain Policy. It does not take fine-grained password policies (FGPP) or individual user overrides into account, so for organizations using FGPP the Password expires date it reports may be incorrect. Use the PowerShell method above for an accurate value.

Follow these steps to verify the password expiration date of a user using Command Prompt:

  1. Open an administrative Command Prompt.
  2. Run the following command:

net user <samaccountname> /domain

  3. Replace <samaccountname> with the specific user.
  4. Locate the Password expires value in the output.

