Mar 16 12:29:56 authpriv.err sshd30694: error: PAM: User account has expired for tuser from 10.109.4.20
Mar 16 12:29:56 authpriv.info sshd30694: Failed keyboard-interactive/pam for tuser from port 60942 ssh2.
- Fixes an issue in which you cannot change an expired password if you use a user account to establish a remote desktop session to a Windows Server 2008 R2-based RD Session Host server from a client computer. This issue occurs in a VDI environment.
- Here, navigate to Computer Configuration - Windows Settings - Security Settings - Account Policies - Password Policy. Now double-click “Maximum password age” and increase the number of days according to your preference. After that, click the “OK” button and you are done.
Originally published July, 2017 and updated August, 2019
How to Get a List of Expired User Accounts with PowerShell
One of the most important tasks that an Active Directory administrator performs is ensuring that expired user accounts are reported in a timely manner and that action is taken immediately to remove or disable them. Note that user accounts for which you set an expiration date are only created temporarily. For example, you might have created several user accounts to allow vendors to log on to Active Directory. Similarly, you might have created user accounts for contractors. If you wish to see which accounts have expired, execute the following PowerShell command:
Note the use of the Search-ADAccount PowerShell cmdlet again but with a different switch this time. The switch that we use is AccountExpired. As the name suggests, the AccountExpired switch helps you to collect user accounts that have expired.
How to Get Account Expiration Date Using PowerShell
To get the AD account expiration date for all enabled users in your Active Directory, you can use the Get-ADUser cmdlet with the AccountExpirationDate property. Run the following script in PowerShell ISE on your Windows Server:
You will get an expiration date and time for the complete list of your AD users.
If you need a summary for a specific group, modify the script by adding the -SearchBase parameter. You can pipe the data to a .csv file (e.g. to import it into Excel or open it in a text editor) by adding | Export-Csv <Path> -NoTypeInformation
Assuming we need to export the list of account expiry dates for the “IT” organizational unit of the enterprise.com domain, the expression we will execute on the DC is the following:
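The script below is an added example, not the article's original script. It reads AccountExpirationDate for enabled users, labels each account by expiry status and exports the result to CSV. The function name Get-AccountExpiryStatus, the 14-day warning window, the output file name and the OU path OU=IT,DC=enterprise,DC=com (the "IT" OU assumed to sit directly under the domain root) are assumptions.

```powershell
# Added example: classify accounts by expiration date (hypothetical helper name).
function Get-AccountExpiryStatus {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $WarnDays = 14,               # assumed warning window
        [datetime] $Now = (Get-Date)
    )
    process {
        $exp = $User.AccountExpirationDate  # $null when no expiration date is set
        if ($null -eq $exp)                       { $status = 'NeverExpires' }
        elseif ($exp -le $Now)                    { $status = 'Expired' }
        elseif ($exp -le $Now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
        else                                      { $status = 'Active' }
        [pscustomobject]@{
            SamAccountName        = $User.SamAccountName
            Enabled               = $User.Enabled
            AccountExpirationDate = $exp
            Status                = $status
            # Expired but still enabled: candidates to disable or remove first
            NeedsAction           = ($status -eq 'Expired' -and [bool]$User.Enabled)
        }
    }
}

# Constructed sample objects, so the function can be tried without a domain
$sample = @(
    [pscustomobject]@{ SamAccountName = 'vendor1';     Enabled = $true; AccountExpirationDate = (Get-Date).AddDays(-3) }
    [pscustomobject]@{ SamAccountName = 'contractor1'; Enabled = $true; AccountExpirationDate = (Get-Date).AddDays(5) }
    [pscustomobject]@{ SamAccountName = 'staff1';      Enabled = $true; AccountExpirationDate = $null }
)
$sample | Get-AccountExpiryStatus | Format-Table -AutoSize

# Against Active Directory (needs the ActiveDirectory module, e.g. on a DC or with RSAT).
# The OU path and the output file name are assumptions.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=IT,DC=enterprise,DC=com' `
               -Properties AccountExpirationDate |
        Get-AccountExpiryStatus |
        Export-Csv -Path .\it-account-expiry.csv -NoTypeInformation
}
```

Rows with NeedsAction set to True are expired accounts that are still enabled, which are the ones to disable or remove first.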
Summing up, with minimal Microsoft PowerShell scripting skills, Search-ADAccount combined with Get-ADUser can help you solve many ad-hoc AD cleanup and analysis tasks.