In this guide, I’ll show you two options for getting a list of users with the password set to never expire. Company policies may require passwords to be changed after a period of time (such as 90 days). If an account has the “Password never expires” option enabled, it ignores the maximum password age in the domain password policy and its password will never expire.
In this article:
- Password Never Expires Attribute
- Option 1. Find Users with Password Never Expires using PowerShell
- Option 2. Find Users with Password Never Expires using the AD Pro Toolkit
- Disable Password Never Expires for multiple users
Password Never Expires Attribute
User accounts can have the password never expires option enabled in ADUC by opening the account, clicking the “Account” tab and checking the “Password never expires” box.
To enable password never expires with PowerShell, use the command below (it requires the ActiveDirectory module, installed with RSAT).
set-aduser -identity agnes.haywood -PasswordNeverExpires:$True
There is no attribute called password never expires. The option sets the DONT_EXPIRE_PASSWORD flag (0x10000, decimal 65536) in the account’s userAccountControl attribute, and the PasswordNeverExpires property shown by the AD PowerShell cmdlets is derived from that bit. In the examples below, I’ll show you how to get a list of all users that have password never expires enabled.
Option 1. Find Users with Password Never Expires using PowerShell
In this example, I’ll use the Get-ADUser cmdlet to get all AD users with password never expires.
Step 1. Open PowerShell
Step 2. Copy and run the command below.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires | Select-Object SamAccountName, PasswordNeverExpires, DistinguishedName, Enabled
Step 3. Review the list of accounts.
You should have a list of accounts like the screenshot below. The PasswordNeverExpires column will say True for every account in the list, because the filter only returns accounts that have the option enabled. Check the Enabled column as well: disabled accounts are included, but the enabled ones are the accounts to deal with first.
To check a single account, use this command. Change the identity to the account name you want to check.
get-aduser -Identity robert.allen -Properties PasswordNeverExpires
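The following script is an added example, not code from the original article. It builds on the one-liner above and on the userAccountControl explanation earlier: it pulls enabled accounts with a non-expiring password, shows that the PasswordNeverExpires property is just bit 0x10000 of userAccountControl, calculates the password age, and exports the result to CSV. It assumes the ActiveDirectory module is installed and that you are running as a domain user who can read AD; the output path is made up.

```powershell
# Added example (not from the original article): report enabled users whose
# password never expires, show how the flag lives in userAccountControl, and
# export the result to CSV. Assumes the ActiveDirectory module (RSAT) is
# installed and that the current user can read Active Directory.
Import-Module ActiveDirectory

# DONT_EXPIRE_PASSWORD is bit 0x10000 (decimal 65536) of userAccountControl.
$DontExpirePassword = 0x10000

# Filter server-side so only matching accounts cross the wire. The AD module
# translates PasswordNeverExpires into a bitwise userAccountControl filter.
$users = Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet, userAccountControl, LastLogonDate

$report = foreach ($u in $users) {
    [PSCustomObject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        PasswordNeverExpires = $u.PasswordNeverExpires
        # Decode the flag directly from the attribute to prove it is just a bit
        UacBitSet            = (($u.userAccountControl -band $DontExpirePassword) -ne 0)
        # Age in days; $null when the password was never set (pwdLastSet = 0)
        PasswordAgeDays      = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
        LastLogonDate        = $u.LastLogonDate
        DistinguishedName    = $u.DistinguishedName
    }
}

# Oldest passwords first; those are the accounts that most need attention.
$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize

# Output path is a placeholder; change it to suit your environment.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\PasswordNeverExpires.csv" -NoTypeInformation
```

Filtering on the server side matters in large domains: `Get-ADUser -Filter *` followed by `Where-Object` pulls every user object back to the client, whereas the `-Filter` expression above returns only the accounts you care about.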
Option 2. Find Users with Password Never Expires using the AD Pro Toolkit
In this example, I’ll use the AD Pro Toolkit to generate a list of users that have password never expires enabled.
- Click on “User Reports” and select “Password Reports”.
- Select the “Users with a password set to never expire” report.
- Click “Run” to generate the report. You can also click browse to run this on a specific OU or group.
- To export the report click the “Export” button.
Automate Password Never Expires Report
With the toolkit you can schedule this report and have it email you the results. This can help you stay in compliance by checking the account status on a regular basis (daily, weekly or monthly).
To schedule the password set to never expire report follow these steps.
- Click on “Scheduler”
- Click “Add”
- Enter a report name and set the credentials
- Select the report frequency
- For the report category select “Password Status”
- For the report select “Users with a password set to never expire”
- Enter your email information and click “Finish”.
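If you would rather schedule the PowerShell report from Option 1 than use the toolkit’s scheduler, the script below is an added example (it is not part of the original article or of the AD Pro Toolkit). It writes a small report script to disk, then registers a Windows scheduled task that runs it every Monday morning under a dedicated reporting account and e-mails the CSV. The script path, SMTP server and e-mail addresses are placeholders, and it assumes an internal mail relay that accepts mail from the reporting host.

```powershell
# Added example (not from the original article or the AD Pro Toolkit):
# register a scheduled task that runs a PowerShell report every Monday and
# e-mails the CSV. Paths, server names and addresses are placeholders.
$ScriptPath = 'C:\Scripts\Get-PasswordNeverExpires.ps1'
New-Item -ItemType Directory -Force -Path (Split-Path $ScriptPath) | Out-Null

# The report script itself. Single-quoted here-string, so the variables are
# written literally and expand when the task runs, not now.
@'
Import-Module ActiveDirectory
$csv = Join-Path $env:TEMP 'PasswordNeverExpires.csv'
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet, DistinguishedName |
    Export-Csv -Path $csv -NoTypeInformation
# Assumes an internal relay (smtp.example.com) that accepts mail from this host.
Send-MailMessage -From 'adreports@example.com' -To 'secops@example.com' `
    -Subject "Password never expires report $(Get-Date -Format yyyy-MM-dd)" `
    -Body 'Attached: enabled accounts with a password set to never expire.' `
    -Attachments $csv -SmtpServer 'smtp.example.com'
'@ | Set-Content -Path $ScriptPath

$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 6am

# Run as a dedicated reporting account; read access to AD is all it needs,
# so do not use a Domain Admin here.
$cred = Get-Credential -Message 'Account the report should run as'
Register-ScheduledTask -TaskName 'AD - Password Never Expires Report' `
    -Action $action -Trigger $trigger -RunLevel Limited `
    -User $cred.UserName -Password $cred.GetNetworkCredential().Password
```

Because the task stores the credential of the account it runs as, give that account only the read access the report needs and lock down who can edit the script file, since anyone who can change it runs code as that account on the schedule.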
Disable Password Never Expires for multiple Users
If you have multiple users with password never expires enabled and you want to disable it, follow these steps.
You can disable password never expires for a single account with the PowerShell command below. Once the flag is cleared the password is subject to the domain maximum password age again, so if it is already older than that the user will be prompted to change it at the next logon. Check service accounts first, because a forced change there can break whatever depends on them.
Set-ADUser -Identity james.knutson -PasswordNeverExpires $false
Another option is to use the AD Pro Toolkit. With the Toolkit you can bulk disable the password never expires option and set accounts back to normal.
- Create a CSV with a list of user accounts using the accounts’ sAMAccountName (logon name).
- Add a userAccountControl column and set the value to 512 (NORMAL_ACCOUNT). This writes the whole attribute, not just one bit, so any other flag on the account (for example ACCOUNTDISABLE, 2) is cleared as well. Only use this value for accounts that should end up as plain, enabled user accounts.
- Open the toolkit and run the “Bulk User Modification” tool.
CSV Example.
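As an alternative to writing 512 into userAccountControl, the script below is an added example (not from the original article) that reads the same kind of CSV and clears the flag with Set-ADUser, which flips only the DONT_EXPIRE_PASSWORD bit and leaves every other userAccountControl flag untouched. It assumes the ActiveDirectory module and a CSV with a sAMAccountName column; the file path and the sample account names are made up, and the sample CSV is written inline so the script runs against a known input.

```powershell
# Added example (not from the original article): clear "password never
# expires" for every account listed in a CSV, using Set-ADUser so that only the
# DONT_EXPIRE_PASSWORD bit changes and other userAccountControl flags (such as
# ACCOUNTDISABLE) are left alone. Assumes the ActiveDirectory module and a CSV
# with a sAMAccountName column; the path and account names are placeholders.
Import-Module ActiveDirectory

$CsvPath = 'C:\temp\pne-users.csv'
New-Item -ItemType Directory -Force -Path (Split-Path $CsvPath) | Out-Null

# Constructed sample input (same shape the toolkit's Bulk User Modification expects).
@'
sAMAccountName
james.knutson
agnes.haywood
'@ | Set-Content -Path $CsvPath

# Set $WhatIfPreference = $true before running to dry-run without changing AD.
$results = foreach ($row in Import-Csv -Path $CsvPath) {
    $sam = $row.sAMAccountName.Trim()
    try {
        $user = Get-ADUser -Identity $sam -Properties PasswordNeverExpires
        if (-not $user.PasswordNeverExpires) {
            [PSCustomObject]@{ SamAccountName = $sam; Result = 'Already expires' }
            continue
        }
        # Clears only the DONT_EXPIRE_PASSWORD bit; Enabled and other flags are untouched.
        Set-ADUser -Identity $user -PasswordNeverExpires $false
        [PSCustomObject]@{ SamAccountName = $sam; Result = 'Cleared' }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [PSCustomObject]@{ SamAccountName = $sam; Result = 'Not found' }
    }
}

$results | Format-Table -AutoSize
```

Run it first with `$WhatIfPreference = $true` to see which accounts would change, and keep the output as a record of what was modified.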
Summary
In this article, I showed you two options to get a list of users with password never expires. There are times when system administrators set account passwords to never expire, and this weakens your AD security.
As I mentioned in this article, you should have a domain password policy configured that requires users to change their password on a regular basis (for example, every 60 days). To keep track of accounts that have the password never expires option enabled, run regular reports on all user accounts. The AD Pro Toolkit makes it very easy to generate reports on all user accounts.