Find Users with Password Never Expires (2 Options)

by Robert Allen

In this guide, I’ll show you two options for getting a list of users whose password is set to never expire. Company policies may require passwords to be changed after a period of time (such as 90 days). Accounts with the “Password never expires” option enabled ignore the policy, and their passwords never expire.

Password Never Expires Attribute

User accounts can have the password never expires option enabled by going into ADUC, clicking the “Account” tab and checking the “Password never expires” box.

To enable password never expires with PowerShell, use the command below.

set-aduser -identity agnes.haywood -PasswordNeverExpires:$True

There is no attribute called “password never expires”; instead, this setting changes the account’s userAccountControl attribute. In the examples below, I’ll show you how to get a list of all users that have password never expires enabled.

Option 1. Find Users with Password Never Expires using PowerShell

In this example, I’ll use the Get-ADUser cmdlet to get all AD users with password never expires enabled.

Step 1. Open PowerShell

Step 2. Copy and run the command below.

get-aduser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | select SamAccountName, PasswordNeverExpires, DistinguishedName, Enabled

Step 3. Review the list of accounts.

You should now have a list of accounts. The PasswordNeverExpires column will say True for accounts that have the option enabled.

To check a single account, use this command. Change identity to the account name you want to check.

get-aduser -Identity robert.allen -Properties PasswordNeverExpires

Option 2. Find Users with Password Never Expires using the AD Pro Toolkit

In this example, I’ll use the AD Pro Toolkit to generate a list of users that have password never expires enabled.

  1. Click on “User Reports” and select “Password Reports”.
  2. Select the “Users with a password set to never expire” report.
  3. Click “Run” to generate the report. You can also click browse to run this on a specific OU or group.
  4. To export the report click the “Export” button.

Automate Password Never Expires Report

With the toolkit you can schedule this report and have it email you the results. This can help you stay in compliance by checking the account status on a regular basis (daily, weekly or monthly).

To schedule the password set to never expire report, follow these steps.

  1. Click on “Scheduler”
  2. Click “Add”
  3. Enter a report name and set the credentials
  4. Select the report frequency
  5. For the report category select “Password Status”
  6. For the report select “Users with a password set to never expire”
  7. Enter your email information and click “Finish”.

Disable Password Never Expires for multiple Users

If you have multiple users with password never expires enabled and you want to disable it, follow these steps.

You can disable password never expires with the PowerShell command below.

set-aduser -identity james.knutson -PasswordNeverExpires $false

Another option is to use the AD Pro Toolkit. With the Toolkit you can bulk disable the password never expires option and set accounts back to normal.

  1. Create a CSV with a list of user accounts using the account’s sAMAccountName (logon name).
  2. Add a userAccountControl column and set the value to 512.
  3. Open the toolkit and run the “Bulk User Modification” tool.

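The following PowerShell script is an added example, not code from the original article or the AD Pro Toolkit. It reports each flagged account by testing the DONT_EXPIRE_PASSWORD bit (65536) in userAccountControl, shows which other flags a literal write of 512 would also drop (for example the disabled bit, 2), and then clears only the never-expires flag. It assumes the ActiveDirectory module is installed; users.csv and password-never-expires.csv are hypothetical file names.

```powershell
# Added example (not from the original article or the AD Pro Toolkit).
# Assumes the RSAT ActiveDirectory module; .\users.csv is a hypothetical file
# with a sAMAccountName column.
Import-Module ActiveDirectory

# userAccountControl is a bitmask; these are the flags this report looks at.
$NORMAL_ACCOUNT       = 0x0200    # 512
$ACCOUNTDISABLE       = 0x0002    # 2, shown for reference
$DONT_EXPIRE_PASSWORD = 0x10000   # 65536, the "Password never expires" box

# Server-side match on the bit, using the LDAP bitwise-AND matching rule.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$DONT_EXPIRE_PASSWORD))"

$report = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, PasswordLastSet |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            CurrentUAC      = $uac
            # Value after clearing only the never-expires bit (other flags kept).
            UACBitCleared   = $uac -band (-bnot $DONT_EXPIRE_PASSWORD)
            # Flags a literal write of 512 would also drop, e.g. 2 for a disabled account.
            LostIfSetTo512  = $uac -band (-bnot ($NORMAL_ACCOUNT -bor $DONT_EXPIRE_PASSWORD))
        }
    }

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
$report | Export-Csv .\password-never-expires.csv -NoTypeInformation

# Clear the flag for the accounts in the CSV without touching other bits.
# -WhatIf only prints the planned change; remove it to apply.
Import-Csv .\users.csv | ForEach-Object {
    Set-ADUser -Identity $_.sAMAccountName -PasswordNeverExpires $false -WhatIf
}
```

Once the flag is cleared, the domain maximum password age applies, so an account with an old PasswordLastSet value is treated as expired right away. Review the PasswordLastSet column, especially for service accounts, before removing -WhatIf.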

Summary

In this article, I showed you two options to get a list of users with password never expires. There are times when system administrators set account passwords to never expire and this can weaken your AD security.

As I mentioned in this article, you should have a domain password policy configured that requires users to change their password on a regular basis (for example, 60 days). To keep track of accounts that have the password never expires option enabled, you should run regular reports on all user accounts. The AD Pro Toolkit makes it very easy to generate reports on all user accounts.
