Setting a user account's password to never expire is not recommended and is a security risk. There are times when this can't be avoided, such as with a service account: many vendors require a service to run under a service account that has a non-expiring password.

For regular user accounts, it’s best practice to have a password policy in place that requires users to change their password after a period of time (60 to 90 days is common). Administrators of Active Directory should do regular maintenance on AD objects.

The maintenance should include finding disabled user accounts, unused computer or user accounts and passwords that are set to never expire. These identified accounts should be secured or removed, depending on your organization’s policy. This post provides three different methods for finding user accounts that have the password set to never expire.

Example 1: Find common queries

1. Open Active Directory Users and Computers.

2. Click the Find button on the toolbar.

3. In the Find Common Queries window select Common Queries and Entire Directory. Check the Non Expiring Passwords box and click the Find Now button.

My search returned three accounts that have their password set to never expire.


Example 2: LDAP Query

This next example uses the Saved Queries feature in Active Directory Users and Computers. These queries are built on LDAP query syntax.

1. Open Active Directory Users and Computers.

2. Right-click Saved Queries, select New, then click Query.

3. Enter a name for the Query and click Define Query. I named my query Users Password Never Expire.

4. Click Non expiring passwords, then click the OK button.

5. Back at the New Query window you can see that the query string has been filled in. At this point the query is ready to click OK.

You should now see the query under Saved Queries. Simply click on the query and it will display all the accounts whose password is set to never expire.

This query will be saved in Active Directory Users and Computers so next time you open it your query will still be there.

Example 3: Using PowerShell to find accounts with password set to never expire

1. Open PowerShell.

2. Type the command below and hit enter.

Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A
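The one-liner above only lists the accounts. The script below is an added example, not from the original post, that extends it: it applies the same LDAP filter the saved query from Example 2 uses, reports how old each non-expiring password is, and flags enabled accounts that are older than the password policy. It assumes the ActiveDirectory module (RSAT) is installed and a domain-joined session; the 90-day threshold and the CSV path are assumed values.

```powershell
# Added example (not part of the original post). Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90                                  # assumed policy value (post cites 60 to 90 days)
$ReportPath         = "C:\Temp\PasswordNeverExpires.csv"  # assumed output location

# Same condition the saved query in Example 2 generates: the DONT_EXPIRE_PASSWD bit
# (0x10000 = 65536) of userAccountControl, tested with the LDAP bitwise-AND matching rule.
$Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"

$Accounts = Get-ADUser -LDAPFilter $Filter -Properties PasswordLastSet, Enabled, LastLogonDate, Description |
    ForEach-Object {
        # PasswordLastSet is $null when the password has never been set or must change at next logon
        $age = if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet -End (Get-Date)).Days } else { $null }
        [PSCustomObject]@{
            SamAccountName  = $_.SamAccountName
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            PasswordAgeDays = $age
            LastLogonDate   = $_.LastLogonDate
            Description     = $_.Description
            # Review first: enabled accounts whose password is older than policy (or never set)
            NeedsReview     = $_.Enabled -and (($null -eq $age) -or ($age -gt $MaxPasswordAgeDays))
        }
    }

$Accounts | Sort-Object PasswordAgeDays -Descending |
    Format-Table SamAccountName, Enabled, PasswordAgeDays, LastLogonDate, NeedsReview -AutoSize

# Keep a record of the audit so disabled/removed accounts can be tracked against policy
$Accounts | Export-Csv -Path $ReportPath -NoTypeInformation

$review = @($Accounts | Where-Object NeedsReview).Count
Write-Host ("{0} accounts have non-expiring passwords; {1} need review." -f @($Accounts).Count, $review)
```

Disabled accounts are still listed (they keep the flag even when disabled) but are not marked for review, so you can decide separately whether to remove them.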

