Find User Accounts with Password Set to Never Expire

Do you need to get a list of user accounts with their password set to never expire?

This can be done with PowerShell and the Active Directory users console. I’ll show you the exact steps for listing these accounts.

Setting a user account’s password to never expire is not recommended and can be a security risk. For regular user accounts, it’s best practice to have a password policy in place that requires users to change their password after a period of time (60 to 90 days is common).

There are times when this can’t be avoided, such as with a service account. Many vendors require an account to run as a service account that has a non-expiring password. Administrators of Active Directory should do regular maintenance on Active Directory to find these potentially risky accounts.

The maintenance should include finding disabled user accounts, unused computer or user accounts, and passwords that are set to never expire. These identified accounts should be secured or removed, depending on your organization’s policy. This post provides three different methods for listing user accounts that have the password set to never expire.

Active Directory Password Never Expires Attribute

The AD Pro Toolkit includes Active Directory Reporting Software that can quickly get the password never expires attribute for all user accounts. See the steps below.

Step 1: Click on Reports

Open the toolkit and click on reports from the top menu.

Step 2: Select Password Status report

Under the “password status” section click on the “Users with a password set to never expire” report then click the run button.

You should now have a list of all the users in the domain that have their password set to never expire. In the screenshot below, the tool found 17 user accounts in my domain.

Step 3: Export the list

You can click the export button to export the list to CSV, XLSX, or PDF.

The toolkit includes many other useful user reports such as bad password time, passwords expiring soon, users that cannot change passwords, and many more.

Download the AD Pro Toolkit and try it for free.

Method 2: Get Password Never Expires Using Common Queries

In this example, I’ll use the common queries from the ADUC console to list all users whose password never expires.

1. Open Active Directory Users and Computers.

2. Click the find button from the toolbar.

3. In the Find Common Queries window, select Common Queries and Entire Directory. Check the Non Expiring Passwords box and click the Find Now button.

My search returned three accounts that have their password set to never expire.

Method 3: List Users with password never expires using PowerShell

In this last example, I’ll use the Search-ADAccount PowerShell cmdlet.

1. Open PowerShell.

2. Type the command below and hit enter.

Search-ADAccount -PasswordNeverExpires | Format-Table Name, ObjectClass -AutoSize

You can also use the Get-ADUser cmdlet to get similar results.

Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true }

The above command will filter all user accounts for the PasswordNeverExpires attribute and display only the users that are set to true.
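
The two cmdlets above can be combined into a recurring report that also shows how old each non-expiring password is and whether the account is still enabled. This is an added example, not part of the original article; it assumes the ActiveDirectory module is installed, and the output path, the 90-day threshold and the use of a registered SPN as a hint that the account is a service account are assumptions chosen for illustration.

```powershell
# Added example (not from the original article).
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$MaxAgeDays = 90                               # assumption: upper end of the 60-90 day policy
$OutFile    = '.\password-never-expires.csv'   # hypothetical output path
$Props      = 'PasswordLastSet', 'LastLogonDate', 'ServicePrincipalName'
$Now        = Get-Date

# Search-ADAccount finds the accounts; Get-ADUser adds the extra properties.
$Report = Search-ADAccount -PasswordNeverExpires -UsersOnly |
    Get-ADUser -Properties $Props |
    ForEach-Object {
        # PasswordLastSet is empty when no password has ever been set
        $ageDays = if ($_.PasswordLastSet) {
            ($Now - $_.PasswordLastSet).Days
        } else {
            $null
        }

        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            PasswordLastSet   = $_.PasswordLastSet
            PasswordAgeDays   = $ageDays
            LastLogonDate     = $_.LastLogonDate
            # Heuristic only: an account with an SPN usually runs a service
            HasSPN            = $_.ServicePrincipalName.Count -gt 0
            # Flag passwords older than the threshold, or never set at all
            NeedsReview       = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
            DistinguishedName = $_.DistinguishedName
        }
    }

# Oldest passwords first; keep a CSV copy for the maintenance record
$Sorted = $Report | Sort-Object PasswordAgeDays -Descending
$Sorted | Export-Csv -Path $OutFile -NoTypeInformation
$Sorted | Format-Table SamAccountName, Enabled, PasswordAgeDays, HasSPN, NeedsReview -AutoSize
```

Enabled accounts with an old password and no SPN are the first ones to check against your organization’s policy; disabled accounts in the list are candidates for cleanup.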

Summary

In this article, we walked through 3 different options to get a list of users with password never expires. There are times when system administrators set account passwords to never expire and this can weaken your AD security.

As I mentioned in this article, you should have a domain password policy configured that requires users to change their password on a regular basis (for example, 60 days). To keep track of accounts that have the password never expires attribute enabled, you need to run regular reports on all user accounts. The AD Pro Toolkit makes it very easy to generate reports on all user accounts.
