Accounts with passwords set to never expire are a security risk and should be reviewed regularly. In this guide, I’ll show you how to find Active Directory users whose passwords are set to never expire using PowerShell and the AD Pro Toolkit.
Table of contents
- Find Password Never Expires Users with PowerShell
- Find Password Never Expires Users with AD Pro Toolkit
- Active Directory Password Never Expires Attribute
Find Password Never Expires Users with PowerShell
In this example, I’ll use the Get-ADUser cmdlet to get all AD users that have the password never expires option enabled.
Step 1. Open PowerShell
Step 2. Copy and run the command below.
Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object SamAccountName, PasswordNeverExpires, DistinguishedName, Enabled
Step 3. Review the list of accounts.
You should now have a list of accounts. The PasswordNeverExpires column will say True for accounts that have the option enabled.

To check a single account, use this command. Change the identity to the account name you want to check.
Get-ADUser -Identity robert.allen -Properties PasswordNeverExpires
Find Password Never Expires with AD Pro Toolkit
With the AD Pro Toolkit, you can automate the password never expires report and include additional account details.
- Click on “User Password Reports” and then “Password Set to Never Expire”
- Click “Run Report”

The report includes the following details:
- displayName: The account display name
- sAMAccountName: The user's logon name
- passwordneverExpires: Shows true or false for the password never expires status
- pwdLastSet: The date the user's password was last set
- badPasswordTime: The time of the user's last bad password attempt
- badPWdCount: The user's bad password count since the last successful login
Active Directory Password Never Expires Attribute
There is no password never expires attribute in Active Directory.
When using PowerShell, the PasswordNeverExpires property is a calculated property that comes from the userAccountControl attribute.
PowerShell checks the userAccountControl attribute of the user object to determine whether the password is set to never expire.
The decimal UAC value for an account with the password set to never expire is 66048. This UAC value can be different if the account has other options enabled.
You can check the userAccountControl attribute value by opening the Active Directory account and going to the attribute editor.
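The 66048 value above is 512 (NORMAL_ACCOUNT) plus 65536 (DONT_EXPIRE_PASSWORD), so a reliable check tests that one bit instead of comparing the whole number. The script below is an added example, not part of the original article or the AD Pro Toolkit; the helper names Get-UacFlagNames and Test-PasswordNeverExpires are hypothetical, and the sample values other than 66048 are constructed for illustration.

```powershell
# userAccountControl bits (documented Microsoft values); subset relevant to this report.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x00002
    PASSWD_NOTREQD       = 0x00020
    NORMAL_ACCOUNT       = 0x00200
    DONT_EXPIRE_PASSWORD = 0x10000   # 65536
    SMARTCARD_REQUIRED   = 0x40000
}

# Hypothetical helper: list the known flags set in a userAccountControl value.
function Get-UacFlagNames {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if ($UserAccountControl -band $flag.Value) { $flag.Key }
    }
}

# Hypothetical helper: true when the DONT_EXPIRE_PASSWORD bit is set,
# regardless of which other options are enabled on the account.
function Test-PasswordNeverExpires {
    param([Parameter(Mandatory)][int]$UserAccountControl)
    [bool]($UserAccountControl -band $UacFlags.DONT_EXPIRE_PASSWORD)
}

# Constructed sample values: 66048 is the article's value, 66050 adds "disabled",
# 66080 adds "password not required", 512 is a normal account without the option.
foreach ($value in 66048, 66050, 66080, 512) {
    [pscustomobject]@{
        UAC                  = $value
        PasswordNeverExpires = Test-PasswordNeverExpires $value
        Flags                = (Get-UacFlagNames $value) -join ', '
    }
}

# Against a live domain: the LDAP bitwise-AND matching rule makes the domain
# controller return every account with bit 65536 set, so accounts whose UAC
# is not exactly 66048 are still reported. Runs only if the AD module is installed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
        -Properties userAccountControl, PasswordLastSet |
        Select-Object SamAccountName, Enabled, userAccountControl, PasswordLastSet
}
```

Rows such as 66050 and 66080 show why an equality match on 66048 would miss disabled accounts and accounts with no password required, both of which are worth reviewing alongside the never expires setting.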

Summary
In this article, I showed you two options to get a list of users with password never expires. There are times when system administrators set account passwords to never expire, and this can weaken your AD security.
As I mentioned in this article, you should have a domain password policy configured that requires users to change their password on a regular basis (for example, 60 days). To keep track of accounts that have the password never expires option enabled, you should run regular reports on all user accounts. The AD Pro Toolkit makes it very easy to generate reports on all user accounts.