In this guide, you will learn how to get a list of users that have the password never expires option enabled in Active Directory.
Passwords set to never expire in Active Directory poses multiple security risks including password compromise, compliance risk, and increase chances of phishing or social engineering attacks.
It is good security practice to regular audit your domain user accounts for any that have the “Password never expires” option enabled.
PowerShell: List AD Users with Password Never Expires Enabled
In this example, I’ll use get-aduser cmdlet to get all AD users with password never expires enabled.
Step 1. Open PowerShell
Step 2. Copy and run the command below.
get-aduser -filter * -properties Name, PasswordNeverExpires | where {$_.passwordNeverExpires -eq "true" } | select SamAccountName, PasswordNeverExpires, DistinguishedName, EnabledStep 3. Review the list of accounts.
You should have a list of accounts like the screenshot below. The PasswordNeverExpires column will say True for accounts that have the option enabled.
To check a single account, use this command. Change identity to the account name you want to check.
get-aduser -Identity robert.allen -Properties PasswordNeverExpiresEasily Get AD User Password Never Expires using AD Pro Toolkit
With the AD Pro Toolkit, you can automate the password never expires report and include additional account details.
- Click on “User Reports” and select “Password Reports”.
- Select the “Users with a password set to never expire” report.
- Click “Run” to generate the report. You can also click browse to run this on a specific OU or group.
- To export the report click the “Export” button.
The above report includes the following details:
- displayName: Displays the account display name
- sAMAccountName: The users logon name
- passwordneverExpires: Shows true or false for the password expire status.
- pwdLastSet: The users password last set date
- badPasswordTime: The users last bad password time
- badPWdCount: The users bad password count since last successful login.
Automate Password Never Expires Report
This can help you stay in compliance by checking the account status on a regular basis (daily, weekly or monthly).
To schedule the password set to never expire report follow these steps.
- Click on “Scheduler”
- Click “Add”
- Enter a report name and set the credentials
- Select the report frequncy
- For the report category select “Password Status”
- For the report select “Users with a password set to never expire”
- Enter your email information and click “Finish”.
How to fix Users Password That Never Expire
What if you run the above reports and you find several accounts that have their password set to never expire?
You can bulk enable or disable the password never expires option with the AD Pro Toolkit. When using the bulk update users tool click the option button and select the options you want to enable or disable.
To enable or disable this option on single user accounts open the account in Active Directory and click on the “Account” tab. Check or uncheck the “password never expires” option.
Active Directory Password Never Expires Attribute
There is no password never expires attribute in Active Directory.
When using PowerShell, the PasswordNeverExpire property is a calculated property that comes from the UserAccountControl attribute.
This PasswordNeverExpire property essentially checks the userAccountControl attribute of a user object to determine if the password is set to never expire.
The UAC Decimal value for an account with password set to never expire is 66048. This UAC value can be different if the account has other options enabled.
You can check the userAccountControl attribute value by opening the Active Directory account and going to the attribute editor.
Summary
In this article, I showed you two options to get a list of users with password never expires. There are times when system administrators set account passwords to never expire and this can weaken your AD security.
As I mentioned in this article, you should have a domain password policy configured that requires users to change their password on a regular basis (for example, 60 days). To keep track of accounts that have the password never expires attribute enabled you should run regular reports on all user accounts. The AD Pro toolkit makes it very easy to generate reports on all user accounts.
