Find Users with Password Never Expires (2 Options)

In this guide, I’ll show you two options on how to get a list of users with the password set to never expire. I’ll also show you how to update (uncheck) the password never expires box for multiple users.

PowerShell Get Users With Password Never Expires

In this example, I’ll use the Get-ADUser cmdlet to get all AD users whose password is set to never expire.

  1. Open PowerShell:

    Copy and paste the script below:

    Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object SamAccountName, DistinguishedName, Enabled

  2. Review the list of accounts:

    The output is displayed in the PowerShell console.

  3. Export to CSV:

    To export the results to CSV, pipe them to the Export-Csv cmdlet.

    Example:

    Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object SamAccountName, DistinguishedName, Enabled | Export-Csv -Path c:\it\pw-never-expire.csv -NoTypeInformation

Option #2: List All Users Whose Password Never Expires with AD Pro Toolkit

In this example, I’ll use the AD Reporting Tool that is included in the AD Pro Toolkit.

Step 1. Open the AD Pro Toolkit.

Browse to User Reports -> Users with a password set to never expire

Step 2. Click “Run” to view the list of accounts.

Step 3. To export click the export button.


List Users with Password Never Expires in an OU

To list users with password never expires from a specific OU, use the command below. Replace the -SearchBase value with the distinguished name (DN) of your OU.

Get-ADUser -Filter * -SearchBase "OU=Management,OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com" -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object SamAccountName, PasswordNeverExpires, Enabled, DistinguishedName

Detailed Password Never Expires Reports

Our Active Directory Management Software includes several detailed password status reports. In the example below, I list users with the password set to never expire and include additional details such as the badPasswordTime, lastLogon, and whenChanged attributes.

How to Check the Password Never Expires Attribute for a Single User

With Get-ADUser you can query the PasswordNeverExpires attribute for an individual account or for all user accounts. Below is an example for an individual account.

Get-ADUser -Identity robert.allen -Properties PasswordNeverExpires

To get the PasswordNeverExpires attribute for all users, use this command.

Get-ADUser -Filter * -Properties PasswordNeverExpires | Select-Object Name, PasswordNeverExpires

In this example, I use Select-Object to limit the output to only the fields I want.

The previous example shows both True and False values for PasswordNeverExpires. To find only the accounts that are set to True, use Where-Object to filter the results.

Get-ADUser -Filter * -Properties Name, PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select-Object SamAccountName, PasswordNeverExpires, Enabled, DistinguishedName

How to Fix Active Directory Password Never Expires

Setting a user account’s password to never expire is not recommended and can be a security risk. For regular user accounts, it’s best practice to have a password policy in place that requires users to change their password after a period of time (60 to 90 days is common).

What if you have a large list of accounts that have the password set to never expire?

You can use the PowerShell command below to set PasswordNeverExpires to false for an account (the parameter is -PasswordNeverExpires).

Set-ADUser -Identity james.knutson -PasswordNeverExpires $false

Another option is to use the AD Pro Toolkit. With the Toolkit you can bulk set accounts back to normal and uncheck the password never expires box. In this example, I updated 33 user accounts.
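The following script is an added example, not code from the article or the AD Pro Toolkit: it puts the report and the bulk fix together, filtering on the domain controller, adding password age and last logon to the report so you can triage service accounts before touching them, and running Set-ADUser with -WhatIf until the list has been reviewed. The OU distinguished name and the CSV path are assumptions; it assumes the RSAT ActiveDirectory module is installed and you have rights to read and modify the target user objects.

```powershell
# Added example (not from the original article): audit accounts whose password
# never expires, report them with triage details, and clear the flag in bulk.
# Assumes the RSAT ActiveDirectory module is installed and the caller has rights
# to read and modify the target user objects. The OU DN and CSV path are assumptions.
Import-Module ActiveDirectory

$SearchBase = "OU=ADPRO Users,DC=ad,DC=activedirectorypro,DC=com"   # replace with your OU's DN
$ReportPath = "C:\it\pw-never-expire.csv"

# Filter server-side so the domain controller returns only matching objects,
# then pull the extra attributes needed for triage.
$users = Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -SearchBase $SearchBase `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, whenChanged

# PasswordAgeDays shows how long the password has actually been in use;
# a multi-year age on an enabled account is the case the policy is meant to catch.
$report = $users | Select-Object SamAccountName, Enabled,
    @{ n = 'PasswordAgeDays'; e = { if ($_.PasswordLastSet) { (New-TimeSpan -Start $_.PasswordLastSet).Days } else { $null } } },
    LastLogonDate, whenChanged, DistinguishedName

$report | Sort-Object PasswordAgeDays -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Remediation: clear the flag on enabled accounts only. Keep -WhatIf until the
# report has been reviewed; service accounts usually need a separate change process.
$users | Where-Object { $_.Enabled } | ForEach-Object {
    Set-ADUser -Identity $_ -PasswordNeverExpires $false -WhatIf
}
```

Remove -WhatIf once the CSV has been reviewed, and remember that clearing the flag on an account whose password is older than the domain policy's maximum age forces a password change at the user's next logon.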

Summary

In this article, I showed you two options to get a list of users with password never expires. There are times when system administrators set account passwords to never expire and this can weaken your AD security.

As I mentioned in this article, you should have a domain password policy configured that requires users to change their password on a regular basis (for example, every 60 days). To keep track of accounts that have the PasswordNeverExpires attribute enabled, you should run regular reports on all user accounts. The AD Pro Toolkit makes it very easy to generate reports on all user accounts.
