Skip Ribbon Commands
Skip to main content

Quick Launch

Todd Klindt's home page > Todd Klindt's SharePoint Admin Blog > Posts > How to find Active Directory users NOT set to PasswordNeverExpires with PowerShell
February 07
How to find Active Directory users NOT set to PasswordNeverExpires with PowerShell

I decided to blog this little nugget because everything I found on the web was exactly the opposite of what I wanted to do. Usually when someone is using PowerShell to look for users in the context of the PasswordNeverExpires property, they’re looking for users where PasswordNeverExpires is set to True and they want to set it to False. It’s generally understood that having passwords never expire is a security risk, so most of the time people want to hunt those accounts down. But you know me, I love a good PowerShell challenge and this week someone needed to find all the accounts where the passwords were allowed to expire, so I stepped up to the plate.

First, just for completeness I’ll include how to do the opposite of what I wanted to do:

Search-ADAccount -PasswordNeverExpires | select SamAccountName, UserPrincipalName

That will return all of the users in your domain whose accounts are set so their passwords never expire. In most cases, these accounts are hunted down and set so their passwords do expire.

If PowerShell can’t find the Search-ADAccount cmdlet make sure the Active Directory module is installed. If it’s not, use this command to install it:

Add-WindowsFeature RSAT-AD-PowerShell

Then make sure it’s loaded in your PowerShell host:

Import-Module ActiveDirectory

With that out of the way, how do we do the opposite, the thing I really needed to do? How do we find accounts that are NOT set to have their passwords never expire? It took some backward thinking, but here’s what I came up with:

Get-ADUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "CN=Users,DC=contoso,DC=com" | select name

If you’d like to see how many it is, you can use Count property like this:

(Get-ADUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "CN=Users,DC=contoso,DC=com").Count

And if, for some silly reason, you want to set these accounts so that PasswordNeverExpires is set to True you could do it like this:

Get-ADUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "CN=Users,DC=contoso,DC=com" | Set-ADUser -PasswordNeverExpires $true

Make sure you understand the security repercussions of this before you do it. In most cases this is a bad thing, but there are exceptions.




There are no comments for this post.

Add Comment

Items on this list require content approval. Your submission will not appear in public views until approved by someone with proper rights. More information on content approval.


Body *

Today's date *

Select a date from the calendar.
Please enter today's date so I know you are a real person


Want a message when I reply to your comment? Put your Twitter handle here.



 Please Support my Sponsors