I decided to blog this little nugget because everything I found on the web was exactly the opposite of what I wanted to do. Usually when someone is using PowerShell to look for users in the context of the PasswordNeverExpires property, they’re looking for users where PasswordNeverExpires is set to True and they want to set it to False. It’s generally understood that having passwords never expire is a security risk, so most of the time people want to hunt those accounts down. But you know me, I love a good PowerShell challenge and this week someone needed to find all the accounts where the passwords were allowed to expire, so I stepped up to the plate.
First, just for completeness I’ll include how to do the opposite of what I wanted to do:
Search-ADAccount -PasswordNeverExpires | select SamAccountName, UserPrincipalName
That will return all of the users in your domain whose accounts are set so their passwords never expire. In most cases, these accounts are hunted down and set so their passwords do expire.
If PowerShell can’t find the Search-ADAccount cmdlet, make sure the Active Directory module is installed. If it’s not, use this command to install it:
Then make sure it’s loaded in your PowerShell host:
With that out of the way, how do we do the opposite, the thing I really needed to do? How do we find accounts that are NOT set to have their passwords never expire? It took some backward thinking, but here’s what I came up with:
Get-ADUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "CN=Users,DC=contoso,DC=com" | select name
If you’d like to see how many there are, you can use the Count property like this:
(Get-ADUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "CN=Users,DC=contoso,DC=com").Count
And if, for some silly reason, you want to set these accounts so that PasswordNeverExpires is set to True you could do it like this:
Get-ADUser -Filter 'PasswordNeverExpires -eq $false' -SearchBase "CN=Users,DC=contoso,DC=com" | Set-ADUser -PasswordNeverExpires $true
Make sure you understand the security repercussions of this before you do it. In most cases this is a bad thing, but there are exceptions.
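An added example, not code from the original post: it reports both PasswordNeverExpires states along with password age, saves the current state to a CSV, and previews the Set-ADUser change with -WhatIf instead of applying it. The function name Get-PasswordExpiryReport and the CSV file name are assumptions made for illustration; the SearchBase is the post's sample value.

```powershell
# Added example (not the original post's code).
# Assumes the ActiveDirectory module is installed on this machine.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $SearchBase
    )
    # Get-ADUser returns only a default property set, so request the extras explicitly.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties PasswordNeverExpires, PasswordLastSet |
        ForEach-Object {
            # PasswordLastSet is empty when the password was never set or the
            # account is flagged "must change password at next logon".
            $age = if ($_.PasswordLastSet) {
                [int]((Get-Date) - $_.PasswordLastSet).TotalDays   # rounded to whole days
            } else { $null }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordLastSet      = $_.PasswordLastSet
                PasswordAgeDays      = $age
                DistinguishedName    = $_.DistinguishedName
            }
        }
}

$base   = 'CN=Users,DC=contoso,DC=com'   # sample value from the post
$report = Get-PasswordExpiryReport -SearchBase $base

# How many accounts are in each state (True = never expires, False = allowed to expire).
$report | Group-Object PasswordNeverExpires | Select-Object Name, Count

# Accounts whose passwords are allowed to expire, recorded before any change
# so the original state can be restored later.
$targets = $report | Where-Object { -not $_.PasswordNeverExpires }
$targets | Export-Csv -Path .\PasswordExpiry-Before.csv -NoTypeInformation   # assumed file name

# Preview only: -WhatIf prints what Set-ADUser would do without modifying the accounts.
$targets | ForEach-Object {
    Set-ADUser -Identity $_.DistinguishedName -PasswordNeverExpires $true -WhatIf
}
```

Review the CSV, paying attention to the Enabled and PasswordAgeDays columns, before removing -WhatIf.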