Get List of Users with Password Never Expires Using PowerShell
Don’t delay if you want to get a list of users whose password never expires in Active Directory. The longer you wait, the greater the risk of a security breach. Non-expiring user passwords are one of the most common security weaknesses inside any AD, so they must be identified and fixed as soon as possible.
That is why we have put together several strategies that can help you get the data quickly. If you are logged in to an AD workstation, there are built-in tools right there that can help, so let’s start with those.
PowerShell Script to Get List of Users with Password Never Expires
Open a PowerShell instance and put in this code:
Import-Module ActiveDirectory
Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires | Select-Object Name, SamAccountName, PasswordNeverExpires
You can add further attributes to the query, such as when the user first logged in, how often the user logs in, and what resources they used in the last logon session.
Then export the results to CSV. This report can act as an important deciding factor when judging whether a user’s password in Active Directory needs to be reset or not.
If you don’t see any accounts when you try to get the list of users with password never expires, i.e. the output is blank, it can mean one of two things: either your command is wrong or your AD environment has no accounts with perpetual passwords. Check the command and rerun it.
If the latter is true, that is also a security risk: without at least one account whose password never expires, the entire organization could get locked out of AD with no emergency way back in.
That is why many AD audit checklists mention an emergency access (break-glass) admin account.
Create an AD Admin Account Whose Password Never Expires via PowerShell
Open up a new instance of PowerShell on your AD workstation and enter:
Set-ADUser -Identity <AccountIdentity> -PasswordNeverExpires $true
Moreover, Microsoft’s documentation for Set-ADUser goes into detail on the additional parameters you can add to this base command.
Script to Disable the Attribute on a List of Users with Password Never Expires
In the PowerShell interface type the following:
Set-ADUser -Identity <AccountIdentity> -PasswordNeverExpires $false
You can combine all of the previous steps into a single script that reads the account list from a file and applies the change to each account.
This once again proves that you can not only get a list of users with password never expires but also clear the flag directly from PowerShell.
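As an added example (not a script from the original article), the following PowerShell combines the Get-ADUser, Export-Csv and Set-ADUser steps above into one audit-and-remediate run. It assumes the RSAT ActiveDirectory module is installed, the report path and the break-glass account name are placeholders, and -WhatIf keeps the run read-only until the list has been reviewed.

```powershell
# Added example, not from the original article: list every enabled user whose
# password never expires, export the list, then clear the flag on each listed
# account except the exempt break-glass accounts.
# Assumptions: ActiveDirectory module available, C:\Temp exists, and
# 'EmergencyAdmin' is a placeholder for your real break-glass account.
Import-Module ActiveDirectory

$ReportPath = 'C:\Temp\PasswordNeverExpires.csv'   # assumed output path
$BreakGlass = @('EmergencyAdmin')                  # placeholder: accounts to keep exempt

# Step 1: build the report. PasswordNeverExpires is not in the default property
# set, so it has to be requested explicitly.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
           -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate |
    Select-Object SamAccountName, Name, PasswordLastSet, LastLogonDate, PasswordNeverExpires |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Step 2: read the report back and clear the flag on every account in it.
# -WhatIf only prints what would change; remove it once the CSV has been reviewed.
Import-Csv -Path $ReportPath | ForEach-Object {
    if ($BreakGlass -contains $_.SamAccountName) {
        Write-Host "Skipping exempt break-glass account $($_.SamAccountName)"
        return   # inside ForEach-Object this skips to the next record
    }
    Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires $false -WhatIf
}
```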
However, adding extra features makes the script bloated and more prone to inconsistent results, so admins end up spending more time fixing the script than using it for its purpose.
Admins can avoid these limitations by relying on a purpose-built solution instead. You need not go anywhere else, as we have the right tool right here.
Stay Free from the PowerShell Password Never Expires Method with a Tool
SysTools Active Directory Reporting Tool has a built-in filter for this exact scenario. All admins have to do is set up the tool, and it will handle the rest.
The best part is that the tool can be used remotely from any workstation with a simple one-click admin validation. Not only that, this tool can also give you the AD computer account password expiration date.
The tool can be used in a few easy steps, as shown below.
- Start by installing, then wait for the default credentials to fill up the screen and press the login button.
- Use the REGISTER DOMAIN CONTROLLER icon to add your AD.
- Type a suitable friendly name for your domain followed by its respective IP address in the space.
- Move on to the Domain Details section, where you perform the actual admin validation.
- Once done, click on Reports to open the section.
- You will find a filter with the name “password never expires” under the User workload. Click on it.
- The Report Formation screen opens; now you can get the list of users with password never expires.
- Use the Date Picker (if available), then click on the Preview button to generate a view-only list of AD users whose password never expires.
- To get a CSV copy of the list, toggle the Download option and click CSV. Save the report on your workstation.
Traditional Way to Get AD User Whose Password Never Expires
These are the built-in methods admins use to perform a password change audit in Active Directory, so getting a list of users with non-expiring passwords is no big deal.
Use Active Directory Users and Computers Console
- Go to ADUC.
- Click on the Filter icon.
- Toggle the custom filter radio button and click on Customize…
- Switch to the Advanced tab and paste the following LDAP query to find users whose password never expires:
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))
- Press OK twice first to close the Custom Search option and then to close the Filter option.
Now every object that is not a user with a perpetual password is hidden from view.
This filter makes it easier for admins to locate the user objects as they go through each and every OU.
Although ADUC has a built-in export option, admins may find it tedious to scan every OU and end up with multiple CSVs.
One positive outcome is that there won’t be any duplicate entries, as a user can only belong to a single OU at a time. However, this is of little help, as admins still have to spend a lot of time merging all the CSVs together.
Get List of Users with Password Never Expires With Help From the AD Administrative Center
A similar method is available via ADAC, with one key advantage: you need not shuffle through the various containers to form a complete list. Here are the steps.
- Launch the Administrative Center
- Click on Global Search
- Toggle the “Convert to LDAP” option
- Paste this query “(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))”
- Click on Apply
- Select All results
- Press Ctrl + C
- Open Notepad (or other application)
- Press Ctrl + V
Now, you have a list of all users whose passwords will never expire. Both GUI methods available inside the AD itself have problems that cause unnecessary delays. A faster way would be to deploy code-based alternatives, so let’s see how.
CMD Methods to List Users in Active Directory Whose Password Never Expires
Net user command
- Press Windows + R
- Type cmd
- Press Enter
- Wait for the console to show up
- Type cls to clear the screen
- Enter the following command-line alternative to the PowerShell password never expires cmdlet:
net user %username% /domain | findstr /C:"Password expires"
The /C: switch makes findstr search for the exact phrase. Without it, findstr treats each space-separated word as a separate search term, so every line containing either “Password” or “expires” (such as “Password last set” or “Account expires”) would also be listed.
The %username% variable is a placeholder and, if used in its current form, will show the details for the currently logged-in user. If you are unsure which account to check, first list all users in the domain with
net user /domain
and then substitute %username% with the user name you want to check.
This method takes away the one critical advantage command-line methods have over the regular GUI, i.e. speed, because the admin has to manually replace the name every time they want to run the query for a new user. If your AD has just a few users this is not a big issue. However, when there are hundreds or thousands of users, this method is not practical.
So instead, use the dsquery alternative. You need not go anywhere else: in the same console, type cls, press Enter, and then put in this query (-limit 0 removes the default cap of 100 results so that all accounts are listed):
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -attr name -limit 0
We use such a numeric filter because there is no explicit attribute for non-expiring passwords that we can query directly in LDAP.
The password never expires flag is stored as a bit inside the userAccountControl attribute, with 65536 as its integer value.
Despite its complex appearance, this query does the job better by listing all matching accounts at once.
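As an added example (not from the original article), the PowerShell below decodes userAccountControl so the 65536 in the filter above is no longer a magic number: the matching rule 1.2.840.113556.1.4.803 is an LDAP bitwise AND, so the server performs exactly the -band test shown here. The flag table goes slightly beyond the article and also names neighbouring flags an auditor tends to look at; the sample values are constructed, not real accounts.

```powershell
# Added example, not from the original article: decode userAccountControl and
# reproduce the bitwise test behind the LDAP filter
# (userAccountControl:1.2.840.113556.1.4.803:=65536).
$UacFlags = [ordered]@{
    SCRIPT                 = 0x0001
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWD     = 0x10000   # = 65536, the value used in the filter
    SMARTCARD_REQUIRED     = 0x40000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
    PASSWORD_EXPIRED       = 0x800000
}

function Test-PasswordNeverExpires {
    param([int]$UserAccountControl)
    # Same test the LDAP bitwise-AND rule performs server-side: is bit 0x10000 set?
    return (($UserAccountControl -band $UacFlags.DONT_EXPIRE_PASSWD) -ne 0)
}

function ConvertFrom-UserAccountControl {
    param([int]$UserAccountControl)
    # Return the name of every flag set in the value.
    $UacFlags.GetEnumerator() |
        Where-Object { ($UserAccountControl -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Constructed sample values (not real accounts):
#   512   = NORMAL_ACCOUNT only
#   66048 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD
#   66082 = NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD + DONT_EXPIRE_PASSWD
foreach ($uac in 512, 66048, 66082) {
    '{0,6}: neverExpires={1,-5} flags={2}' -f $uac, (Test-PasswordNeverExpires $uac), ((ConvertFrom-UserAccountControl $uac) -join ',')
}

# The equivalent query against the directory (needs the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' -Properties userAccountControl |
#     ForEach-Object { '{0}: {1}' -f $_.SamAccountName, ((ConvertFrom-UserAccountControl $_.userAccountControl) -join ',') }
```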
Conclusion
Now admins no longer have to struggle with the process of getting a list of users with password never expires. Here we showed how to use PowerShell and other command-line methods to get the data. The discussion also covered the default utilities available inside Active Directory itself. On top of that, we gave instructions on how to use modern software for such reporting purposes and explained why it is preferable to the other methods.
Frequently Asked Questions on PowerShell Password Never Expires Topic
Is having an Admin Account with non-expiring passwords mandatory?
Active Directory management best practices suggest you should always keep at least one break-glass admin account that has control over the entire AD. These super privileges stay dormant during regular operations but are vital for dealing with emergency scenarios such as a mass lockout or a cyberattack.
You need not rely on PowerShell alone; such setups are possible via GUI consoles like ADUC and ADAC as well.
Which AD attribute contains the password never expires data?
You will find the information in the property aptly named PasswordNeverExpires.
I recently did a cross-forest AD migration. In my original forest there were a lot of users with perpetual passwords; do I need to check again in the destination?
Yes, as there might be user accounts in the destination that also have non-expiring passwords. If it is a greenfield setup with no previous accounts to speak of, you can use the old list as well. Moreover, unlike the traditional and code-based methods, the tool can be used right away as soon as you set up the new AD IP and password.