Tuesday, August 7, 2012

PowerShell & Active Directory: Find all users who have “Password Never Expires” enabled using PowerShell.


In a domain controller environment we all have some password policies set. In some organizations a user's password expires after 60 days, in others after 90 or 180 days.

A user's password must expire within the defined period; changing passwords often is a good security policy.

But when we create a user account, we sometimes select “Password Never Expires” by mistake.

If “Password never expires” is checked, the user's password never expires, which is not good for the user's account security.

My task today is to find all users who have “Password Never Expires” checked. To achieve this we are going to use the “Active Directory” module and the “Get-ADUser” cmdlet with filters.

Get-ADUser -Filter  'PasswordNeverExpires -eq $true'  -Server localDC | select name


After the Get-ADUser cmdlet we use -Filter to show all accounts whose “Password Never Expires” value is equal to True, which means enabled. In the -Server parameter I define my domain controller, and we pipe the output to the “Select-Object” cmdlet, selecting only the “Name” property to show.

The output is the list of matching user names.

Now I can show that list to my manager so that we can fix them later.
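To turn that list into something a manager can act on, here is an added example (not part of the original post) that runs the same filter, cross-checks it against the raw DONT_EXPIRE_PASSWORD bit of userAccountControl, and writes a CSV report. It assumes the `localDC` server name from the post and a hypothetical report path under `$env:TEMP`; the column name `FlagInUAC` is also made up for this example.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$Server     = 'localDC'   # domain controller name taken from the post; use your own
$ReportPath = Join-Path $env:TEMP 'PasswordNeverExpires.csv'   # hypothetical output path
$DontExpire = 0x10000     # DONT_EXPIRE_PASSWORD bit of userAccountControl (65536)

# 1) Same filter as the post, but keep the properties needed to prioritise the fix.
$byProperty = @(Get-ADUser -Filter 'PasswordNeverExpires -eq $true' -Server $Server `
    -Properties PasswordLastSet, LastLogonDate, userAccountControl)

# 2) Independent check: LDAP bitwise-AND match on the raw userAccountControl attribute.
$byBit = @(Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' -Server $Server)

# Accounts returned by only one of the two queries deserve a manual look.
$propNames = @($byProperty | ForEach-Object { $_.SamAccountName })
$bitNames  = @($byBit      | ForEach-Object { $_.SamAccountName })
$mismatch  = @($propNames | Where-Object { $bitNames -notcontains $_ }) +
             @($bitNames  | Where-Object { $propNames -notcontains $_ })
if ($mismatch.Count -gt 0) {
    Write-Warning ("Queries disagree for: " + ($mismatch -join ', '))
}

# Build the report: enabled accounts first, then oldest password first.
$report = @($byProperty |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
        @{ Name = 'FlagInUAC'; Expression = { [bool]($_.userAccountControl -band $DontExpire) } } |
    Sort-Object @{ Expression = 'Enabled'; Descending = $true }, PasswordLastSet)

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Format-Table Name, Enabled, PasswordLastSet, FlagInUAC -AutoSize
Write-Host "$($report.Count) account(s) written to $ReportPath"
```

Enabled accounts with the oldest PasswordLastSet values sort to the top, which is usually the order in which to clear the flag.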

Thanks for reading.


Aman Dhally



  1. This comment has been removed by the author.

  2. This wasn't 100% accurate for our AD. A few users who had this box checked did not come up when I did the search and a few showed that didn't have it checked -- does anyone have another way to check this more accurately? I

    FYI - If your Powershell didn't recognize the "Get-AdUser" cmdlet, check out this page:


  3. Simple Command:
    Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A | Out-file C:\PassNerverexp.tx